b"<html>\n<title> - CAN TECHNOLOGY PROTECT AMERICANS FROM INTERNATIONAL CYBERCRIMINALS?</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n                    CAN TECHNOLOGY PROTECT AMERICANS\n                   FROM INTERNATIONAL CYBERCRIMINALS?\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                      SUBCOMMITTEE ON OVERSIGHT &\n                  SUBCOMMITTEE RESEARCH AND TECHNOLOGY\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 6, 2014\n\n                               __________\n\n                           Serial No. 113-67\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n                               __________\n\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n88-137 PDF                     WASHINGTON : 2014\n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Printing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nDANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas\nRALPH M. HALL, Texas                 ZOE LOFGREN, California\nF. 
JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois\n    Wisconsin                        DONNA F. EDWARDS, Maryland\nFRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida\nRANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon\nMICHAEL T. McCAUL, Texas             ERIC SWALWELL, California\nPAUL C. BROUN, Georgia               DAN MAFFEI, New York\nSTEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida\nMO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts\nRANDY HULTGREN, Illinois             SCOTT PETERS, California\nLARRY BUCSHON, Indiana               DEREK KILMER, Washington\nSTEVE STOCKMAN, Texas                AMI BERA, California\nBILL POSEY, Florida                  ELIZABETH ESTY, Connecticut\nCYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas\nDAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California\nTHOMAS MASSIE, Kentucky              MARK TAKANO, California\nKEVIN CRAMER, North Dakota           ROBIN KELLY, Illinois\nJIM BRIDENSTINE, Oklahoma\nRANDY WEBER, Texas\nCHRIS COLLINS, New York\nVACANCY\n                                 ------                                \n\n                       Subcommittee on Oversight\n\n                   HON. PAUL C. BROUN, Georgia, Chair\nF. JAMES SENSENBRENNER, JR.,         DAN MAFFEI, New York\n    Wisconsin                        ERIC SWALWELL, California\nBILL POSEY, Florida                  SCOTT PETERS, California\nKEVIN CRAMER, North Dakota           EDDIE BERNICE JOHNSON, Texas\nLAMAR S. SMITH, Texas\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                   HON. LARRY BUCSHON, Indiana, Chair\nSTEVEN M. 
PALAZZO, Mississippi       DANIEL LIPINSKI, Illinois\nMO BROOKS, Alabama                   FEDERICA WILSON, Florida\nRANDY HULTGREN, Illinois             ZOE LOFGREN, California\nSTEVE STOCKMAN, Texas                SCOTT PETERS, California\nCYNTHIA LUMMIS, Wyoming              AMI BERA, California\nDAVID SCHWEIKERT, Arizona            DEREK KILMER, Washington\nTHOMAS MASSIE, Kentucky              ELIZABETH ESTY, Connecticut\nJIM BRIDENSTINE, Oklahoma            ROBIN KELLY, Illinois\nCHRIS COLLINS, New York              EDDIE BERNICE JOHNSON, Texas\nLAMAR S. SMITH, Texas\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                             March 6, 2014\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Paul C. Broun, Chairman, Subcommittee \n  on Oversight, Committee on Science, Space, and Technology, U.S. \n  House of Representatives.......................................     9\n    Written Statement............................................     9\n\nStatement by Representative Dan Maffei, Ranking Minority Member, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................    10\n    Written Statement............................................    10\n\nStatement by Representative Larry Bucshon, Chairman, Subcommittee \n  on Research and Technology, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................    11\n    Written Statement............................................    11\n\nStatement by Representative Daniel Lipinski, Ranking Minority \n  Member, Subcommittee on Research and Technology, Committee on \n  Science, Space, and Technology, U.S. 
House of Representatives..    12\n    Written Statement............................................    12\n\nWritten statement by Representative Eddie Bernice Johnson, \n  Ranking Member, Committee on Science, Space, and Technology, \n  U.S. House of Representatives..................................    13\n\n                               Witnesses:\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology\n    Oral Statement...............................................    14\n    Written Statement............................................    17\n\nMr. Bob Russo, General Manager, Payment Card Industry Security \n  Standards Council, LLC\n    Oral Statement...............................................    26\n    Written Statement............................................    28\n\nMr. Randy Vanderhoof, Executive Director, Smart Card Alliance\n    Oral Statement...............................................    35\n    Written Statement............................................    37\n\nMr. Justin Brookman, Director, Consumer Privacy, Center for \n  Democracy & Technology\n    Oral Statement...............................................    51\n    Written Statement............................................    54\n\nMr. Steven Chabinsky, Senior Vice President of Legal Affairs, \n  CrowdStrike, Inc.; Former Deputy Assistant Director, Federal \n  Bureau of Investigation - Cyber Division\n    Oral Statement...............................................    65\n    Written Statement............................................    67\n\nDiscussion.......................................................    75\n\n             Appendix I: Answers to Post-Hearing Questions\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology.....    86\n\nMr. 
Bob Russo, General Manager, Payment Card Industry Security \n  Standards Council, LLC.........................................    91\n\nMr. Randy Vanderhoof, Executive Director, Smart Card Alliance....    97\n\nMr. Justin Brookman, Director, Consumer Privacy, Center for \n  Democracy & Technology.........................................   107\n\nMr. Steven Chabinsky, Senior Vice President of Legal Affairs, \n  CrowdStrike, Inc.; Former Deputy Assistant Director, Federal \n  Bureau of Investigation - Cyber Division.......................   112\n\n \n  CAN TECHNOLOGY PROTECT AMERICANS FROM INTERNATIONAL CYBERCRIMINALS?\n\n                              ----------                              \n\n\n                        THURSDAY, MARCH 6, 2014\n\n                  House of Representatives,\n                       Subcommittees on Oversight &\n                                    Research and Technology\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittees met, pursuant to call, at 9:36 a.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Paul Broun \n[Chairman of the Subcommittee on Oversight] presiding.\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    Chairman Broun. Good morning, everyone. This joint hearing \nof the Subcommittee on Oversight and the Subcommittee on \nResearch and Technology will come to order.\n    Again, good morning and welcome to today's joint hearing. \nIn front of you are packets containing the written testimony, \nbiographies, and truth-in-testimony disclosures for today's \nwitnesses.\n    Before we get started, since this is a joint hearing \ninvolving two Subcommittees, I want to explain how we will all \noperate procedurally so all Members understand how the \nquestion-and-answer period will be handled. 
We will recognize \nthose Members present at the gavel in order of seniority on the \nfull Committee, and those coming in after the gavel will be \nrecognized in order of arrival.\n    Now, for the sake of time, in lieu of giving my statement, \nI will enter it into the record at this point.\n    [The prepared statement of Mr. Broun follows:]\n\n  Prepared Statement of Subcommittee on Oversight Chairman Paul Broun\n\n    Good morning. Let me begin by extending a warm welcome to our \nwitnesses and thank you all for appearing. I especially appreciate \neveryone's patience and flexibility--witnesses and Members alike--in \nmaking themselves available today given the weather interruption \nearlier this week.\n    Today's hearing is titled ``Can Technology Protect Americans from \nInternational Cybercriminals?'' I hope you can all help us more fully \nanswer that question and explore what specifically is being done to \nsecure U.S. IT infrastructure.\n    On the one hand, we are here this morning to review what appears to \nbe a rash of recent attacks and successful breaches of American IT \ninfrastructure and computer networks: Target; Neiman Marcus; Easton \nSports; Michaels Stores; the University of Maryland; Blue Cross Blue \nShield in New Jersey; and now maybe even Sears! A reported 823 million \nexposed records made 2013 a record year for data breaches. The majority \nof these data breaches hit businesses and health-care, followed by \ngovernment, academic, and financial institutions, in that order. In \nfact, the Identity Theft Center, a non-profit organization that tracks \ndata theft, reported that health-care insurance providers and \norganizations suffered 267 breaches, or 43 percent of all attacks in \n2013. That's significantly higher than the business sector, comprised \nof retailers, tech companies and others. 
It seems like an epidemic, and \nthe clear implications of people's privacy being violated concerns me \ngreatly.\n    On the other hand, fraud and breaches within the retail credit card \nand debit card industry only amount to five-hundredths of 1% of sales, \nor five cents on the dollar. And that loss has been declining. In other \nwords, more records are being exposed, but the financial damage may be \nless. Is this a growing problem justifying more attention and effort, \nor an example of the ongoing, successful efforts of the private sector, \nwith the help of the government's experience, knowledge, and \ncooperation to counter these attacks? I take pride in noting that \nfinancial technology companies in my home state of Georgia handle over \n60 percent of all payment card transactions in America. These Georgia \ncompanies are industry leaders in consumer protection and data \nsecurity, as documented in a February 23rd piece in the Peach Pundit by \nthe CEO of the Electronic Transactions Association.\n    Today, among other things, we will hear what the private sector is \ndoing in response to the market forces of risk, cost, liability, and \nreward. I would suggest those free market incentives and disincentives \nand the right of free association and cooperation are sufficient and \nthe most effective at addressing the evolving, quick-moving threat of \nsophisticated hacking organizations and cybercriminals. 
The fact that \nthe payment industry and retailers have been actively working together \nto make the necessary investments to tighten credit card and debit card \nsecurity next year by transitioning to ``smart or chip card'' \ntechnology is proof of that.\n    Nevertheless, the organized, international nature of the new IT \nthreat to intellectual property, trade secrets and other proprietary \ndata, personally identifiable information, medical and insurance \nrecords, financial resources, and even top secret material, makes this \na critical danger to our economic and national security. We will hear \ntoday that China and Russia are actively and aggressively waging \neconomic war on us with massive hacking espionage campaigns. This is \nvery disconcerting, and I look forward to the discussion about the role \nof law enforcement and intelligence capabilities to deter, detect, and \npunish global cybercrime syndicates, and whether they need more \ntechnological tools and resources.\n    After all, before former FBI Director Robert Mueller stepped down, \nhe declared that ``in the not too-distant-future we anticipate that the \ncyber threat will pose the greatest threat to our country.'' Well, it \nwill be interesting to hear what the former FBI Deputy Assistant \nDirector for Cyber, who served under Director Mueller, has to say in \nhis testimony.\n\n    Chairman Broun. And now, I will recognize my good friend, \nMr. Maffei, for his statement.\n    Mr. Maffei. Thank you, Mr. Chairman. And I will follow your \nlead and also ask unanimous consent to put my opening statement \ninto the record. You have to say so ordered.\n    Chairman Broun. Okay. Without objection.\n    [The prepared statement of Mr. Maffei follows:]\n\n            Prepared Statement of Subcommittee on Oversight\n                   Ranking Minority Member Dan Maffei\n\n    Cybercrime occurs on a daily basis. 
Widespread breaches, like the \nrecent data breach at Target, affected up to 110 million people by \nexposing their personal data and credit card information. Smaller \nbreaches can still have serious economic consequences. Last year, \nhackers with reported links to Al Qaeda engaged in hacking the phone \nsystems of small businesses in New York, including in my district in \nSyracuse, New York. One of the companies hacked, an Albany-based dry \ncleaner, halted plans to expand in Syracuse because they were \nstruggling to pay the $150,000 phone charges they incurred as a result \nof this attack. This particular breach resulted in more than 75,000 \nminutes of overseas calls to Zimbabwe, Bosnia, the Congo, Libya and the \nMaldives.\n    Last year alone half a billion records of personally identifiable \ninformation, including names, emails, credit card numbers and passwords \nwere leaked through data breaches according to an IBM cyber-threat \nreport. But many breaches go unreported. Others go undetected. The full \nscale and consequence of cybersecurity threats cannot be accurately \nassessed.\n    When cybercriminals obtain credit card information on tens of \nmillions of consumers from a retail establishment we all end up paying. \nRetailers have to pass along the costs for these security incidents \nthrough increased prices as a result of fraud, enhanced security \nupgrades, and potential litigation costs. When foreign governments \ninfiltrate our government agencies, it jeopardizes our national and \neconomic security. When an individual employee at a university,hospital \nor insurance company steals the digital data of students, patients or \nclients to engage in identity theft, there are real consequences for \nAmericans.\n    I do not believe there is a silver bullet to preventing cyber-\nthreats or eliminating the inadvertent disclosure of personal privacy-\nrelated data. Technology alone cannot protect us. 
This is a \nmultifaceted threat and requires a multi-pronged response. A \ncombination of corporate awareness, federal policies, the proper \nimplementation of security standards, employee and consumer training, \nand due diligence along the chain of information play a critical role \nin confronting thisgrowing cyber menace.\n    There are some technical solutions that can certainly help in \ncountering this threat. The migration of so called E-M-V chip cards in \nthe U.S. and the use of ``chip and PIN'' transactions can play a role. \nWhile this will help counter fraudulent person-to-person transactions, \nthey will not stop all fraudulent transactions, like online sales where \na card is not present. Online retail sales in the U.S. alone are \nexpected to grow from $231 billion in 2012 to $370 billion by 2017, \nmaking online financial transactions an even more appealing avenue for \ncybercriminals.\n    Standards are another technical solution that can play a key role \nin helping secure IT systems against a wide-range of cyber-threats. The \nNational Institute of Standards and Technology recently released its \n``Framework for Improving Critical Infrastructure Cybersecurity.'' This \nguide can help federal agencies and private industry alike implement \nreliable and robust IT networks that are as safe and secure as \npossible.\n    I am concerned however, that industry is not doing enough to \nprotect itself and to protect our data from these various cyber \nthreats. The Payment Card Industry (or PCI) has its own Security \nStandards Council and we have a witness from the council testifying \nhere today. 
