[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



                    CAN TECHNOLOGY PROTECT AMERICANS
                   FROM INTERNATIONAL CYBERCRIMINALS?

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON OVERSIGHT &
                 SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 6, 2014

                               __________

                           Serial No. 113-67

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
       Available via the World Wide Web: http://science.house.gov


                               __________

                         U.S. GOVERNMENT PRINTING OFFICE 

88-137 PDF                     WASHINGTON : 2014
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas                 ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois
    Wisconsin                        DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
PAUL C. BROUN, Georgia               DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida
MO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois             SCOTT PETERS, California
LARRY BUCSHON, Indiana               DEREK KILMER, Washington
STEVE STOCKMAN, Texas                AMI BERA, California
BILL POSEY, Florida                  ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky              MARK TAKANO, California
KEVIN CRAMER, North Dakota           ROBIN KELLY, Illinois
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS COLLINS, New York
VACANCY
                                 ------                                

                       Subcommittee on Oversight

                   HON. PAUL C. BROUN, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DAN MAFFEI, New York
    Wisconsin                        ERIC SWALWELL, California
BILL POSEY, Florida                  SCOTT PETERS, California
KEVIN CRAMER, North Dakota           EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                                 ------                                

                Subcommittee on Research and Technology

                   HON. LARRY BUCSHON, Indiana, Chair
STEVEN M. PALAZZO, Mississippi       DANIEL LIPINSKI, Illinois
MO BROOKS, Alabama                   FREDERICA S. WILSON, Florida
RANDY HULTGREN, Illinois             ZOE LOFGREN, California
STEVE STOCKMAN, Texas                SCOTT PETERS, California
CYNTHIA LUMMIS, Wyoming              AMI BERA, California
DAVID SCHWEIKERT, Arizona            DEREK KILMER, Washington
THOMAS MASSIE, Kentucky              ELIZABETH ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            ROBIN KELLY, Illinois
CHRIS COLLINS, New York              EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas


                            C O N T E N T S

                             March 6, 2014

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Paul C. Broun, Chairman, Subcommittee 
  on Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................     9
    Written Statement............................................     9

Statement by Representative Dan Maffei, Ranking Minority Member, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................    10
    Written Statement............................................    10

Statement by Representative Larry Bucshon, Chairman, Subcommittee 
  on Research and Technology, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................    11
    Written Statement............................................    11

Statement by Representative Daniel Lipinski, Ranking Minority 
  Member, Subcommittee on Research and Technology, Committee on 
  Science, Space, and Technology, U.S. House of Representatives..    12
    Written Statement............................................    12

Written statement by Representative Eddie Bernice Johnson, 
  Ranking Member, Committee on Science, Space, and Technology, 
  U.S. House of Representatives..................................    13

                               Witnesses:

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology
    Oral Statement...............................................    14
    Written Statement............................................    17

Mr. Bob Russo, General Manager, Payment Card Industry Security 
  Standards Council, LLC
    Oral Statement...............................................    26
    Written Statement............................................    28

Mr. Randy Vanderhoof, Executive Director, Smart Card Alliance
    Oral Statement...............................................    35
    Written Statement............................................    37

Mr. Justin Brookman, Director, Consumer Privacy, Center for 
  Democracy & Technology
    Oral Statement...............................................    51
    Written Statement............................................    54

Mr. Steven Chabinsky, Senior Vice President of Legal Affairs, 
  CrowdStrike, Inc.; Former Deputy Assistant Director, Federal 
  Bureau of Investigation - Cyber Division
    Oral Statement...............................................    65
    Written Statement............................................    67

Discussion.......................................................    75

             Appendix I: Answers to Post-Hearing Questions

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology.....    86

Mr. Bob Russo, General Manager, Payment Card Industry Security 
  Standards Council, LLC.........................................    91

Mr. Randy Vanderhoof, Executive Director, Smart Card Alliance....    97

Mr. Justin Brookman, Director, Consumer Privacy, Center for 
  Democracy & Technology.........................................   107

Mr. Steven Chabinsky, Senior Vice President of Legal Affairs, 
  CrowdStrike, Inc.; Former Deputy Assistant Director, Federal 
  Bureau of Investigation - Cyber Division.......................   112

 
  CAN TECHNOLOGY PROTECT AMERICANS FROM INTERNATIONAL CYBERCRIMINALS?

                              ----------                              


                        THURSDAY, MARCH 6, 2014

                  House of Representatives,
                       Subcommittees on Oversight &
                                    Research and Technology
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 9:36 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Paul Broun 
[Chairman of the Subcommittee on Oversight] presiding.

    Chairman Broun. Good morning, everyone. This joint hearing 
of the Subcommittee on Oversight and the Subcommittee on 
Research and Technology will come to order.
    Again, good morning and welcome to today's joint hearing. 
In front of you are packets containing the written testimony, 
biographies, and truth-in-testimony disclosures for today's 
witnesses.
    Before we get started, since this is a joint hearing 
involving two Subcommittees, I want to explain how we will all 
operate procedurally so all Members understand how the 
question-and-answer period will be handled. We will recognize 
those Members present at the gavel in order of seniority on the 
full Committee, and those coming in after the gavel will be 
recognized in order of arrival.
    Now, for the sake of time, in lieu of giving my statement, 
I will enter it into the record at this point.
    [The prepared statement of Mr. Broun follows:]

  Prepared Statement of Subcommittee on Oversight Chairman Paul Broun

    Good morning. Let me begin by extending a warm welcome to our 
witnesses and thank you all for appearing. I especially appreciate 
everyone's patience and flexibility--witnesses and Members alike--in 
making themselves available today given the weather interruption 
earlier this week.
    Today's hearing is titled ``Can Technology Protect Americans from 
International Cybercriminals?'' I hope you can all help us more fully 
answer that question and explore what specifically is being done to 
secure U.S. IT infrastructure.
    On the one hand, we are here this morning to review what appears to 
be a rash of recent attacks and successful breaches of American IT 
infrastructure and computer networks: Target; Neiman Marcus; Easton 
Sports; Michaels Stores; the University of Maryland; Blue Cross Blue 
Shield in New Jersey; and now maybe even Sears! A reported 823 million 
exposed records made 2013 a record year for data breaches. The majority 
of these data breaches hit businesses and health-care, followed by 
government, academic, and financial institutions, in that order. In 
fact, the Identity Theft Center, a non-profit organization that tracks 
data theft, reported that health-care insurance providers and 
organizations suffered 267 breaches, or 43 percent of all attacks in 
2013. That's significantly higher than the business sector, comprised 
of retailers, tech companies and others. It seems like an epidemic, and 
the clear implications of people's privacy being violated concerns me 
greatly.
    On the other hand, fraud and breaches within the retail credit card 
and debit card industry only amount to five-hundredths of 1% of sales, 
or five cents on the dollar. And that loss has been declining. In other 
words, more records are being exposed, but the financial damage may be 
less. Is this a growing problem justifying more attention and effort, 
or an example of the ongoing, successful efforts of the private sector, 
with the help of the government's experience, knowledge, and 
cooperation to counter these attacks? I take pride in noting that 
financial technology companies in my home state of Georgia handle over 
60 percent of all payment card transactions in America. These Georgia 
companies are industry leaders in consumer protection and data 
security, as documented in a February 23rd piece in the Peach Pundit by 
the CEO of the Electronic Transactions Association.
    Today, among other things, we will hear what the private sector is 
doing in response to the market forces of risk, cost, liability, and 
reward. I would suggest those free market incentives and disincentives 
and the right of free association and cooperation are sufficient and 
the most effective at addressing the evolving, quick-moving threat of 
sophisticated hacking organizations and cybercriminals. The fact that 
the payment industry and retailers have been actively working together 
to make the necessary investments to tighten credit card and debit card 
security next year by transitioning to ``smart or chip card'' 
technology is proof of that.
    Nevertheless, the organized, international nature of the new IT 
threat to intellectual property, trade secrets and other proprietary 
data, personally identifiable information, medical and insurance 
records, financial resources, and even top secret material, makes this 
a critical danger to our economic and national security. We will hear 
today that China and Russia are actively and aggressively waging 
economic war on us with massive hacking espionage campaigns. This is 
very disconcerting, and I look forward to the discussion about the role 
of law enforcement and intelligence capabilities to deter, detect, and 
punish global cybercrime syndicates, and whether they need more 
technological tools and resources.
    After all, before former FBI Director Robert Mueller stepped down, 
he declared that ``in the not too-distant-future we anticipate that the 
cyber threat will pose the greatest threat to our country.'' Well, it 
will be interesting to hear what the former FBI Deputy Assistant 
Director for Cyber, who served under Director Mueller, has to say in 
his testimony.