His testimony clearly says--quote: ``the PCI Standards are \nthe best line of defense against the criminals seeking to steal payment \ncard data.'' While the efforts of the industry to police itself are \nlaudable, a recent 2014 report by Verizon called the ``PCI Compliance \nReport'' found that only 11.1 percent of the payment card industry \ncompanies that it surveyed in 2013 were ``fully'' compliant with the \nPCI ``Data Security Standard.'' This was a decline of nearly 50 percent \nfrom the 2010 Verizon ``PCI Compliance Report'' that showed 22 percent \nof companies in the Payment Card Industry surveyed in 2009 were \n``fully'' compliant with this standard.\n    It is unclear why the application of these industry endorsed \nstandards has declined but it is a troubling trend. This is \nparticularly troubling since even the PCI Security Standards Council \nhas said that they have seen a correlation between successful cyber-\nattacks and the lack of compliance with its standards. We need to \nfigure out a way to either incentivize industry to act or to mandate a \nrequirement that they must act.\n    It is important that we explore these issues to help understand \nwhat the private sector is doing to protect consumer data and how we \ncan be effective partners. But I think it is equally important to \nunderstand what the commercial market is doing with consumer data.\n    We are all sharing more data with more sources all the time. As we \nshare more personal data the opportunities for that data to be stolen, \nsold or lost escalates. We provide detailed financial data to our \nbanks. Our local grocery store knows the food we eat, the beverages we \ndrink and the toothpaste we use. Facebook knows who we associate with, \nour favorite movies, books and vacation spots. Google Maps knows where \nwe've been and where we're going. How private industry maintains this \ndata, for how long and how securely is important to every consumer, \nincluding me. I hope that Mr. 
Brookman, a consumer privacy expert from \nthe Center for Democracy & Technology, and one of our witnesses here \ntoday, can offer some suggested guidance on how Congress should be \nthinking about these issues that affect the privacy and security of all \nof us.\n    I look forward to hearing from our witnesses and I appreciate the \nChairman calling this hearing today. I yield back.\n\n    Mr. Maffei. And the only thing I will say is I want to \nthank you, Mr. Chairman, and also Chairman Bucshon and Ranking \nMember Lipinski for having this hearing. I see the Chairman of \nthe full Committee is here and I want to thank him and my good \nfriend Elizabeth Esty is also here, too.\n    So this is a very important and substantive issue and I \nreally appreciate you doing this and I think it is a very good \nissue for our Committee to be looking at.\n    I yield back.\n    Chairman Broun. Thank you, Mr. Maffei. I now recognize Dr. \nBucshon for his statement.\n    Mr. Bucshon. Chairman, I also ask unanimous consent to \nsubmit my statement for the record.\n    Chairman Broun. Without objection, so ordered.\n    [The prepared statement of Mr. Bucshon follows:]\n\n     Prepared Statement of Subcommittee on Research and Technology\n                         Chairman Larry Bucshon\n\n    I would like to welcome everyone to today's hearing on the role of \ntechnology in protecting Americans from cybercriminals.\n    As Dr. Broun stated, many Americans have experienced security \nbreaches in the past few years. Universities, small grocery stores and \nretailers in Indiana have all experienced security breaches recently. 
\nAlong with the national retailer security breaches, we have heard about \nrecently in the news, these smaller instances show how all individuals \nand consumers are threatened by this growing problem.\n    According to a poll conducted by Defense News, leaders in national \nsecurity policy, the military, congressional staff, and the defense \nindustry believe cybersecurity is the top threat to our national \nsecurity.\n    While there is no question the federal government plays a role in \npreventing these security breaches, we must ensure we are using our \nresources as efficiently and effectively as possible.\n    The Science, Space and Technology Committee was responsible for two \npieces of relevant legislation that passed the House last year.\n    H.R. 756, the Cybersecurity Enhancement Act, strengthens \ncoordination and provides for strategic planning of cybersecurity \nresearch and development between government agencies. While the federal \neffort to prevent cyber attacks from happening is commendable, we must \nensure that these well-intentioned programs are not duplicative or \ninefficient.\n    Another piece of legislation that the House passed last year is \nH.R. 967, the Advancing America's Networking and Information Technology \nResearch and Development Act, which also provides for coordination of \nthe federal investment in research and development of unclassified \nnetworking, computing and cybersecurity technology.\n    These two Science Committee bills both passed the House \noverwhelmingly with bipartisan support but have been stalled in the \nSenate, which has not yet indicated if they will act on these vital \nbills or not. 
It is my hope that we will see the Senate move these \nbills forward soon with the active help and support of the \ncybersecurity community and its stakeholders.\n    I want to thank the witnesses for participating in today's hearing \nand look forward to their testimony on private sector initiatives and \nhow we can help leverage these efforts.\n\n    Chairman Broun. Mr. Lipinski, you are recognized for your \nstatement.\n    Mr. Lipinski. You mean I don't get everyone's five minutes \nfor 20 minutes total?\n    No, thank you, Mr. Chairman. Thank you for holding this \nhearing. It is very important issue as we keep seeing \nunfortunately more cyber attacks and hacking, other ways of \nstealing people's personal information, so I thank you for \nholding this hearing.\n    I ask unanimous consent to submit my opening statement for \nthe record.\n    Chairman Broun. Without objection, so ordered.\n    [The prepared statement of Mr. Lipinski follows:]\n\n      Prepared Statement of Subcommittee on Research & Technology\n                  Ranking Minority Member Dan Lipinski\n\n    Thank you Mr. Chairman. And thank you to our witnesses for being \nhere today after some rescheduling earlier in the week.\n    I've spoken in this Committee many times about the threats posed by \ncybercrime, and each time there have been recent and potentially more \nserious attacks to illustrate the point. This time, data breaches at \nTarget and Neiman Marcus collectively resulted in over 100 million \nrecords being stolen in the form of personal and credit card \ninformation. In total, payment card fraud was responsible for over 11 \nbillion dollars in losses in 2012, with around half of that amount \ncoming from the US. And this figure doesn't account for many other \nlosses associated with identity theft.\n    Simply put, cybercrime threatens businesses of all sizes and every \nsingle American. 
As such, reducing our risk and improving the security \nof cyberspace will take the collective effort of both the Federal \nGovernment and the private sector, as well as scientists, engineers, \nand the general public.\n    Research efforts by the Federal Government and standards developed \nin conjunction with the private sector will play a big part in \naddressing cybercrime. The NSF and NIST have lead roles in these \nrespective tasks. I'm interested in hearing more from Dr. Romine about \nNIST's recent efforts in these areas including the cybersecurity \nframework for critical infrastructure released last month.\n    However, it's worth pointing out that it doesn't matter how good \nour technology is or how current our standards are if people don't use \nthe technology correctly or adopt the standards. You can have the most \nup-to-date server in the world, but if someone doesn't change the \ndefault password or chooses an easily guessed password, no system will \nbe safe. Consider that a Verizon report found that last year only 11% \nof companies surveyed were fully compliant with PCI standards. In many \nways, people are the weakest link in this process, and understanding \nhow people make decisions--and encouraging better decisions--through \nsocial science research must be a part of our efforts to mitigate risk.\n    To help address some of our nation's cyber threats, Congressman \nMcCaul and I have introduced the Cybersecurity Enhancement Act during \nthe last three congresses. The bill would improve cybersecurity by \nbuilding strong public-private partnerships, improving the transfer of \ncybersecurity technologies to the marketplace, training a cybersecurity \nworkforce for both the public and private sectors, and coordinating and \nprioritizing federal cybersecurity R&D efforts. We passed the bill in \nthe House last year but are still awaiting action in the Senate. 
\nHopefully with increased focus on cybersecurity issues we can finally \nbreak through the logjam and get the Senate to act on a bipartisan bill \nthat will address our most immediate research and workforce needs.\n    Once again, thank you Mr. Chairman for holding this hearing. I look \nforward to hearing from our witnesses. And with that, I yield back.\n\n    Chairman Broun. Now, I recognize the Chairman of the full \nCommittee for his statement if he so desires. Mr. Smith.\n    Chairman Smith. Thank you, Mr. Chairman. I will ask my \nopening statement be made a part of the record as well.\n    Chairman Broun. Without objection, so ordered.\n    Chairman Broun. Now, if there are any other Members who \nwish to submit an opening statement, your statements will be \nadded to the record at this point.\n    [The prepared statement of Ms. Johnson follows:]\n\n  Prepared Statement of Full Committeee Ranking Member Eddie Bernice \n                                Johnson\n\n    Thank you, Mr. Chairman. This morning we are examining how \ntechnology can help protect Americans against cyber-attacks.\n    Unfortunately, we have seen a string of cyber-attacks recently. \nLast year, Target suffered a massive data breach resulting in the loss \nof millions of debit and credit card numbers. Neiman Marcus, a store \nbased in my home state of Texas, experienced a data breach that \ninvolved over a million credit and debit cards last year as well. These \nbreaches exposed the financial and personal information of millions of \nAmericans.\n    Data breaches are devastating. They cause Americans to lose trust \nin private and public institutions and result in significant economic \nlosses. Data breaches can also result in intellectual property losses, \nwhich can include a company's research and development, leading to \nmillions and billions of dollars in lost profits. 
The Ponemon Institute \nestimates that the cost of data breaches due to fines, loss of \nintellectual property, customer trust and capital equal $136 per \nlostrecord. This translates into $68 billion in losses globally last \nyear alone.\n    This morning we will hear about computer chip-based credit cards, \nknown as the ``chip-and-pin'' cards. Although it seems like these \n``chip-and-pin'' cards would help reduce counterfeiting of stolen \ncredit cards, it is not clear that they would have prevented the recent \nattacks on Target and Neiman Marcus. To help prevent further similar \ncyber-attacks, we will need other technologies.\n    But new technologies alone will not prevent cyber-attacks. New \ntechnologies will need to be paired with training and education \nefforts. Email attachments carrying malware are the most common way \nattackers get into a computer. To stop that from happening, we need \ntraining and education about proper computer security for employees and \nindividuals.\n    There are a number of federal efforts in this area including at the \nNational Institute of Standards and Technology, which has played an \nimportant role in cybersecurity efforts for decades. NIST is the agency \ntasked with developing standards and guidelines for Federal information \nsystems.\n    Additionally, NIST is the lead agency for the National Initiative \nfor Cybersecurity Education; they developed the National Strategy for \nTrusted Identities in Cyberspace; they run a National Cybersecurity \nCenter of Excellence; and they maintain a National Vulnerability \nDatabase.\n    We are fortunate to have Dr. Romine here this morning who can tell \nus more about these and additional cybersecurity efforts at NIST. Last \nmonth, NIST released a Framework for Improving Critical Infrastructure \nCybersecurity, which provides a common language for understanding and \nmanaging cybersecurity risks. 
In our discussion of new technologies, we \nshould be discussing how the federal government can incentivize the \npublic sector to adopt cybersecurity best practices and standards that \nare included in the Framework.\n    To prevent cyber-attacks will take an all-hands-on-deck approach. I \nlook forward to working with my colleagues on both sides of the aisle \non how the federal government can help with the development and \nadoption of new cybersecurity technologies.\n    I would like to thank the witnesses for being here today. Thank \nyou, Mr. Chairman. I yield back the balance of my time.\n\n    Chairman Broun. At this time I would like to introduce our \npanel of witnesses. Our first witness is Dr. Charles Romine, \nDirector of the Information Technology Laboratory at the \nNational Institute of Standards and Technology, NIST. Our \nsecond witness is Mr. Bob Russo, General Manager of the Payment \nCard Industry Security Standards Council. Our third witness is \nMr. Randy Vanderhoof, Executive Director of the Smart Card \nAlliance. And our fourth witness is Mr. Justin Brookman, \nDirector of Consumer Privacy at the Center for Democracy & \nTechnology. Gentlemen, welcome. We are glad to have all of you \nhere today.\n    Our final witness is Mr. Chabinsky, Senior Vice President \nof Legal Affairs at CrowdStrike, Incorporated; Former Deputy \nAssistant Director at the Federal Bureau of Investigation's \nFBI's Cyber Division. I welcome you, too, sir. I apologize. I \nwas rushing along to get into this hearing because we are going \nto have votes very shortly.\n    And so just for everybody's information, we are going to \ntry to get through all of our witnesses' statements as quickly \nas possible. If you would, try to limit your testimony to five \nminutes each. You will have a light in front of you. When it \nturns red, please be through so we can try to hear everybody \nbefore we have to run off to vote and then we will come back \nfor questions. 
We will get as far along as we can.
    As the witnesses should know, spoken testimony is limited
to five minutes. Then, after that, Members will have five
minutes each to ask you all questions. Upon the hearing, we
will submit questions for the record, and please expeditiously
answer these questions and get them back to the Committee.
    Now, it is the practice of this Subcommittee on Oversight
to receive testimony under oath. If you would all please stand
and raise your right hand unless you have an objection to
taking an oath. Does anybody have an objection to taking an
oath?
    No. Okay. I see them all shake their head side to side
indicating no.
    Okay. Do you solemnly swear and affirm to tell the whole
truth and nothing but the truth, so help you God?
    Very good. Please be seated.
    Let the record reflect that all the witnesses participating
have taken the oath.
    Now, I recognize Dr. Romine for five minutes.

         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Thank you. Chairmen Broun and Bucshon, Ranking
Members Maffei and Lipinski, and Members of the Subcommittees,
I am Dr. Charles Romine, the Director of the Information
Technology Lab at NIST. Thank you for the opportunity to
discuss NIST's role in cybersecurity and our perspective on
recent cyber thefts.
    Cyber thefts can occur at a scale unlike physical crimes.
As we know, one breach can affect thousands if not millions of
citizens.
Cyber thefts are often perpetrated at the speed of
electronic transactions, making interception difficult and
placing a strong reliance on preventative security controls.
    In response to the hearing title ``Can Technology Protect
Americans from International Cyber Criminals?'' my response
would be that it takes a holistic approach that includes
technology, training and awareness, policy, legal, economic,
and international efforts to bring cyber theft and other cyber
threats under control.
    I will discuss some of NIST's activities that accelerate
the development and deployment of security technologies and
assist our stakeholders and partners in protecting their
information and communications infrastructure against cyber
threats.
    In the area of cybersecurity, NIST has worked with Federal
agencies, industry, and academia since 1972. Our role--to
research, develop, and deploy information security standards
and technology to protect information systems against threats
to the confidentiality, integrity, and availability of
information and services--was strengthened through the Computer
Security Act of 1987 and reaffirmed through the Federal
Information Security Management Act of 2002 known as FISMA.
    NIST accomplishes its mission in cybersecurity through
collaborative partnerships. The resulting NIST special
publications and interagency reports provide operational and
technical security guidelines for Federal agencies and cover a
broad range of topics such as electronic authentication and
malware.
    NIST maintains the National Vulnerability Database, or NVD,
a repository of standards-based vulnerability management
reference data which enables security automation capabilities
for all organizations.
The payment card industry uses the NVD
vulnerability metrics to discern the IT vulnerability in point-
of-sale devices and determine acceptable risk.
    NIST researchers develop and standardize cryptographic
mechanisms used worldwide to protect information. The NIST
algorithms and guidelines are developed in a transparent and
inclusive process leveraging cryptographic expertise around the
world. The results are in standard interoperable cryptographic
mechanisms that can be used by all.
    The impact of NIST's activities under FISMA extended beyond
enabling protection of federal IT systems. They provide the
cybersecurity foundations for the public trust that is
essential to realizing the national and global economic
productivity and innovation potential of electronic business.
    Many organizations voluntarily follow NIST's standards and
guidelines reflecting their worldwide acceptance. NIST works
extensively in smart card standards and guidelines. NIST
developed the standard for the U.S. Government personal
identity verification card and actively works on global
cybersecurity standards for use in smart cards, smart card
cryptography, and others.
    As you know, NIST spent the last year working to convene
the U.S. critical infrastructure sectors to build a
cybersecurity framework as part of Executive Order 13636. This
cybersecurity framework released last month was created through
collaboration between industry and government and consists of
standards, guidelines, and practices to promote the protection
of critical infrastructure. The framework is already being
implemented by industry, adopted by infrastructure sectors, and
is reducing cyber risks to our critical infrastructure,
including the finance industry.
    The 2013 data breach investigations report noted that in
2012 76 percent of network intrusions exploited weak or stolen
credentials.
Target has revealed that the compromised
credential of one of its business partners was the vector used
to access its network.
    NIST houses the National Program Office at the National
Strategy for Trusted Identities in Cyberspace, or NSTIC, which
is addressing this most commonly exploited vector of cyber
attack, the inadequacy of passwords for authentication. NSTIC
is addressing this issue by collaborating with the private
sector, including funding 12 pilots, to catalyze a marketplace
of better identity and authentication solutions.
    Another critical component of NIST's cybersecurity work is
the National Cybersecurity Center of Excellence, a partnership
between NIST, the State of Maryland, Montgomery County, and the
private sector, which is accelerating the adoption of applied,
standards-based solutions to cybersecurity challenges. NIST
recognizes our essential role in helping counter cyber theft
and cyber threats. We look forward to continuing our work along
with our federal government partners, private sector
collaborators, and international colleagues to improve upon the
comprehensive set of technical solutions, standards,
guidelines, and best practices necessary to realize this
vision.
    Thank you for the opportunity to testify today on NIST's
work in cybersecurity and to share some of the specific work we
do to assist organizations to reduce risks due to cyber theft,
and I would be happy to answer any questions.
    [The prepared statement of Dr. Romine follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Broun. Thanks, Dr. Romine.
    Mr. Russo, you are recognized for five minutes.