    Chairman Broun. And now, I will recognize my good friend, 
Mr. Maffei, for his statement.
    Mr. Maffei. Thank you, Mr. Chairman. And I will follow your 
lead and also ask unanimous consent to put my opening statement 
into the record. You have to say so ordered.
    Chairman Broun. Okay. Without objection.
    [The prepared statement of Mr. Maffei follows:]

            Prepared Statement of Subcommittee on Oversight
                   Ranking Minority Member Dan Maffei

    Cybercrime occurs on a daily basis. Widespread breaches, like the 
recent data breach at Target, affected up to 110 million people by 
exposing their personal data and credit card information. Smaller 
breaches can still have serious economic consequences. Last year, 
hackers with reported links to Al Qaeda engaged in hacking the phone 
systems of small businesses in New York, including in my district in 
Syracuse, New York. One of the companies hacked, an Albany-based dry 
cleaner, halted plans to expand in Syracuse because they were 
struggling to pay the $150,000 phone charges they incurred as a result 
of this attack. This particular breach resulted in more than 75,000 
minutes of overseas calls to Zimbabwe, Bosnia, the Congo, Libya and the 
Maldives.
    Last year alone half a billion records of personally identifiable 
information, including names, emails, credit card numbers and passwords 
were leaked through data breaches according to an IBM cyber-threat 
report. But many breaches go unreported. Others go undetected. The full 
scale and consequence of cybersecurity threats cannot be accurately 
assessed.
    When cybercriminals obtain credit card information on tens of 
millions of consumers from a retail establishment we all end up paying. 
Retailers have to pass along the costs for these security incidents 
through increased prices as a result of fraud, enhanced security 
upgrades, and potential litigation costs. When foreign governments 
infiltrate our government agencies, it jeopardizes our national and 
economic security. When an individual employee at a university, hospital 
or insurance company steals the digital data of students, patients or 
clients to engage in identity theft, there are real consequences for 
Americans.
    I do not believe there is a silver bullet to preventing cyber-
threats or eliminating the inadvertent disclosure of personal privacy-
related data. Technology alone cannot protect us. This is a 
multifaceted threat and requires a multi-pronged response. A 
combination of corporate awareness, federal policies, the proper 
implementation of security standards, employee and consumer training, 
and due diligence along the chain of information play a critical role 
in confronting this growing cyber menace.
    There are some technical solutions that can certainly help in 
countering this threat. The migration of so-called E-M-V chip cards in 
the U.S. and the use of ``chip and PIN'' transactions can play a role. 
While this will help counter fraudulent person-to-person transactions, 
they will not stop all fraudulent transactions, like online sales where 
a card is not present. Online retail sales in the U.S. alone are 
expected to grow from $231 billion in 2012 to $370 billion by 2017, 
making online financial transactions an even more appealing avenue for 
cybercriminals.
    Standards are another technical solution that can play a key role 
in helping secure IT systems against a wide-range of cyber-threats. The 
National Institute of Standards and Technology recently released its 
``Framework for Improving Critical Infrastructure Cybersecurity.'' This 
guide can help federal agencies and private industry alike implement 
reliable and robust IT networks that are as safe and secure as 
possible.
    I am concerned however, that industry is not doing enough to 
protect itself and to protect our data from these various cyber 
threats. The Payment Card Industry (or PCI) has its own Security 
Standards Council and we have a witness from the council testifying 
here today. His testimony clearly says--quote: ``the PCI Standards are 
the best line of defense against the criminals seeking to steal payment 
card data.'' While the efforts of the industry to police itself are 
laudable, a recent 2014 report by Verizon called the ``PCI Compliance 
Report'' found that only 11.1 percent of the payment card industry 
companies that it surveyed in 2013 were ``fully'' compliant with the 
PCI ``Data Security Standard.'' This was a decline of nearly 50 percent 
from the 2010 Verizon ``PCI Compliance Report'' that showed 22 percent 
of companies in the Payment Card Industry surveyed in 2009 were 
``fully'' compliant with this standard.
    It is unclear why the application of these industry endorsed 
standards has declined but it is a troubling trend. This is 
particularly troubling since even the PCI Security Standards Council 
has said that they have seen a correlation between successful cyber-
attacks and the lack of compliance with its standards. We need to 
figure out a way to either incentivize industry to act or to mandate a 
requirement that they must act.
    It is important that we explore these issues to help understand 
what the private sector is doing to protect consumer data and how we 
can be effective partners. But I think it is equally important to 
understand what the commercial market is doing with consumer data.
    We are all sharing more data with more sources all the time. As we 
share more personal data the opportunities for that data to be stolen, 
sold or lost escalates. We provide detailed financial data to our 
banks. Our local grocery store knows the food we eat, the beverages we 
drink and the toothpaste we use. Facebook knows who we associate with, 
our favorite movies, books and vacation spots. Google Maps knows where 
we've been and where we're going. How private industry maintains this 
data, for how long and how securely is important to every consumer, 
including me. I hope that Mr. Brookman, a consumer privacy expert from 
the Center for Democracy & Technology, and one of our witnesses here 
today, can offer some suggested guidance on how Congress should be 
thinking about these issues that affect the privacy and security of all 
of us.
    I look forward to hearing from our witnesses and I appreciate the 
Chairman calling this hearing today. I yield back.

    Mr. Maffei. And the only thing I will say is I want to 
thank you, Mr. Chairman, and also Chairman Bucshon and Ranking 
Member Lipinski for having this hearing. I see the Chairman of 
the full Committee is here and I want to thank him and my good 
friend Elizabeth Esty is also here, too.
    So this is a very important and substantive issue and I 
really appreciate you doing this and I think it is a very good 
issue for our Committee to be looking at.
    I yield back.
    Chairman Broun. Thank you, Mr. Maffei. I now recognize Dr. 
Bucshon for his statement.
    Mr. Bucshon. Chairman, I also ask unanimous consent to 
submit my statement for the record.
    Chairman Broun. Without objection, so ordered.
    [The prepared statement of Mr. Bucshon follows:]

     Prepared Statement of Subcommittee on Research and Technology
                         Chairman Larry Bucshon

    I would like to welcome everyone to today's hearing on the role of 
technology in protecting Americans from cybercriminals.
    As Dr. Broun stated, many Americans have experienced security 
breaches in the past few years. Universities, small grocery stores and 
retailers in Indiana have all experienced security breaches recently. 
Along with the national retailer security breaches we have heard about 
recently in the news, these smaller instances show how all individuals 
and consumers are threatened by this growing problem.
    According to a poll conducted by Defense News, leaders in national 
security policy, the military, congressional staff, and the defense 
industry believe cybersecurity is the top threat to our national 
security.
    While there is no question the federal government plays a role in 
preventing these security breaches, we must ensure we are using our 
resources as efficiently and effectively as possible.
    The Science, Space and Technology Committee was responsible for two 
pieces of relevant legislation that passed the House last year.
    H.R. 756, the Cybersecurity Enhancement Act, strengthens 
coordination and provides for strategic planning of cybersecurity 
research and development between government agencies. While the federal 
effort to prevent cyber attacks from happening is commendable, we must 
ensure that these well-intentioned programs are not duplicative or 
inefficient.
    Another piece of legislation that the House passed last year is 
H.R. 967, the Advancing America's Networking and Information Technology 
Research and Development Act, which also provides for coordination of 
the federal investment in research and development of unclassified 
networking, computing and cybersecurity technology.
    These two Science Committee bills both passed the House 
overwhelmingly with bipartisan support but have been stalled in the 
Senate, which has not yet indicated if they will act on these vital 
bills or not. It is my hope that we will see the Senate move these 
bills forward soon with the active help and support of the 
cybersecurity community and its stakeholders.
    I want to thank the witnesses for participating in today's hearing 
and look forward to their testimony on private sector initiatives and 
how we can help leverage these efforts.

    Chairman Broun. Mr. Lipinski, you are recognized for your 
statement.
    Mr. Lipinski. You mean I don't get everyone's five minutes 
for 20 minutes total?
    No, thank you, Mr. Chairman. Thank you for holding this 
hearing. It is a very important issue as we keep seeing 
unfortunately more cyber attacks and hacking, other ways of 
stealing people's personal information, so I thank you for 
holding this hearing.
    I ask unanimous consent to submit my opening statement for 
the record.
    Chairman Broun. Without objection, so ordered.
    [The prepared statement of Mr. Lipinski follows:]

      Prepared Statement of Subcommittee on Research & Technology
                  Ranking Minority Member Dan Lipinski

    Thank you Mr. Chairman. And thank you to our witnesses for being 
here today after some rescheduling earlier in the week.
    I've spoken in this Committee many times about the threats posed by 
cybercrime, and each time there have been recent and potentially more 
serious attacks to illustrate the point. This time, data breaches at 
Target and Neiman Marcus collectively resulted in over 100 million 
records being stolen in the form of personal and credit card 
information. In total, payment card fraud was responsible for over 11 
billion dollars in losses in 2012, with around half of that amount 
coming from the US. And this figure doesn't account for many other 
losses associated with identity theft.
    Simply put, cybercrime threatens businesses of all sizes and every 
single American. As such, reducing our risk and improving the security 
of cyberspace will take the collective effort of both the Federal 
Government and the private sector, as well as scientists, engineers, 
and the general public.
    Research efforts by the Federal Government and standards developed 
in conjunction with the private sector will play a big part in 
addressing cybercrime. The NSF and NIST have lead roles in these 
respective tasks. I'm interested in hearing more from Dr. Romine about 
NIST's recent efforts in these areas including the cybersecurity 
framework for critical infrastructure released last month.
    However, it's worth pointing out that it doesn't matter how good 
our technology is or how current our standards are if people don't use 
the technology correctly or adopt the standards. You can have the most 
up-to-date server in the world, but if someone doesn't change the 
default password or chooses an easily guessed password, no system will 
be safe. Consider that a Verizon report found that last year only 11% 
of companies surveyed were fully compliant with PCI standards. In many 
ways, people are the weakest link in this process, and understanding 
how people make decisions--and encouraging better decisions--through 
social science research must be a part of our efforts to mitigate risk.
    To help address some of our nation's cyber threats, Congressman 
McCaul and I have introduced the Cybersecurity Enhancement Act during 
the last three congresses. The bill would improve cybersecurity by 
building strong public-private partnerships, improving the transfer of 
cybersecurity technologies to the marketplace, training a cybersecurity 
workforce for both the public and private sectors, and coordinating and 
prioritizing federal cybersecurity R&D efforts. We passed the bill in 
the House last year but are still awaiting action in the Senate. 
Hopefully with increased focus on cybersecurity issues we can finally 
break through the logjam and get the Senate to act on a bipartisan bill 
that will address our most immediate research and workforce needs.
    Once again, thank you Mr. Chairman for holding this hearing. I look 
forward to hearing from our witnesses. And with that, I yield back.

    Chairman Broun. Now, I recognize the Chairman of the full 
Committee for his statement if he so desires. Mr. Smith.
    Chairman Smith. Thank you, Mr. Chairman. I will ask my 
opening statement be made a part of the record as well.
    Chairman Broun. Without objection, so ordered.
    Chairman Broun. Now, if there are any other Members who 
wish to submit an opening statement, your statements will be 
added to the record at this point.
    [The prepared statement of Ms. Johnson follows:]

   Prepared Statement of Full Committee Ranking Member Eddie Bernice 
                                 Johnson

    Thank you, Mr. Chairman. This morning we are examining how 
technology can help protect Americans against cyber-attacks.
    Unfortunately, we have seen a string of cyber-attacks recently. 
Last year, Target suffered a massive data breach resulting in the loss 
of millions of debit and credit card numbers. Neiman Marcus, a store 
based in my home state of Texas, experienced a data breach that 
involved over a million credit and debit cards last year as well. These 
breaches exposed the financial and personal information of millions of 
Americans.
    Data breaches are devastating. They cause Americans to lose trust 
in private and public institutions and result in significant economic 
losses. Data breaches can also result in intellectual property losses, 
which can include a company's research and development, leading to 
millions and billions of dollars in lost profits. The Ponemon Institute 
estimates that the cost of data breaches due to fines, loss of 
intellectual property, customer trust and capital equal $136 per 
lost record. This translates into $68 billion in losses globally last 
year alone.
    This morning we will hear about computer chip-based credit cards, 
known as the ``chip-and-pin'' cards. Although it seems like these 
``chip-and-pin'' cards would help reduce counterfeiting of stolen 
credit cards, it is not clear that they would have prevented the recent 
attacks on Target and Neiman Marcus. To help prevent further similar 
cyber-attacks, we will need other technologies.
    But new technologies alone will not prevent cyber-attacks. New 
technologies will need to be paired with training and education 
efforts. Email attachments carrying malware are the most common way 
attackers get into a computer. To stop that from happening, we need 
training and education about proper computer security for employees and 
individuals.
    There are a number of federal efforts in this area including at the 
National Institute of Standards and Technology, which has played an 
important role in cybersecurity efforts for decades. NIST is the agency 
tasked with developing standards and guidelines for Federal information 
systems.
    Additionally, NIST is the lead agency for the National Initiative 
for Cybersecurity Education; they developed the National Strategy for 
Trusted Identities in Cyberspace; they run a National Cybersecurity 
Center of Excellence; and they maintain a National Vulnerability 
Database.
    We are fortunate to have Dr. Romine here this morning who can tell 
us more about these and additional cybersecurity efforts at NIST. Last 
month, NIST released a Framework for Improving Critical Infrastructure 
Cybersecurity, which provides a common language for understanding and 
managing cybersecurity risks. In our discussion of new technologies, we 
should be discussing how the federal government can incentivize the 
public sector to adopt cybersecurity best practices and standards that 
are included in the Framework.
    To prevent cyber-attacks will take an all-hands-on-deck approach. I 
look forward to working with my colleagues on both sides of the aisle 
on how the federal government can help with the development and 
adoption of new cybersecurity technologies.
    I would like to thank the witnesses for being here today. Thank 
you, Mr. Chairman. I yield back the balance of my time.