                  TESTIMONY OF MR. BOB RUSSO,

        GENERAL MANAGER, PAYMENT CARD INDUSTRY SECURITY

                     STANDARDS COUNCIL, LLC

    Mr. Russo. Thank you.
My name is Bob Russo and I am the
General Manager of the PCI Security Standards Council, a global
industry initiative and membership organization focused on
securing payment card data. Our approach to an effective
security program combines people, process, and technology as
key components of protecting payment card data. We believe that
development of standards to protect payment card data is
something the private sector and specifically PCI is uniquely
qualified to do. The global reach, expertise, and flexibility
of PCI have made it critical and vital.
    Our community of over 1,000 of the world's leading
businesses is tackling data security challenges from simple
issues--for instance, the word ``password'' is still the most
commonly used password out there--to really complicated issues
like proper encryption. Consumers are understandably upset when
their payment card data is put at risk, and we know the harm
caused by data breaches.
    The Council was created to proactively protect consumers'
payment card data. Our standards represent a solid foundation
for a multilayered security approach. We focus on removing card
data if it is no longer needed. Simply put, if you don't need
it, don't store it. If you do need it, then protect it. Reduce
the incentives for criminals to steal it. Let me tell you how
we do that.
    The Data Security Standard is built on 12 principles that
cover everything from physical security to logical security and
much more. This standard is updated regularly through feedback
from our global community. In addition, we have developed other
standards that cover payment software, point-of-sale devices,
the secured manufacturing of cards, and much, much more.
    We work on technologies like tokenization and point-to-
point encryption to help reduce the amount of card data kept in
systems and devalue that information.
Tokenization and point-
to-point encryption work in concert with other PCI standards to
offer additional protections.
    Another technology, EMV chip, is an extremely effective
method of reducing card fraud in a face-to-face environment.
That is why the Council supports its adoption in the United
States through organizations such as the EMV Migration Forum.
And our standards support EMV today in other worldwide markets.
    However, EMV chip is only one piece of the puzzle.
Additional controls are needed to protect the integrity of
payments online and in other channels. These include
encryption, tamper-resistant devices, malware protection,
network monitoring, and more. These are all addressed within
the PCI standards. Used together, EMV chip and PCI can provide
strong protections for payment card data.
    But effective security requires much more than just
standards. Standards without supporting programs are only tools
and not solutions. The Council's training and certification
programs have educated tens of thousands of individuals and
make it easy for businesses to choose products that have
already been lab-tested and certified as secure.
    Finally, we conduct global campaigns to raise awareness of
payment card security.
    We welcome the Committee's attention to this critical
issue. The recent compromises underscore the importance of a
multilayered approach to payment card security, and there are
clear ways in which the government can help, for example, by
leading stronger law enforcement efforts worldwide and by
encouraging stiffer penalties for these crimes. Promoting
information sharing between public and private sectors also
merits attention.
    The Council is an active collaborator with government. We
work with NIST, with DHS, and many other government entities.
We are ready and willing to do much more. The recent breaches
underscore the complex nature of payment card security.
A
multifaceted problem cannot be solved by a single technology,
standard, mandate, or regulation. It cannot be solved by a
single sector of society. We must work together to protect the
financial and privacy interests of consumers.
    Today, as this Committee focuses on recent data breaches,
we know that the criminals are focusing on inventing the next
attacks. There is no time to waste. The PCI Standards Council
and business must continue to provide multilayered security
protections while Congress leads the efforts to combat global
cybercrimes that threaten us all.
    We thank the Committee for taking a leadership role in
seeking solutions to one of the largest security concerns of
our time.
    [The prepared statement of Mr. Russo follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Broun. Thank you, Mr. Russo.
    The buzzer that you hear is for votes on the Floor of the
House and so we are going to have to go shortly. We have time
for Mr. Vanderhoof to give your testimony for five minutes.
And, for Members' information, we will recess right after Mr.
Vanderhoof finishes. We will go vote. It is going to be a long
series of votes, probably about an hour, maybe a little more.
We will come back for Mr. Brookman and Mr. Chabinsky's
statement.
    And so, Mr. Vanderhoof, you are recognized for five
minutes. Please keep it within five minutes. Thank you.

               TESTIMONY OF MR. RANDY VANDERHOOF,

                      EXECUTIVE DIRECTOR,

                      SMART CARD ALLIANCE

    Mr. Vanderhoof. Chairman Broun and Chairman Bucshon and
Members of the Subcommittee, on behalf of the Smart Card
Alliance and its members, I thank you for the opportunity to
testify today.
    The Smart Card Alliance is a nonprofit organization that
provides education about smart card chip technology and
applications.
In 2012, the Alliance formed the EMV Migration
Forum to convene all payments industry stakeholders to advance
the migration to EMV in the United States. Collectively, the
two organizations have more than 370 member organizations,
including American Express, Discover, MasterCard, and Visa and
financial institutions, merchants, and other payments industry
participants.
    My testimony will be about payment security and the
increasing threat of cybercrime to steal vulnerable payment
data, how EMV chip cards and terminals make payments more
secure, and the state of the U.S. migration towards EMV.
    As this hearing recognizes, the increasing instances of
cybercrime in the United States highlight the need for EMV chip
cards. Cybercrime criminals are increasingly targeting retail
store chains. The FBI found at least 22 instances of this in
the past year. Attacks on retailers are particularly damaging
because a single attack can cause millions of dollars' worth of
credit card fraud and create the need to close and reissue tens
of millions of payment card accounts.
    The increase in attempted data breaches on retail systems
is due in part to the fact that the U.S. magnetic stripe card
data is highly valued by hackers who can sell it on the black
market to criminals for large profits. For example, the black
market price for several million card accounts believed to be
stolen from the Target breach was between $27 and $45 each for
a period of time. Criminals pay such high prices for U.S.
magnetic stripe card data because it is easy to use it to
create counterfeit payment cards. This is why the United States
is the only region in the world where counterfeit card fraud
continues to grow.
    It is in our best interest to replace magnetic stripe cards
with secure EMV chip cards because it will devalue U.S.
payments data for criminals.
This is mainly because, if stolen,
EMV data cannot be used to create usable counterfeit payment
cards. And countries that have implemented EMV have seen
counterfeit card fraud decline by as much as 67 percent. The
positive news is that the U.S. payment system is already more
than two years into a plan to four-year migration to EMV chip
technology.
    Next, I want to tell you more about EMV chip cards and how
they address counterfeit card fraud. EMV is the name of the
global standard for chip payment cards and is based on widely
used and highly secure smart card technology. Today, 45 percent
of the total payment cards in circulation and 76 percent of the
POS terminals installed globally are this EMV-enabled device.
    EMV prevents counterfeit card fraud in two ways. The first
way is the secure storage of the cardholder data inside the
chip rather than on the magnetic stripe. Even if the chip data
were to be copied, it cannot be used to create another chip
card using the same data. Also, EMV transaction data excludes
other data needed for magnetic stripe transactions, so it
cannot be used to make fraudulent transactions in an EMV or
magnetic stripe environment.
    The second way is by a one-time unique code called a
cryptogram generated by the chip during each payment
transaction. The cryptogram proves that the card is authentic
and that the transaction data was unique to that card.
Therefore, any use of the same unique card data would be
detected and the transaction denied.
    To put these security benefits into perspective, if EMV
chip card data had been present in the retailer systems that
were recently victimized, the impact of that data breach would
have been significantly lessened for the merchant, the card
issuers, and the consumers due to the greatly reduced risk of
counterfeiting and resulting card fraud.
    The U.S.
migration to EMV is complex, expensive, and
difficult to coordinate, especially for debit cards. The U.S.
payment market, which is larger than all of Europe combined, is
the largest individual market to convert to chip cards. This
migration has been driven by the payment brands in the form of
a fraud liability shift that aligns around targeted migration
dates starting in October 2015. After these dates, the
responsibility for fraud resulting from a payment transaction
will shift away from the party using the most secure
technology. This fraud liability shift is the most effective
approach to ensure each party in the payments transaction makes
the investment in chip technology.
    To date, an estimated 15 to 20 million chip payment cards
have been issued to U.S. consumers and retailers have replaced
approximately 1 million of the estimated 10 million point-of-
sale terminals.
    In summary, the predominant use of magnetic stripe payment
cards contributes greatly to the U.S. financial markets being
targets for cyber thefts and counterfeit card fraud. While a
move to EMV chip payments in the United States is a complex and
expensive undertaking, it is a critical one that will benefit
our entire payment system. I am encouraged by the payments
industry and merchants' recognition that we need to move to EMV
chip technology quickly and by the fact that chip cards are
being used now and retailers are moving to put in place the
chip-enabled terminals to begin accepting chip transactions by
the industry's target dates.
    I thank you for your attention and I welcome any questions
from the Committee.
    [The prepared statement of Mr. Vanderhoof follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Broun. Mr. Vanderhoof, thank you so much. I think
we have time for one more.
    Mr. Brookman, if you would please limit it to five minutes
and then we will recess and come back right after votes.
We
have eight more minutes before the clock runs out, and as
Members know, it will be held open for a while.
    So, Mr. Brookman.

               TESTIMONY OF MR. JUSTIN BROOKMAN,

                  DIRECTOR, CONSUMER PRIVACY,

               CENTER FOR DEMOCRACY & TECHNOLOGY

    Mr. Brookman. Absolutely. Thank you, Chairman Broun,
Chairman Bucshon, Ranking Members Maffei and Lipinski. Thank
you very much for the opportunity to testify here today.
    I am here today on behalf of the Center for Democracy &
Technology. We are a digital rights advocacy group based here
in D.C. and I head up our work on commercial data privacy. Some
of us like me are lawyers but we also have technologists on
staff who focus on internet architecture, encryption, and
cybersecurity.
    We have been concerned about the issue of data security for
some time. We have supported state efforts to require
notification to consumers in the event of data breach, and we
have encouraged the Federal Trade Commission to aggressively
pursue bad data security cases under its general commercial
protection authority.
    Unfortunately, it appears that the current policy solutions
in place have been insufficient to staunch the proliferation of
personal data breach. Just last week, the FTC announced that
identity theft was the number one source of consumer complaints
for the 14th year in a row. Moreover, the problem seems to be
getting worse and not better. For one thing, there is more and
more attack surface for malicious actors to target. Even the
food trucks where I get my lunch every day accept credit card
payments through smart readers attached to their phones. And
people increasingly use credit cards for $1 and $2 purchases
due to improvements in technology and purchase flows.
    The proliferation of financial account usage is of course
tied to the bigger issue of big data in general.
It is now
easier for companies to collect and analyze all sorts of
information about us, not just based on how we use their
services but possibly supplemented by third-party data brokers
as well. And it is cheaper for them to maintain these files,
too. As storage technology advances, it is just simpler to keep
old data around forever.
    And it is notable that Target was the subject of what was
possibly the largest data breach in history because Target had
been discussed in privacy circles recently for different
reasons. Last year, it was revealed that Target was developing
very sensitive predictive analytics technologies about the
people who shop there, analyzing what they bought to develop
profiles about what sort of people they were. And the most
famous story coming out of that was there was a father who
stormed into Target one afternoon complaining his daughter was
receiving pregnancy-related coupons from Target, for diapers or
prenatal vitamins, and he said how dare they; she is just a
teenager, and then comes back a couple days later and
apologizes that it turns out Target was right in this
particular case.
    It is worth noting that this sort of sensitive information,
information about what we buy, what we read, where we go, who
we associate with, that is at risk, too, in the big data world.
Target didn't just lose information about 40 million financial
accounts; they also allegedly lost 70 million profiles from its
customer relationship management database. Did that include in
there assessments of all their shoppers possibly supplemented
with third-party data? We don't know.
    We believe these issues should be addressed together.
First, the United States should have comprehensive data privacy
and security legislation. We are one of the few developed
nations in the world that doesn't have baseline protections for
all personal information.
The FTC has tried to use its limited
general consumer protection mandate to better protect privacy
and data security, but that authority is currently being
challenged in court by Wyndham Hotels. In that case, the FTC
argued that Wyndham Hotels' use of objectively poor data
security to safeguard consumer data constituted an unfair
business practice under Section 5 of the FTC Act. Wyndham has
refused to accept responsibility for its poor security
management and is challenging the FTC's authority to go after
bad security practices.
    We believe technology has a really important role to play
in limiting data breach incidents, but we do not believe that
Congress should enact specific technological data security
solutions. That would embed current practices in the law and
limit innovation in the future. Rather, policymakers should
enact laws that strongly incentivize companies to safeguard
personal data with significant consequences for companies that
fail to use reasonable security practices.
    Now, for financial account information, there are some
actually pretty good incentives under the law right now.
Companies who undergo a financial data breach have to absorb
the cost of data breach notification to consumers,
investigation, credit monitoring, loss to consumer goodwill,
and then payment to the issuing bank for potential violation of
PCI standards.
    Yesterday, it was reported that Target has already spent
over $60 million in the breach from last year, and in 2007, TJX
Corporation reported that they had spent over $250 million from
their data breach incident.
    However, it is not clear that these potential costs are
sufficiently internalized today within corporate decision-
making. Organizations and people in general unfortunately have
a tendency to under-evaluate small percentage chances of very
bad things happening. And that appears to be what is happening
with data security.
Companies are convincing themselves it
won't happen to them, and there are many cases failing to
adequately account for security risks.
    We believe that strengthening the FTC's authority to go
after bad security practices along with the authority to obtain
civil penalties for bad security would help push companies in
the right direction. We also believe that legislation should
require companies to develop privacy and security plans and to
adhere to privacy and security-by-design principles. The
companies are encouraged to think proactively and
prophylactically about data privacy and security from the very
beginning of product and system development that will result in
better outcomes for all consumers.
    Thank you very much for the opportunity to testify and I
look forward to your questions.
    [The prepared statement of Mr. Brookman follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Broun. Thank you, Mr. Brookman.
    We are going to recess until after this vote series.
Members, be aware that we are going to resume 10 minutes after
the last vote begins, so please hurry back. My Democratic
colleagues have agreed to that, so we will recess and be back.
    Gentlemen, thank you for your patience, appreciate it.
    [Recess]
    Chairman Broun. Okay. We will reconvene this hearing, and I
appreciate all the witnesses' patience with us and particularly
Mr. Chabinsky. I appreciate your patience. Maybe we saved the
best for last, but anyway, I have always been very concerned
about privacy issues and I know you are, too.
    Mr. Chabinsky, you have five minutes.

               TESTIMONY OF MR. STEVEN CHABINSKY,

            SENIOR VICE PRESIDENT OF LEGAL AFFAIRS,

                       CROWDSTRIKE, INC.;