    Chairman Broun. At this time I would like to introduce our 
panel of witnesses. Our first witness is Dr. Charles Romine, 
Director of the Information Technology Laboratory at the 
National Institute of Standards and Technology, NIST. Our 
second witness is Mr. Bob Russo, General Manager of the Payment 
Card Industry Security Standards Council. Our third witness is 
Mr. Randy Vanderhoof, Executive Director of the Smart Card 
Alliance. And our fourth witness is Mr. Justin Brookman, 
Director of Consumer Privacy at the Center for Democracy & 
Technology. Gentlemen, welcome. We are glad to have all of you 
here today.
    Our final witness is Mr. Chabinsky, Senior Vice President 
of Legal Affairs at CrowdStrike, Incorporated; Former Deputy 
Assistant Director at the Federal Bureau of Investigation's 
FBI's Cyber Division. I welcome you, too, sir. I apologize. I 
was rushing along to get into this hearing because we are going 
to have votes very shortly.
    And so just for everybody's information, we are going to 
try to get through all of our witnesses' statements as quickly 
as possible. If you would, try to limit your testimony to five 
minutes each. You will have a light in front of you. When it 
turns red, please be through so we can try to hear everybody 
before we have to run off to vote and then we will come back 
for questions. We will get as far along as we can.
    As the witnesses should know, spoken testimony is limited 
to five minutes. Then, after that, Members will have five 
minutes each to ask you all questions. Upon the hearing, we 
will submit questions for the record, and please expeditiously 
answer these questions and get them back to the Committee.
    Now, it is the practice of this Subcommittee on Oversight 
to receive testimony under oath. If you would all please stand 
and raise your right hand unless you have an objection to 
taking an oath. Does anybody have an objection to taking an 
oath?
    No. Okay. I see them all shake their head side to side 
indicating no.
    Okay. Do you solemnly swear and affirm to tell the whole 
truth and nothing but the truth, so help you God?
    Very good. Please be seated.
    Let the record reflect that all the witnesses participating 
have taken the oath.
    Now, I recognize Dr. Romine for five minutes.

         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Thank you. Chairmen Broun and Bucshon, Ranking 
Members Maffei and Lipinski, and Members of the Subcommittees, 
I am Dr. Charles Romine, the Director of the Information 
Technology Lab at NIST. Thank you for the opportunity to 
discuss NIST's role in cybersecurity and our perspective on 
recent cyber thefts.
    Cyber thefts can occur at a scale unlike physical crimes. 
As we know, one breach can affect thousands if not millions of 
citizens. Cyber thefts are often perpetrated at the speed of 
electronic transactions, making interception difficult and 
placing a strong reliance on preventative security controls.
    In response to the hearing title ``Can Technology Protect 
Americans from International Cyber Criminals?'' my response 
would be that it takes a holistic approach that includes 
technology, training and awareness, policy, legal, economic, 
and international efforts to bring cyber theft and other cyber 
threats under control.
    I will discuss some of NIST's activities that accelerate 
the development and deployment of security technologies and 
assist our stakeholders and partners in protecting their 
information and communications infrastructure against cyber 
threats.
    In the area of cybersecurity, NIST has worked with Federal 
agencies, industry, and academia since 1972. Our role--to 
research, develop, and deploy information security standards 
and technology to protect information systems against threats 
to the confidentiality, integrity, and availability of 
information and services--was strengthened through the Computer 
Security Act of 1987 and reaffirmed through the Federal 
Information Security Management Act of 2002 known as FISMA.
    NIST accomplishes its mission in cybersecurity through 
collaborative partnerships. The resulting NIST special 
publications and interagency reports provide operational and 
technical security guidelines for Federal agencies and cover a 
broad range of topics such as electronic authentication and 
malware.
    NIST maintains the National Vulnerability Database, or NVD, 
a repository of standards-based vulnerability management 
reference data which enables security automation capabilities 
for all organizations. The payment card industry uses the NVD 
vulnerability metrics to discern the IT vulnerability in point-
of-sale devices and determine acceptable risk.
    NIST researchers develop and standardize cryptographic 
mechanisms used worldwide to protect information. The NIST 
algorithms and guidelines are developed in a transparent and 
inclusive process leveraging cryptographic expertise around the 
world. The results are in standard interoperable cryptographic 
mechanisms that can be used by all.
    The impact of NIST's activities under FISMA extends beyond 
enabling protection of federal IT systems. They provide the 
cybersecurity foundations for the public trust that is 
essential to realizing the national and global economic 
productivity and innovation potential of electronic business.
    Many organizations voluntarily follow NIST's standards and 
guidelines reflecting their worldwide acceptance. NIST works 
extensively in smart card standards and guidelines. NIST 
developed the standard for the U.S. Government personal 
identity verification card and actively works on global 
cybersecurity standards for use in smart cards, smart card 
cryptography, and others.
    As you know, NIST spent the last year working to convene 
the U.S. critical infrastructure sectors to build a 
cybersecurity framework as part of Executive Order 13636. This 
cybersecurity framework released last month was created through 
collaboration between industry and government and consists of 
standards, guidelines, and practices to promote the protection 
of critical infrastructure. The framework is already being 
implemented by industry, adopted by infrastructure sectors, and 
is reducing cyber risks to our critical infrastructure, 
including the finance industry.
    The 2013 data breach investigations report noted that in 
2012 76 percent of network intrusions exploited weak or stolen 
credentials. Target has revealed that the compromised 
credential of one of its business partners was the vector used 
to access its network.
    NIST houses the National Program Office for the National 
Strategy for Trusted Identities in Cyberspace, or NSTIC, which 
is addressing this most commonly exploited vector of cyber 
attack, the inadequacy of passwords for authentication. NSTIC 
is addressing this issue by collaborating with the private 
sector, including funding 12 pilots, to catalyze a marketplace 
of better identity and authentication solutions.
    Another critical component of NIST's cybersecurity work is 
the National Cybersecurity Center of Excellence, a partnership 
between NIST, the State of Maryland, Montgomery County, and the 
private sector, which is accelerating the adoption of applied, 
standards-based solutions to cybersecurity challenges. NIST 
recognizes our essential role in helping counter cyber theft 
and cyber threats. We look forward to continuing our work along 
with our federal government partners, private sector 
collaborators, and international colleagues to improve upon the 
comprehensive set of technical solutions, standards, 
guidelines, and best practices necessary to realize this 
vision.
    Thank you for the opportunity to testify today on NIST's 
work in cybersecurity and to share some of the specific work we 
do to assist organizations to reduce risks due to cyber theft, 
and I would be happy to answer any questions.
    [The prepared statement of Dr. Romine follows:]



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Broun. Thanks, Dr. Romine.
    Mr. Russo, you are recognized for five minutes.