               FORMER DEPUTY ASSISTANT DIRECTOR,

         FEDERAL BUREAU OF INVESTIGATION-CYBER DIVISION

    Mr. Chabinsky. Thank you.
Good morning, Chairmen Broun and
Bucshon, Ranking Members Maffei and Lipinski, and distinguished
Members of the Subcommittees.
    I am pleased to appear before you today to discuss the role
of technology in protecting Americans from international
cybercrime. I have spent over 15 years committed to reducing
the security risks associated with emerging technologies. And
the observations and conclusions I am sharing today in my
individual capacity are the culmination of a career spent in
government--mostly with the FBI--industry, and academia.
    First, I would like to address the cyber threat landscape.
Over the past 10 years, industry has faced a well-orchestrated
hacking epidemic. Foreign intelligence services are siphoning
off our intellectual property and weakening American
competitiveness, while organized criminal groups steadily gain
access to corporate and consumer credentials that have been
used to defraud Americans out of billions of dollars.
    On the nation-state side, China and Russia continue to
engage in massive cyber economic espionage campaigns that
impact thousands of corporate victims daily.
    With respect to financially motivated cybercrime, a
disproportionate amount of it appears to be tied to Eastern
Europe. On the FBI's current cyber most wanted list, for
example, 7 of the 10 individuals have connections either to
Russia, Ukraine, or Latvia.
    Next, I would like to discuss our failed cybersecurity
strategy. We keep spending more and more money and the problem
keeps getting worse. I propose this is because we are focusing
on the wrong part of the solution.
Faced with the choice of
trying to make our systems impenetrable--also known as
vulnerability mitigation--or trying instead or at least an
equal part to dissuade people from hacking into our systems in
the first place--which would be threat deterrence--we have
focused our resources almost entirely on the former,
vulnerability mitigation. Our failed strategy dramatically
raises the costs to the victims without substantially raising
the costs to the bad guys. In fact, our failed strategy has
potential victims fearing for the loss of their data more than
actual hackers are fearing for the loss of their freedom.
    We spend without end on vulnerability mitigation, despite
it being well-understood that completely securing networks is a
daunting, impossible task even for the most experienced. There
simply is no chance that industry can consistently withstand
intrusion attempts from foreign intelligence services and
global organized crime groups. As a result, improving our
security posture requires that we reconsider rather than simply
redouble the nature of our efforts.
    Fundamentally, we need to ensure that our cybersecurity
strategies, technologies, market incentives, and international
dialogue focus greater attention on the challenges of more
quickly detecting and mitigating harm while in parallel
locating and penalizing bad actors. Doing so also would align
our cybersecurity efforts with the security strategies we use
in the physical world.
    In the physical world, vulnerability mitigation efforts
certainly have their place. We take reasonable precautions to
lock our doors and windows, but we do not spend an endless
amount of resources in hopes of becoming impervious to crime.
Instead, to counter determined thieves, we ultimately concede
that an adversary can gain unlawful entry, but through the use
of burglar alarms and video cameras, we shift our focus towards
instant detection, attribution, threat response, and recovery.
    When the alarm monitoring company calls a business owner at
3:00 a.m., it does not say we just received an alarm that your
front door was broken into, but don't worry, we have called the
locksmith. Rather, it is only obvious, immediately necessary
and the reason people purchase alarm systems, that they call
the police to stop the felon.
    It is surprising then and suggests a larger strategic
problem that in the world of cyber, when the intrusion
detection system goes off, the response has been to call the
chief information security officer and perhaps even the CEO to
explain what went wrong and to demand that they prevent it from
happening again.
    In answer to the question of this hearing, technology can
play a vital role in protecting Americans from international
cybercrime, but to achieve that result, technology must be used
in greater part to achieve threat deterrence. In that way,
businesses and consumers will benefit from improved, sustained
cybersecurity and will enjoy those benefits at lower costs.
    Thank you for the opportunity to testify today. I would be
happy to answer any questions you may have.
    [The prepared statement of Mr. Chabinsky follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairman Broun. Thank you, Mr. Chabinsky.
    I want to thank the witnesses for your testimony, now
reminding Members that Committee rules limit questioning to
five minutes. The Chair will open the first round of questions.
The Chair recognizes himself for five minutes.
    I ask this of all five of you.
What is the fastest and the \nbest way to get new innovations deployed to protect the safety, \nprivacy, and security of consumers' financial data? Government \nmandates that pick technological winners and losers or allowing \nmaximum competition for customers in the market by companies \noffering innovative security solutions and consumer protections \nagainst new, evolving, and changing threats that go way beyond \nthe requirements of a static law?\n    Start with Mr. Romine.\n    Dr. Romine. Thank you, Mr. Chairman. I think it is clear \nthat in order to maintain the kind of innovation that is needed \non the defensive side for us to protect our assets and our \nnetworks, we have to be just as agile as the innovation that is \ntaking place with our malefactors. And so, I think having \nadditional regulation is probably not the answer from our \nperspective. We have a voluntary program associated, for \nexample, as I talked to earlier in my testimony about the \ncybersecurity framework for critical infrastructures that NIST \nworked on, and that is a purely voluntary program in part \nbecause we believe that that enables the private sector to \nmaintain an innovative approach to the kind of defenses that \nare needed.\n    Chairman Broun. Very good. Mr. Russo?\n    Mr. Russo. Thank you for the question. I think the PCI \nSecurity Standards Council is uniquely qualified to do exactly \nwhat you are looking for. We have a network of over 1,000 \nmerchants, banks, vendors, associations worldwide that submit \nfeedback to us on a regular basis indicating what they are \nseeing in their region and then their particular verticals, and \nall of this is factored into creating the absolute best \ndefenses that we can to protect this data. Right now, I think \nthat the best defense against a breach are the PCI standards.\n    Chairman Broun. Very good. Mr. Vanderhoof?\n    Mr. Vanderhoof. Yes, thank you. 
There really needs to be \nmultiple layers of security around payments data, so certainly \nwe need to devalue the data that currently exists in this \nsystem, and there are alternative technologies using chip \ntechnology, as well as other techniques such as tokenization \nthat are being developed to try to accomplish that goal.\n    Also, we certainly need to continue to strengthen the \nnetworks that are using this data and the efforts that have \nbeen made by the PCI Council and by other cybersecurity best \npractices are going a long way towards doing that. And I think \nwe need to also maintain and invoke strong enforcement of when \ndata breaches do occur in terms of trying to track down the \npeople responsible for that and preventing future breaches from \nhappening.\n    Chairman Broun. Mr. Brookman.\n    Mr. Brookman. Yes. So I certainly don't think that \nlegislatively prescribing technological solutions is a good \nidea. However, I think it would be a good idea to maybe \nstrengthen the Federal Trade Commission's authority to go after \nbad data security practices. Right now, that authority is \nsomewhat unclear, and even when they do bring those cases, they \ndon't have the ability to get penalties for bad practices.\n    So I think strengthening them, creating more incentives for \ncompanies and for banks and for merchants to deploy better \ntechnological solutions is probably the best approach.\n    Chairman Broun. Mr. Chabinsky?\n    Mr. Chabinsky. Thank you, Mr. Chairman.\n    I think fundamentally we need a bit more research and \ndevelopment in the area of return on investment. It is very \ndifficult for us to understand whether the value of security \nthat is being proposed in the marketplace will have a \ncommensurate benefit as to the cost. We have heard a lot within \nthis hearing as well as prior ones about the costs of \nimplementing certain solutions, in certain cases mounting into \nthe billions of dollars. 
And it is very difficult for industry \nto understand whether or not that is a benefit that outweighs \nthe cost that we are seeing. So I would suggest that this \nCommittee is in a good position to explore government research \nthat would spend more time looking at the metrics of success \nand the return on investment.\n    Chairman Broun. Okay. Thank you, Mr. Chabinsky.\n    Mr. Chabinsky. Thank you.\n    Chairman Broun. I have a question for all of you. As a \nphysician, I am very concerned particularly with the question \nabout protection of privacy and security in the healthcare \nindustry and the insurance industry. I have half a minute left. \nDoes anybody want to take on what we can do to protect privacy \nin patient records and that sort of thing?\n    Mr. Vanderhoof.\n    Mr. Vanderhoof. Yes, thank you, Chairman.\n    I think the problem we have with the imposed changes that \nare happening in the healthcare system around the use of \nelectronic data for health records is that we have failed to be \nable to authenticate who are the actual individuals that have \nauthorized access to that data and be able to positively \nidentify the individual that owns that data so that when health \ninformation is being digitized and being used and shared across \ndifferent professional entities, there needs to be a way to \nprotect the access to that information and so that that \ninformation can't be then stolen and be used for other \npurposes. And having this ability to strengthen the health IT \nsystem in similar ways is really another way forward to making \nsure that consumer health information stays protected.\n    Chairman Broun. Thank you, Mr. Vanderhoof.\n    My time is expired, but I would like for all five of you to \nanswer that question for the record in written form.\n    And, as a physician, I am very concerned about a central \nrepository of all health records. 
I think there should be a \nbetter way so that patients control their own electronic \nmedical records and not the Federal Government and not an \ninsurance agent or the insurance industry. And so I would \nappreciate any input from all of you.\n    My time is expired. Mr. Maffei, you are recognized for five \nminutes.\n    Mr. Maffei. Thank you, Mr. Chairman.\n    I guess I will start with Dr. Romine. Where are these \nthreats and incursions coming from generally? I mean where are \nthe criminals, if you will, coming from?\n    Dr. Romine. So I think there are a number of places, and I \nthink Mr. Chabinsky is absolutely right. Some of them are \nintelligence services from other governments seeking our \nintellectual property for their competitive advantage. Some of \nthem are organized crime, highly organized and capable, and \nthose are international as well. So I think, Mr. Chabinsky is \naccurate on that score.\n    Mr. Maffei. Mr. Russo, you and I talked about this a little \nbit. Do you have an idea of how many are external to the United \nStates? Is there any way to trace that or figure that out?\n    Mr. Russo. There probably isn't a good way to trace that. \nObviously, some of the major breaches that we are seeing now \nare being perpetrated from outside the United States. As a \nmatter of fact, I picked up a USA Today this morning and there \nwas a big article about this malware coming from someplace \noutside of the United States as well.\n    I would agree with Mr. Chabinsky. I think one of the areas \nthat we would like to see a little more help in is bringing \nsome of these people to justice, stiffer fines, and the ability \nto stop this thing. We are basically in an arms race when it \ncomes to security, and while we are staying up with them and \nstaying ahead in some cases, you need to be vigilant all the \ntime. And unfortunately, many businesses are not vigilant 365, \n24/7, and hackers need to be vigilant one day.\n    Mr. Maffei. Right. 