                  TESTIMONY OF MR. BOB RUSSO,

        GENERAL MANAGER, PAYMENT CARD INDUSTRY SECURITY

                     STANDARDS COUNCIL, LLC

    Mr. Russo. Thank you. My name is Bob Russo and I am the 
General Manager of the PCI Security Standards Council, a global 
industry initiative and membership organization focused on 
securing payment card data. Our approach to an effective 
security program combines people, process, and technology as 
key components of protecting payment card data. We believe that 
development of standards to protect payment card data is 
something the private sector and specifically PCI is uniquely 
qualified to do. The global reach, expertise, and flexibility 
of PCI have made it critical and vital.
    Our community of over 1,000 of the world's leading 
businesses is tackling data security challenges from simple 
issues--for instance, the word ``password'' is still the most 
commonly used password out there--to really complicated issues 
like proper encryption. Consumers are understandably upset when 
their payment card data is put at risk, and we know the harm 
caused by data breaches.
    The Council was created to proactively protect consumers' 
payment card data. Our standards represent a solid foundation 
for a multilayered security approach. We focus on removing card 
data if it is no longer needed. Simply put, if you don't need 
it, don't store it. If you do need it, then protect it. Reduce 
the incentives for criminals to steal it. Let me tell you how 
we do that.
    The Data Security Standard is built on 12 principles that 
cover everything from physical security to logical security and 
much more. This standard is updated regularly through feedback 
from our global community. In addition, we have developed other 
standards that cover payment software, point-of-sale devices, 
the secured manufacturing of cards, and much, much more.
    We work on technologies like tokenization and point-to-
point encryption to help reduce the amount of card data kept in 
systems and devalue that information. Tokenization and point-
to-point encryption work in concert with other PCI standards to 
offer additional protections.
    Another technology, EMV chip, is an extremely effective 
method of reducing card fraud in a face-to-face environment. 
That is why the Council supports its adoption in the United 
States through organizations such as the EMV Migration Forum. 
And our standards support EMV today in other worldwide markets.
    However, EMV chip is only one piece of the puzzle. 
Additional controls are needed to protect the integrity of 
payments online and in other channels. These include 
encryption, tamper-resistant devices, malware protection, 
network monitoring, and more. These are all addressed within 
the PCI standards. Used together, EMV chip and PCI can provide 
strong protections for payment card data.
    But effective security requires much more than just 
standards. Standards without supporting programs are only tools 
and not solutions. The Council's training and certification 
programs have educated tens of thousands of individuals and 
make it easy for businesses to choose products that have 
already been lab-tested and certified as secure.
    Finally, we conduct global campaigns to raise awareness of 
payment card security.
    We welcome the Committee's attention to this critical 
issue. The recent compromises underscore the importance of a 
multilayered approach to payment card security, and there are 
clear ways in which the government can help, for example, by 
leading stronger law enforcement efforts worldwide and by 
encouraging stiffer penalties for these crimes. Promoting 
information sharing between public and private sectors also 
merits attention.
    The Council is an active collaborator with government. We 
work with NIST, with DHS, and many other government entities. 
We are ready and willing to do much more. The recent breaches 
underscore the complex nature of payment card security. A 
multifaceted problem cannot be solved by a single technology, 
standard, mandate, or regulation. It cannot be solved by a 
single sector of society. We must work together to protect the 
financial and privacy interests of consumers.
    Today, as this Committee focuses on recent data breaches, 
we know that the criminals are focusing on inventing the next 
attacks. There is no time to waste. The PCI Standards Council 
and business must continue to provide multilayered security 
protections while Congress leads the efforts to combat global 
cybercrimes that threaten us all.
    We thank the Committee for taking a leadership role in 
seeking solutions to one of the largest security concerns of 
our time.
    [The prepared statement of Mr. Russo follows:]



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Broun. Thank you, Mr. Russo.
    The buzzer that you hear is for votes on the Floor of the 
House and so we are going to have to go shortly. We have time 
for Mr. Vanderhoof to give your testimony for five minutes. 
And, for Members' information, we will recess right after Mr. 
Vanderhoof finishes. We will go vote. It is going to be a long 
series of votes, probably about an hour, maybe a little more. 
We will come back for Mr. Brookman and Mr. Chabinsky's 
statement.
    And so, Mr. Vanderhoof, you are recognized for five 
minutes. Please keep it within five minutes. Thank you.

               TESTIMONY OF MR. RANDY VANDERHOOF,

                      EXECUTIVE DIRECTOR,

                      SMART CARD ALLIANCE

    Mr. Vanderhoof. Chairman Broun and Chairman Bucshon and 
Members of the Subcommittee, on behalf of the Smart Card 
Alliance and its members, I thank you for the opportunity to 
testify today.
    The Smart Card Alliance is a nonprofit organization that 
provides education about smart card chip technology and 
applications. In 2012, the Alliance formed the EMV Migration 
Forum to convene all payments industry stakeholders to advance 
the migration to EMV in the United States. Collectively, the 
two organizations have more than 370 member organizations, 
including American Express, Discover, MasterCard, and Visa and 
financial institutions, merchants, and other payments industry 
participants.
    My testimony will be about payment security and the 
increasing threat of cybercrime to steal vulnerable payment 
data, how EMV chip cards and terminals make payments more 
secure, and the state of the U.S. migration towards EMV.
    As this hearing recognizes, the increasing instances of 
cybercrime in the United States highlight the need for EMV chip 
cards. Cybercrime criminals are increasingly targeting retail 
store chains. The FBI found at least 22 instances of this in 
the past year. Attacks on retailers are particularly damaging 
because a single attack can cause millions of dollars' worth of 
credit card fraud and create the need to close and reissue tens 
of millions of payment card accounts.
    The increase in attempted data breaches on retail systems 
is due in part to the fact that the U.S. magnetic stripe card 
data is highly valued by hackers who can sell it on the black 
market to criminals for large profits. For example, the black 
market price for several million card accounts believed to be 
stolen from the Target breach was between $27 and $45 each for 
a period of time. Criminals pay such high prices for U.S. 
magnetic stripe card data because it is easy to use it to 
create counterfeit payment cards. This is why the United States 
is the only region in the world where counterfeit card fraud 
continues to grow.
    It is in our best interest to replace magnetic stripe cards 
with secure EMV chip cards because it will devalue U.S. 
payments data for criminals. This is mainly because, if stolen, 
EMV data cannot be used to create usable counterfeit payment 
cards. And countries that have implemented EMV have seen 
counterfeit card fraud decline by as much as 67 percent. The 
positive news is that the U.S. payment system is already more 
than two years into a planned four-year migration to EMV chip 
technology.
    Next, I want to tell you more about EMV chip cards and how 
they address counterfeit card fraud. EMV is the name of the 
global standard for chip payment cards and is based on widely 
used and highly secure smart card technology. Today, 45 percent 
of the total payment cards in circulation and 76 percent of the 
POS terminals installed globally are EMV-enabled.
    EMV prevents counterfeit card fraud in two ways. The first 
way is the secure storage of the cardholder data inside the 
chip rather than on the magnetic stripe. Even if the chip data 
were to be copied, it cannot be used to create another chip 
card using the same data. Also, EMV transaction data excludes 
other data needed for magnetic stripe transactions, so it 
cannot be used to make fraudulent transactions in an EMV or 
magnetic stripe environment.
    The second way is by a one-time unique code called a 
cryptogram generated by the chip during each payment 
transaction. The cryptogram proves that the card is authentic 
and that the transaction data was unique to that card. 
Therefore, any use of the same unique card data would be 
detected and the transaction denied.
    To put these security benefits into perspective, if EMV 
chip card data had been present in the retailer systems that 
were recently victimized, the impact of that data breach would 
have been significantly lessened for the merchant, the card 
issuers, and the consumers due to the greatly reduced risk of 
counterfeiting and resulting card fraud.
    The U.S. migration to EMV is complex, expensive, and 
difficult to coordinate, especially for debit cards. The U.S. 
payment market, which is larger than all of Europe combined, is 
the largest individual market to convert to chip cards. This 
migration has been driven by the payment brands in the form of 
a fraud liability shift that aligns around targeted migration 
dates starting in October 2015. After these dates, the 
responsibility for fraud resulting from a payment transaction 
will shift away from the party using the most secure 
technology. This fraud liability shift is the most effective 
approach to ensure each party in the payments transaction makes 
the investment in chip technology.
    To date, an estimated 15 to 20 million chip payment cards 
have been issued to U.S. consumers and retailers have replaced 
approximately 1 million of the estimated 10 million point-of-
sale terminals.
    In summary, the predominant use of magnetic stripe payment 
cards contributes greatly to the U.S. financial markets being 
targets for cyber thefts and counterfeit card fraud. While a 
move to EMV chip payments in the United States is a complex and 
expensive undertaking, it is a critical one that will benefit 
our entire payment system. I am encouraged by the payments 
industry and merchants' recognition that we need to move to EMV 
chip technology quickly and by the fact that chip cards are 
being used now and retailers are moving to put in place the 
chip-enabled terminals to begin accepting chip transactions by 
the industry's target dates.
    I thank you for your attention and I welcome any questions 
from the Committee.
    [The prepared statement of Mr. Vanderhoof follows:]



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Broun. Mr. Vanderhoof, thank you so much. I think 
we have time for one more.
    Mr. Brookman, if you would please limit it to five minutes 
and then we will recess and come back right after votes. We 
have eight more minutes before the clock runs out, and as 
Members know, it will be held open for a while.
    So, Mr. Brookman.

               TESTIMONY OF MR. JUSTIN BROOKMAN,

                  DIRECTOR, CONSUMER PRIVACY,

               CENTER FOR DEMOCRACY & TECHNOLOGY

    Mr. Brookman. Absolutely. Thank you, Chairman Broun, 
Chairman Bucshon, Ranking Members Maffei and Lipinski. Thank 
you very much for the opportunity to testify here today.
    I am here today on behalf of the Center for Democracy & 
Technology. We are a digital rights advocacy group based here 
in D.C. and I head up our work on commercial data privacy. Some 
of us like me are lawyers but we also have technologists on 
staff who focus on internet architecture, encryption, and 
cybersecurity.
    We have been concerned about the issue of data security for 
some time. We have supported state efforts to require 
notification to consumers in the event of data breach, and we 
have encouraged the Federal Trade Commission to aggressively 
pursue bad data security cases under its general commercial 
protection authority.
    Unfortunately, it appears that the current policy solutions 
in place have been insufficient to staunch the proliferation of 
personal data breaches. Just last week, the FTC announced that 
identity theft was the number one source of consumer complaints 
for the 14th year in a row. Moreover, the problem seems to be 
getting worse and not better. For one thing, there is more and 
more attack surface for malicious actors to target. Even the 
food trucks where I get my lunch every day accept credit card 
payments through smart readers attached to their phones. And 
people increasingly use credit cards for $1 and $2 purchases 
due to improvements in technology and purchase flows.
    The proliferation of financial account usage is of course 
tied to the bigger issue of big data in general. It is now 
easier for companies to collect and analyze all sorts of 
information about us, not just based on how we use their 
services but possibly supplemented by third-party data brokers 
as well. And it is cheaper for them to maintain these files, 
too. As storage technology advances, it is just simpler to keep 
old data around forever.
    And it is notable that Target was the subject of what was 
possibly the largest data breach in history because Target had 
been discussed in privacy circles recently for different 
reasons. Last year, it was revealed that Target was developing 
very sensitive predictive analytics technologies about the 
people who shop there, analyzing what they bought to develop 
profiles about what sort of people they were. And the most 
famous story coming out of that was there was a father who 
stormed into Target one afternoon complaining his daughter was 
receiving pregnancy-related coupons from Target, for diapers or 
prenatal vitamins, and he said how dare they; she is just a 
teenager, and then comes back a couple days later and 
apologizes that it turns out Target was right in this 
particular case.
    It is worth noting that this sort of sensitive information, 
information about what we buy, what we read, where we go, who 
we associate with, that is at risk, too, in the big data world. 
Target didn't just lose information about 40 million financial 
accounts; they also allegedly lost 70 million profiles from their 
customer relationship management database. Did that include in 
there assessments of all their shoppers possibly supplemented 
with third-party data? We don't know.
    We believe these issues should be addressed together. 
First, the United States should have comprehensive data privacy 
and security legislation. We are one of the few developed 
nations in the world that doesn't have baseline protections for 
all personal information. The FTC has tried to use its limited 
general consumer protection mandate to better protect privacy 
and data security, but that authority is currently being 
challenged in court by Wyndham Hotels. In that case, the FTC 
argued that Wyndham Hotels' use of objectively poor data 
security to safeguard consumer data constituted an unfair 
business practice under Section 5 of the FTC Act. Wyndham has 
refused to accept responsibility for its poor security 
management and is challenging the FTC's authority to go after 
bad security practices.
    We believe technology has a really important role to play 
in limiting data breach incidents, but we do not believe that 
Congress should enact specific technological data security 
solutions. That would embed current practices in the law and 
limit innovation in the future. Rather, policymakers should 
enact laws that strongly incentivize companies to safeguard 
personal data with significant consequences for companies that 
fail to use reasonable security practices.
    Now, for financial account information, there are some 
actually pretty good incentives under the law right now. 
Companies who undergo a financial data breach have to absorb 
the cost of data breach notification to consumers, 
investigation, credit monitoring, loss to consumer goodwill, 
and then payment to the issuing bank for potential violation of 
PCI standards.
    Yesterday, it was reported that Target has already spent 
over $60 million in the breach from last year, and in 2007, TJX 
Corporation reported that they had spent over $250 million from 
their data breach incident.
    However, it is not clear that these potential costs are 
sufficiently internalized today within corporate decision-
making. Organizations and people in general unfortunately have 
a tendency to under-evaluate small percentage chances of very 
bad things happening. And that appears to be what is happening 
with data security. Companies are convincing themselves it 
won't happen to them, and in many cases are failing to 
adequately account for security risks.
    We believe that strengthening the FTC's authority to go 
after bad security practices along with the authority to obtain 
civil penalties for bad security would help push companies in 
the right direction. We also believe that legislation should 
require companies to develop privacy and security plans and to 
adhere to privacy and security-by-design principles. When 
companies are encouraged to think proactively and 
prophylactically about data privacy and security from the very 
beginning of product and system development, the result will be 
better outcomes for all consumers.
    Thank you very much for the opportunity to testify and I 
look forward to your questions.
    [The prepared statement of Mr. Brookman follows:]



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Broun. Thank you, Mr. Brookman.
    We are going to recess until after this vote series. 
Members, be aware that we are going to resume 10 minutes after 
the last vote begins, so please hurry back. My Democratic 
colleagues have agreed to that, so we will recess and be back.
    Gentlemen, thank you for your patience, appreciate it.
    [Recess]
    Chairman Broun. Okay. We will reconvene this hearing, and I 
appreciate all the witnesses' patience with us and particularly 
Mr. Chabinsky. I appreciate your patience. Maybe we saved the 
best for last, but anyway, I have always been very concerned 
about privacy issues and I know you are, too.
    Mr. Chabinsky, you have five minutes.