Exactly.\n    Mr. Chabinsky, do you have any--I--DD is--are there any \nestimates about how many threats are from outside the United \nStates? And also if you have a related comment.\n    Mr. Chabinsky. I don't--I am not aware of any actual \nestimates but I think it is only natural that hackers being \nable to remotely gain access are less likely to hit \ndomestically where they are. Right? So you would see that other \nnations are experiencing hacking that would include hacking \nfrom the United States and that we are more likely to then have \nhacking from abroad.\n    Certainly, there is no doubt that a lot of the financial \nfraud that we are seeing tends to be led or have strong ties to \nEastern Europe. But equally true, those groups even that have \nthose ties to Eastern Europe are global in nature and we have \nseen groups that are operating in dozens of countries \nsimultaneously, hitting hundreds of cities at once. We saw one \nring that was able to hit ATMs throughout the world in a 24-\nhour period and steal in excess of $9 million within 24 hours \non the ground. This turned out to be a proof of concept. A \ngroup later did it, stealing $45 million. So it is certainly \nglobal.\n    I would say in that regard that law enforcement is well \naware of that and the FBI for its part has a legal attache \nprogram that they are using in no small part to help protect \nAmericans against cyber threats. They have embedded agents not \nonly within the embassies there but there are a number of \nnation-states that have invited our own law enforcement to sit \nside-by-side with them in their national Federal law \nenforcement agencies just to combat cyber. In that regard, the \nFBI has cyber agents sitting side-by-side with cyber agents of \nother countries in Estonia, Ukraine, the Netherlands, Romania, \nand Latvia. Those are very helpful models to build on this \ninternational aspect of cybercrime law enforcement.\n    Mr. Maffei. 
So most of the time other countries are \ncooperative with our efforts and we are with theirs?\n    Mr. Chabinsky. That is absolutely correct.\n    Mr. Maffei. But are there some instances of state \nsponsorship that we know of, anybody on the panel?\n    Mr. Chabinsky. There are. China and Russia are certainly \nthe most heavily invested in state-sponsored espionage. The \nrelationship between nation-state espionage and cybercrime is \nuncertain in most areas. There certainly is a lot of \ninformation indicating that there can be an unsteady alliance \nat times between nation-states and criminal enterprises either \nbecause at the lower level of law enforcement, not typically at \nthe Federal level, there could be corruption of state and local \naw enforcement protection, and at the higher levels, there may \nbe an uneasy alliance where criminals are actually helping the \nintelligence service for nation-state aims while on the side \nbeing able to get rich quick, if you will, on criminal \nactivities for which the nation-state might look the other way.\n    Mr. Maffei. Do we know where the data breach at Target \noriginated?\n    Mr. Chabinsky. I am not prepared today to discuss that \nmatter.\n    Mr. Maffei. Anybody else know or--Mr. Russo, do you have \nany idea? Okay.\n    Well, I would submit to the Committee that this is an \nimportant--I appreciate the Chairman--the two Chairmen for \nholding this hearing but that this is also a severe national \nsecurity concern. And the fact that we don't even know how many \nof these threats are coming from outside the United States I \njust think, you know, makes it important to have additional \nscrutiny. So I will also be bringing it up in my other \nCommittee, which is the Armed Services Committee, although that \nmay not be the right one either, maybe Homeland Security. I am \nnot sure.\n    But I really appreciate us a drawing attention to it in \nthis hearing.\n    Thank you, Mr. Chairman.\n    Chairman Broun. 
Thank you, Mr. Maffei.\n    And I am on Homeland Security and we have looked into these \nissues and we will continue to do so.\n    Dr. Bucshon, you are recognized for five minutes.\n    Mr. Bucshon. Thank you, Mr. Chairman.\n    On April 16 of last year, the House overwhelmingly passed \ntwo bipartisan Science Committee bills to assist the private \nsector and other domestic organizations to secure their \ninformation systems. Each bill got over 400 votes.\n    The first is H.R. 756, the Cybersecurity Enhancement Act, \nwhich requires a government-wide IT security R&D plan, \nauthorizes the National Science Foundation basic research on \ncybersecurity with scholarships and support for cybersecurity \neducation, human resource development, and directs NIST to \ncoordinate Federal activities on international cybersecurity \ntechnical standards development.\n    The other bill is H.R. 967, the Networking and Information \nTechnology R&D, or NITRD Act. It updates the NITRD program on \ncybersecurity and it focuses the NITRD program on R&D to \ndetect, prevent, resist, respond to, and recover from actions \nthat compromise or threaten to compromise the availability, \nintegrity, or confidentiality of computer and network-based \nsystems. Unfortunately, neither one of these bills have been \ntaken up in the Senate and so right now they are kind of in \nlimbo.\n    The question I have is to the entire panel. Would these \nbills help protect Americans from international cyber \ncriminals? And maybe we should suggest that the Senate pass the \nbills if that is the case.\n    So I will start with Dr. Romine.\n    Dr. Romine. Thank you. There are many provisions of these \nbills that are very constructive in addressing the very complex \nissue of cybersecurity, and NIST has had a very close working \nrelationship in collaboration or discussions with the entire \nCommittee and your Subcommittee and your staff and we look \nforward to continuing to engage on that.\n    Mr. 
Russo. Thank you, Congressman. The Council does not \nendorse or comment on any specific legislation, but these bills \ncertainly represent concepts that we support.\n    Mr. Vanderhoof. Yes, and likewise, the Smart Card Alliance \ndoes not advocate on behalf of any specific legislation. \nHowever, in principle, we certainly do believe that more \nresearch can be done to help stimulate private industry in \nterms of looking for creative solutions to try to fight \ncybercrime.\n    Mr. Brookman. My office does take positions on legislation. \nWe have not taken positions on these two bills. I think there \nare some really good things in there that are incredibly \nimportant and would be productive. My only caveat would be I \nwould want to ensure that additional funding and research was \ngiven to NIST to fulfill the requirements that they would do \nunder those bills and not take away from existing resources.\n    Mr. Chabinsky. Chairman Bucshon, I fully support the goals \nof both bills. I believe that in order to protect our economic \nand national security, including better protecting Americans \nfrom international cybercrime, the Federal Government must \nincrease its investment in research and development, as well as \nin cyber workforce development.\n    I would respectfully recommend only that this Committee \nkeep an eye on how government-supported R&D resources are \nallocated, keeping in mind that the best long-term strategy for \nprotecting Americans from criminals, whether they are near or \nfar, is in my opinion not through enhanced defenses but rather \nthrough better detection of, attribution of, and penalties \nagainst the criminals themselves.\n    These bills can promote the goals of enhancing cyber threat \ndeterrence, and I am grateful for the attention of the \nCommittee in advancing them.\n    Mr. Bucshon. Thank you very much. I want to make one \ncomment. 
I think on this whole issue that the American public \nis very acutely aware of the privacy issues related to \ncybersecurity but not as aware of--in my opinion when I talk to \npeople--of what the threats and the risk to breaches in \ncybersecurity are because of the attention brought by the \nnational media leaning more towards the privacy issue, which is \nan extremely important issue of course.\n    But I think all of us could in some way be helpful by \nexposing more of what the risk actually is other than just \nlosing your credit card data, which is very important of \ncourse, but a bigger issue is, for example, if half of America \nall of a sudden loses power suddenly or the entire country \nloses power or our GPS system shuts down, what the risk of that \nis.\n    Mr. Romine and Mr. Russo, is the private sector capable of \nsuccessfully developing and following security standard for \nitself or does it need government assistance or oversight?\n    Dr. Romine. So in this case, the NIST position is clear \nthat in the development of the cybersecurity framework we \nworked very closely and collaboratively with the private sector \nand we believe that those voluntary approaches are in fact \ngoing to be very effective.\n    I would say government assistance, however, in the sense \nthat NIST has been acting as a convener for those discussions, \nis very helpful.\n    Mr. Bucshon. Mr. Russo, quickly, because my time is up.\n    Mr. Russo. I would agree. The standards are adaptable. They \nare developed in collaboration with a huge amount of input \nglobally, so I think we are uniquely qualified to handle \nspecifically payment card data.\n    Mr. Bucshon. Thank you very much. I yield back, Mr. \nChairman.\n    Chairman Broun. Thank you, Dr. Bucshon.\n    My friend Dan Lipinski, you are recognized for five \nminutes.\n    Mr. Lipinski. Thank you, Mr. Chairman. I want to thank \nChairman Bucshon for talking about those two bills. 
You saved \nme a little bit of time. I want to especially mention the \nCybersecurity Enhancement Act, which is the bill that I have \ndone with Congressman McCaul. In past Congresses also, and as \noften happens, we are waiting for the Senate to act. Hopefully, \nthey will move soon on that.\n    So that moves me into my next question, which is for Mr. \nBrookman and Mr. Romine, but anyone else can jump in.\n    Technology plays an important role in countering cyber \nthreats, but we all know that there are important other factors \nthat can contribute to cyber attacks also. Human factors often \nhelp facilitate successful cyber intrusions by individuals who \nmistakenly or incorrectly give up passwords or open up emails \nfrom strangers, for instance, or they make their password \n``password,'' as was mentioned earlier.\n    From a cybersecurity and cyber policy perspective, how do \nwe begin to address those elements to help counter cyber \nattacks? That is, what is the importance of social science \nresearch especially to look at the problems of cybersecurity \nthat come from human factors, and what can be done to encourage \npeople to practice better cyber hygiene?\n    So let's start with Mr. Brookman.\n    Mr. Brookman. Sure. So I am not a researcher but I know \nthere is a lot of good social science research going on on \nthese issues. I know Carnegie Mellon University, for example, \nDr. Lorrie Cranor, also UC Berkeley has done some really good \nwork with Chris Hoofnagle, Stanford, Alicia McDonald, did a lot \nof looking into these issues about what kind of nudges you can \ngive to folks to do the right thing. I don't know how much \ntheir research has been implemented in the marketplace.\n    From a policy perspective, I think the most important thing \nyou can do is to put the incentives in place to make companies \nmake the right decision that if they have a liability, they are \nthe ones who have to push people to do harder passwords. 