               TESTIMONY OF MR. STEVEN CHABINSKY,

            SENIOR VICE PRESIDENT OF LEGAL AFFAIRS,

                       CROWDSTRIKE, INC.;

               FORMER DEPUTY ASSISTANT DIRECTOR,

         FEDERAL BUREAU OF INVESTIGATION-CYBER DIVISION

    Mr. Chabinsky. Thank you. Good morning, Chairmen Broun and 
Bucshon, Ranking Members Maffei and Lipinski, and distinguished 
Members of the Subcommittees.
    I am pleased to appear before you today to discuss the role 
of technology in protecting Americans from international 
cybercrime. I have spent over 15 years committed to reducing 
the security risks associated with emerging technologies. And 
the observations and conclusions I am sharing today in my 
individual capacity are the culmination of a career spent in 
government--mostly with the FBI--industry, and academia.
    First, I would like to address the cyber threat landscape. 
Over the past 10 years, industry has faced a well-orchestrated 
hacking epidemic. Foreign intelligence services are siphoning 
off our intellectual property and weakening American 
competitiveness, while organized criminal groups steadily gain 
access to corporate and consumer credentials that have been 
used to defraud Americans out of billions of dollars.
    On the nation-state side, China and Russia continue to 
engage in massive cyber economic espionage campaigns that 
impact thousands of corporate victims daily.
    With respect to financially motivated cybercrime, a 
disproportionate amount of it appears to be tied to Eastern 
Europe. On the FBI's current cyber most wanted list, for 
example, 7 of the 10 individuals have connections either to 
Russia, Ukraine, or Latvia.
    Next, I would like to discuss our failed cybersecurity 
strategy. We keep spending more and more money and the problem 
keeps getting worse. I propose this is because we are focusing 
on the wrong part of the solution. Faced with the choice of 
trying to make our systems impenetrable--also known as 
vulnerability mitigation--or trying instead, or at least in 
equal part, to dissuade people from hacking into our systems in 
the first place--which would be threat deterrence--we have 
focused our resources almost entirely on the former, 
vulnerability mitigation. Our failed strategy dramatically 
raises the costs to the victims without substantially raising 
the costs to the bad guys. In fact, our failed strategy has 
potential victims fearing for the loss of their data more than 
actual hackers are fearing for the loss of their freedom.
    We spend without end on vulnerability mitigation, despite 
it being well-understood that completely securing networks is a 
daunting, impossible task even for the most experienced. There 
simply is no chance that industry can consistently withstand 
intrusion attempts from foreign intelligence services and 
global organized crime groups. As a result, improving our 
security posture requires that we reconsider rather than simply 
redouble the nature of our efforts.
    Fundamentally, we need to ensure that our cybersecurity 
strategies, technologies, market incentives, and international 
dialogue focus greater attention on the challenges of more 
quickly detecting and mitigating harm while in parallel 
locating and penalizing bad actors. Doing so also would align 
our cybersecurity efforts with the security strategies we use 
in the physical world.
    In the physical world, vulnerability mitigation efforts 
certainly have their place. We take reasonable precautions to 
lock our doors and windows, but we do not spend an endless 
amount of resources in hopes of becoming impervious to crime. 
Instead, to counter determined thieves, we ultimately concede 
that an adversary can gain unlawful entry, but through the use 
of burglar alarms and video cameras, we shift our focus towards 
instant detection, attribution, threat response, and recovery.
    When the alarm monitoring company calls a business owner at 
3:00 a.m., it does not say we just received an alarm that your 
front door was broken into, but don't worry, we have called the 
locksmith. Rather, it is only obvious, immediately necessary 
and the reason people purchase alarm systems, that they call 
the police to stop the felon.
    It is surprising then and suggests a larger strategic 
problem that in the world of cyber, when the intrusion 
detection system goes off, the response has been to call the 
chief information security officer and perhaps even the CEO to 
explain what went wrong and to demand that they prevent it from 
happening again.
    In answer to the question of this hearing, technology can 
play a vital role in protecting Americans from international 
cybercrime, but to achieve that result, technology must be used 
in greater part to achieve threat deterrence. In that way, 
businesses and consumers will benefit from improved, sustained 
cybersecurity and will enjoy those benefits at lower costs.
    Thank you for the opportunity to testify today. I would be 
happy to answer any questions you may have.
    [The prepared statement of Mr. Chabinsky follows:]