I \nthink it is very hard to prescribe that at a Federal level, but \nI think, you know, putting stronger incentives on companies \nto--in the event that they let people do passwords, then \nperhaps their liability I think is probably the best solution.\n    Mr. Lipinski. All right. Dr. Romine?\n    Dr. Romine. Thank you. I am pleased to be able to say that \nmy laboratory has an active research program in the usability \nof security. We have staff of psychologists, human factors, \nengineers, computer scientists that are working on this \nproblem.\n    And I would like to make a couple of points. One is, of \ncourse, regulating behavior is often not going to be as \neffective as making strides in usability. The goal is to make \nit easy to do the right thing, make it hard to do the wrong \nthing, and make it easy to recover when the wrong thing happens \nanyway.\n    And the other thing I would say is this idea that there is \na tradeoff between usability and security is a false dichotomy. \nThe fact is that you can actually achieve better security, more \nrealized security if you improve the usability of the security \nand particularly the identity management that you are \nundertaking.\n    Mr. Lipinski. Does anyone else want to comment on that at \nall?\n    Let me move on then to the notification of these cyber \nbreaches. There is currently no Federal data breach \nnotification regulation. For many cyber tests, consumers are \nnot notified for days or longer after a company realizes it has \nbeen successfully attacked. And Mr. Chabinsky had talked about \nwhat usually is the--what the response is. Can each of you give \nus very briefly your thoughts on requiring a national data \nbreach notification requirement? Let's start with Mr. Chabinsky \nand go across.\n    Mr. Chabinsky. I fully support the goals of a national data \nbreach law. 
Right now, industry is subjected to I think at last \ncount it is 46 different data breach statutes on the books \nacross our land. That is making it very difficult not only for \nconsumers to get any sort of consistent approach in data breach \nnotification but for industry to actually have the confidence \nand ability to react in a quick way across so many different \njurisdictions.\n    Mr. Brookman. Yes. We are really ambivalent on the need for \na Federal data breach notification. As you said, there are 46 \nStates, so it is by and large already required. Making it more \nseamless, easier to have a data breach notification is arguably \nsomewhat counterproductive, right? If it is easier for you to \ncomply, well, then there is less incentive for you to get \nsecurity right in the first place. So we think in order to be \neffective, you have to pair it with something else, some sort \nof comprehensive privacy or security requirements to make that \neffective for consumers.\n    Mr. Vanderhoof. Yes, I definitely support some uniform data \nbreach notification guidelines for industry rather than having \na state-by-state approach because it does provide industry with \na better framework by which they can set up their procedures to \nbe able to uniformly inform their customers when a breach \noccurs.\n    I would only caution that notifying customers when a breach \noccurs and then notifying them what their risks are and what \nthey are able to do to address those risks is still going to be \nup to the individual organization that has been breached, and \ntherefore, there still needs to be control within the \nindividual organization in terms of how they manage the \nrelationship with their customers.\n    Mr. Russo. Congressman, as I indicated, the Council does \nnot speak on legislation, but generally, we support awareness \nof these types of issues.\n    Mr. Lipinski. Thank you. Dr. Romine?\n    Dr. Romine. 
And I would agree that a further discussion \nneeds to take place on whether that is an advisable approach. \nFrom my perspective as a NIST representative, it is outside the \ntechnical scope of our activities.\n    Mr. Lipinski. All right. Thank you very much. I yield back.\n    Chairman Broun. Thank you, Dan.\n    Mr. Kilmer, you are recognized for five minutes.\n    Mr. Kilmer. Thank you, Mr. Chairman.\n    I was going to start with Mr. Chabinsky. I am a member of \nthe Armed Services Committee. In fact, I just came from there \nso apologies for being late. I know the military doesn't defend \nitself from cyber attacks by software alone. You know, they use \na system of personnel training and physical security and IT to \nguard against would-be attackers. Does industry follow that \napproach, and if not, what percentage of risk would be--would \ninvestments in enhanced IT hardware and software cover?\n    Mr. Chabinsky. Thank you for the question, Congressman \nKilmer.\n    Industry does absolutely follow the same approach. That \napproach is in fact developed by NIST and adopted under FISMA. \nBasically, you are talking about three different controls that \nare put into place under a risk framework. 
There are technical \ncontrols and much of what the focus of this Committee is on the \ntechnology, and then we have already heard about the \nadministrative controls, about trying to work with our \npersonnel to ensure effective enforcement of our policies, and \nthen physical controls, making sure people don't actually have \naccess to our servers.\n    Those are exactly the same types of controls that are \nadopted in private sector standards that are international as \nwell and that have been rolled out again in an actually quite \nelegant form in the cybersecurity framework.\n    I would, of course, note that the military systems \nthemselves have been breached on numerous occasions and have \nnot been able to withstand the onslaught of intelligence \nservices, nor have the private sector. So I think everybody is \nworking in a situation in which they are doing the best that \nthey can following similar standards, but again, we are talking \nabout an area where risk is controlled but there remains an \nunfortunately large amount of residual risk in this area.\n    Mr. Kilmer. I am going to touch on something that there has \nbeen some discussion around already. I was a few months back in \na meeting with a number of folks in the IT space and we were \ntalking about cybersecurity issues, and the conversation found \nits way to how companies implement protection, invest in new \nsoftware, and adopt best practices on avoiding cyber attack. \nAnd one of the folks in the room said, you know, governments--\nit is not the government's role to force compliance or force \nprotection. And I asked the question, you know, can government \nin some way incent good cyber hygiene and incent compliance? Do \nyou think government as it stands right now provides any \nincentive to industry to take steps it should to protect \nitself? And if so, how? And if not, what might that look like?\n    Dr. Romine. 
So speaking again from the perspective of the \ndevelopment of the cybersecurity framework that was just \nreleased last month, there have been discussions in place with \nregard to DHS helping with the voluntary program and they have \nrolled out something that they call now C3, which is their \napproach to providing assistance in using the framework. But \nthere has always been, in addition to that, discussions about \nincentives that could be provided from the government, and \nthose discussions would be productive going forward as well.\n    Mr. Kilmer. Anything specific? I mean, go ahead, Mr. \nVanderhoof.\n    Mr. Vanderhoof. Thank you, Mr. Kilmer. So you mentioned the \nDepartment of Defense, which still today is pretty much the \ngold standard in terms of protecting its networks and \ncybersecurity effects. And what they did was they invested in \ntheir identity credentials to make those authentication \ntechnologies as strong as they possibly can so that they know \nwho is allowed to be within their network to help prevent those \npeople that are not allowed to be in the network from getting \nin the network.\n    And the government has adopted this common standard across \nthe entire Federal enterprise using secure chip technology and \nhave actually extended that technology standard that was set by \nNIST to the commercial entities that also do business with \ngovernment.\n    So what has proven to be very effective on the commercial \nside has been government leading by example of protecting \nitself first, extending that level of standard for protection \nfor commercial entities doing business with the government, and \nthen that in turn has stimulated investment in those \ntechnologies that are then translated into the commercial \nspaces well.\n    Mr. Brookman. I will say that for financial data I think \nthe law does provide some pretty strong incentives. Data breach \nnotification is incredibly painful and expensive. 
The PCI rules \nI think put pretty strong incentives there. For other \ncategories of consumer data, though, I think they are actually \nvery poor, including a lot of health data, right? To the extent \nhealth data is not governed by HIPAA and HITECH, to the extent \nyou give information to an app or to some online service, there \nare very little protections at all security-wise.\n    The Federal Trade Commission has tried to be aggressive \nwith its consumer protection authority, but even when they win, \nthey can't get any money. They just say, okay, promise to use \nbetter security in the future. So I think there should be \nstronger protections for other categories of consumer data.\n    Mr. Chabinsky. On the incentive side, Department of \nHomeland Security is doing good work right now with the \ninsurance industry to determine whether or not corporations \nwill be able to find a better market in insurance to be able to \ntransfer risk, and the insurance industry as a result is trying \nto think of ways that improved security will result in a market \nthat will be both cost-effective and beneficial. So I think \nthat that is one area that the government is working right now \non the incentives side.\n    Of course in a national data breach notification law, \nshould one exist, there is the potential to have certain safe \nharbors if certain encryption methodologies were in place or \notherwise. So, I think that there are a number of incentives.\n    Again, my only caution is using any comparison between the \nprivate sector and the government with respect to data security \nand network security to have a more realistic discussion about \nthe number of breaches that actually are actively being \nincurred against government systems with a lot of resources \nbeing put against them and mandates no less, not voluntary, and \nyet there still obviously are a lot of issues there.\n    Thank you.\n    Mr. Kilmer. Thank you. Thank you, Mr. 
Chairman.\n    Chairman Broun. The gentleman's time is expired.\n    I want to thank the witnesses for you all's valuable \ntestimony. I am southern. Y'all is plural for you all. But I \nwant to thank you all for you all's valuable testimony, and I \nreally want to thank you for your flexibility and for your \npatience. I know you have been just kind of jerked around a \nlittle bit by the weather and changing schedules and vote \nseries and you all have been extremely patient and extremely \nflexible with us. It has been a great hearing I think. All the \nMembers, I am sure, have garnered a tremendous amount of \ninformation from you all and we appreciate you all considering \ngetting back to us.\n    I want to remind Members that you all have a short period \nof time to get questions to them. In fact, in two weeks, we \nwill submit questions for you all to answer. We call them \nquestions for the record and they will be put in the record, \nand we appreciate your help on that.\n    So I do remind Members that if you have any additional \ncomments or any additional questions to please get them in \nexpeditiously.\n    Thank you all. You all are excused. This hearing is now \nadjourned.\n    [Whereupon, at 11:57 a.m., the Subcommittees were \nadjourned.]\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 [all]\n\x1a\n</pre></body></html>\n"