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Broun. Thank you, Mr. Chabinsky.
    I want to thank the witnesses for your testimony, now 
reminding Members that Committee rules limit questioning to 
five minutes. The Chair will open the first round of questions. 
The Chair recognizes himself for five minutes.
    I ask this of all five of you. What is the fastest and the 
best way to get new innovations deployed to protect the safety, 
privacy, and security of consumers' financial data? Government 
mandates that pick technological winners and losers or allowing 
maximum competition for customers in the market by companies 
offering innovative security solutions and consumer protections 
against new, evolving, and changing threats that go way beyond 
the requirements of a static law?
    Start with Mr. Romine.
    Dr. Romine. Thank you, Mr. Chairman. I think it is clear 
that in order to maintain the kind of innovation that is needed 
on the defensive side for us to protect our assets and our 
networks, we have to be just as agile as the innovation that is 
taking place with our malefactors. And so, I think having 
additional regulation is probably not the answer from our 
perspective. We have a voluntary program associated, for 
example, as I talked to earlier in my testimony about the 
cybersecurity framework for critical infrastructures that NIST 
worked on, and that is a purely voluntary program in part 
because we believe that that enables the private sector to 
maintain an innovative approach to the kind of defenses that 
are needed.
    Chairman Broun. Very good. Mr. Russo?
    Mr. Russo. Thank you for the question. I think the PCI 
Security Standards Council is uniquely qualified to do exactly 
what you are looking for. We have a network of over 1,000 
merchants, banks, vendors, associations worldwide that submit 
feedback to us on a regular basis indicating what they are 
seeing in their region and then their particular verticals, and 
all of this is factored into creating the absolute best 
defenses that we can to protect this data. Right now, I think 
that the best defense against a breach is the PCI standards.
    Chairman Broun. Very good. Mr. Vanderhoof?
    Mr. Vanderhoof. Yes, thank you. There really needs to be 
multiple layers of security around payments data, so certainly 
we need to devalue the data that currently exists in this 
system, and there are alternative technologies using chip 
technology, as well as other techniques such as tokenization 
that are being developed to try to accomplish that goal.
    Also, we certainly need to continue to strengthen the 
networks that are using this data and the efforts that have 
been made by the PCI Council and by other cybersecurity best 
practices are going a long way towards doing that. And I think 
we need to also maintain and invoke strong enforcement of when 
data breaches do occur in terms of trying to track down the 
people responsible for that and preventing future breaches from 
happening.
    Chairman Broun. Mr. Brookman.
    Mr. Brookman. Yes. So I certainly don't think that 
legislatively prescribing technological solutions is a good 
idea. However, I think it would be a good idea to maybe 
strengthen the Federal Trade Commission's authority to go after 
bad data security practices. Right now, that authority is 
somewhat unclear, and even when they do bring those cases, they 
don't have the ability to get penalties for bad practices.
    So I think strengthening them, creating more incentives for 
companies and for banks and for merchants to deploy better 
technological solutions is probably the best approach.
    Chairman Broun. Mr. Chabinsky?
    Mr. Chabinsky. Thank you, Mr. Chairman.
    I think fundamentally we need a bit more research and 
development in the area of return on investment. It is very 
difficult for us to understand whether the value of security 
that is being proposed in the marketplace will have a 
commensurate benefit as to the cost. We have heard a lot within 
this hearing as well as prior ones about the costs of 
implementing certain solutions, in certain cases mounting into 
the billions of dollars. And it is very difficult for industry 
to understand whether or not that is a benefit that outweighs 
the cost that we are seeing. So I would suggest that this 
Committee is in a good position to explore government research 
that would spend more time looking at the metrics of success 
and the return on investment.
    Chairman Broun. Okay. Thank you, Mr. Chabinsky.
    Mr. Chabinsky. Thank you.
    Chairman Broun. I have a question for all of you. As a 
physician, I am very concerned particularly with the question 
about protection of privacy and security in the healthcare 
industry and the insurance industry. I have half a minute left. 
Does anybody want to take on what we can do to protect privacy 
in patient records and that sort of thing?
    Mr. Vanderhoof.
    Mr. Vanderhoof. Yes, thank you, Chairman.
    I think the problem we have with the imposed changes that 
are happening in the healthcare system around the use of 
electronic data for health records is that we have failed to be 
able to authenticate who are the actual individuals that have 
authorized access to that data and be able to positively 
identify the individual that owns that data so that when health 
information is being digitized and being used and shared across 
different professional entities, there needs to be a way to 
protect the access to that information and so that that 
information can't be then stolen and be used for other 
purposes. And having this ability to strengthen the health IT 
system in similar ways is really another way forward to making 
sure that consumer health information stays protected.
    Chairman Broun. Thank you, Mr. Vanderhoof.
    My time is expired, but I would like for all five of you to 
answer that question for the record in written form.
    And, as a physician, I am very concerned about a central 
repository of all health records. I think there should be a 
better way so that patients control their own electronic 
medical records and not the Federal Government and not an 
insurance agent or the insurance industry. And so I would 
appreciate any input from all of you.
    My time is expired. Mr. Maffei, you are recognized for five 
minutes.
    Mr. Maffei. Thank you, Mr. Chairman.
    I guess I will start with Dr. Romine. Where are these 
threats and incursions coming from generally? I mean where are 
the criminals, if you will, coming from?
    Dr. Romine. So I think there are a number of places, and I 
think Mr. Chabinsky is absolutely right. Some of them are 
intelligence services from other governments seeking our 
intellectual property for their competitive advantage. Some of 
them are organized crime, highly organized and capable, and 
those are international as well. So I think, Mr. Chabinsky is 
accurate on that score.
    Mr. Maffei. Mr. Russo, you and I talked about this a little 
bit. Do you have an idea of how many are external to the United 
States? Is there any way to trace that or figure that out?
    Mr. Russo. There probably isn't a good way to trace that. 
Obviously, some of the major breaches that we are seeing now 
are being perpetrated from outside the United States. As a 
matter of fact, I picked up a USA Today this morning and there 
was a big article about this malware coming from someplace 
outside of the United States as well.
    I would agree with Mr. Chabinsky. I think one of the areas 
that we would like to see a little more help in is bringing 
some of these people to justice, stiffer fines, and the ability 
to stop this thing. We are basically in an arms race when it 
comes to security, and while we are staying up with them and 
staying ahead in some cases, you need to be vigilant all the 
time. And unfortunately, many businesses are not vigilant 365, 
24/7, and hackers need to be vigilant one day.
    Mr. Maffei. Right. Exactly.
    Mr. Chabinsky, do you have any--I--are there any 
estimates about how many threats are from outside the United 
States? And also if you have a related comment.
    Mr. Chabinsky. I don't--I am not aware of any actual 
estimates but I think it is only natural that hackers being 
able to remotely gain access are less likely to hit 
domestically where they are. Right? So you would see that other 
nations are experiencing hacking that would include hacking 
from the United States and that we are more likely to then have 
hacking from abroad.
    Certainly, there is no doubt that a lot of the financial 
fraud that we are seeing tends to be led or have strong ties to 
Eastern Europe. But equally true, those groups even that have 
those ties to Eastern Europe are global in nature and we have 
seen groups that are operating in dozens of countries 
simultaneously, hitting hundreds of cities at once. We saw one 
ring that was able to hit ATMs throughout the world in a 24-
hour period and steal in excess of $9 million within 24 hours 
on the ground. This turned out to be a proof of concept. A 
group later did it, stealing $45 million. So it is certainly 
global.
    I would say in that regard that law enforcement is well 
aware of that and the FBI for its part has a legal attache 
program that they are using in no small part to help protect 
Americans against cyber threats. They have embedded agents not 
only within the embassies there but there are a number of 
nation-states that have invited our own law enforcement to sit 
side-by-side with them in their national Federal law 
enforcement agencies just to combat cyber. In that regard, the 
FBI has cyber agents sitting side-by-side with cyber agents of 
other countries in Estonia, Ukraine, the Netherlands, Romania, 
and Latvia. Those are very helpful models to build on this 
international aspect of cybercrime law enforcement.
    Mr. Maffei. So most of the time other countries are 
cooperative with our efforts and we are with theirs?
    Mr. Chabinsky. That is absolutely correct.
    Mr. Maffei. But are there some instances of state 
sponsorship that we know of, anybody on the panel?
    Mr. Chabinsky. There are. China and Russia are certainly 
the most heavily invested in state-sponsored espionage. The 
relationship between nation-state espionage and cybercrime is 
uncertain in most areas. There certainly is a lot of 
information indicating that there can be an unsteady alliance 
at times between nation-states and criminal enterprises either 
because at the lower level of law enforcement, not typically at 
the Federal level, there could be corruption of state and local 
law enforcement protection, and at the higher levels, there may 
be an uneasy alliance where criminals are actually helping the 
intelligence service for nation-state aims while on the side 
being able to get rich quick, if you will, on criminal 
activities for which the nation-state might look the other way.
    Mr. Maffei. Do we know where the data breach at Target 
originated?
    Mr. Chabinsky. I am not prepared today to discuss that 
matter.
    Mr. Maffei. Anybody else know or--Mr. Russo, do you have 
any idea? Okay.
    Well, I would submit to the Committee that this is an 
important--I appreciate the Chairman--the two Chairmen for 
holding this hearing but that this is also a severe national 
security concern. And the fact that we don't even know how many 
of these threats are coming from outside the United States I 
just think, you know, makes it important to have additional 
scrutiny. So I will also be bringing it up in my other 
Committee, which is the Armed Services Committee, although that 
may not be the right one either, maybe Homeland Security. I am 
not sure.
    But I really appreciate us drawing attention to it in 
this hearing.
    Thank you, Mr. Chairman.
    Chairman Broun. Thank you, Mr. Maffei.
    And I am on Homeland Security and we have looked into these 
issues and we will continue to do so.
    Dr. Bucshon, you are recognized for five minutes.
    Mr. Bucshon. Thank you, Mr. Chairman.
    On April 16 of last year, the House overwhelmingly passed 
two bipartisan Science Committee bills to assist the private 
sector and other domestic organizations to secure their 
information systems. Each bill got over 400 votes.
    The first is H.R. 756, the Cybersecurity Enhancement Act, 
which requires a government-wide IT security R&D plan, 
authorizes the National Science Foundation basic research on 
cybersecurity with scholarships and support for cybersecurity 
education, human resource development, and directs NIST to 
coordinate Federal activities on international cybersecurity 
technical standards development.
    The other bill is H.R. 967, the Networking and Information 
Technology R&D, or NITRD Act. It updates the NITRD program on 
cybersecurity and it focuses the NITRD program on R&D to 
detect, prevent, resist, respond to, and recover from actions 
that compromise or threaten to compromise the availability, 
integrity, or confidentiality of computer and network-based 
systems. Unfortunately, neither one of these bills has been 
taken up in the Senate and so right now they are kind of in 
limbo.
    The question I have is to the entire panel. Would these 
bills help protect Americans from international cyber 
criminals? And maybe we should suggest that the Senate pass the 
bills if that is the case.
    So I will start with Dr. Romine.
    Dr. Romine. Thank you. There are many provisions of these 
bills that are very constructive in addressing the very complex 
issue of cybersecurity, and NIST has had a very close working 
relationship in collaboration or discussions with the entire 
Committee and your Subcommittee and your staff and we look 
forward to continuing to engage on that.
    Mr. Russo. Thank you, Congressman. The Council does not 
endorse or comment on any specific legislation, but these bills 
certainly represent concepts that we support.
    Mr. Vanderhoof. Yes, and likewise, the Smart Card Alliance 
does not advocate on behalf of any specific legislation. 
However, in principle, we certainly do believe that more 
research can be done to help stimulate private industry in 
terms of looking for creative solutions to try to fight 
cybercrime.
    Mr. Brookman. My office does take positions on legislation. 
We have not taken positions on these two bills. I think there 
are some really good things in there that are incredibly 
important and would be productive. My only caveat would be I 
would want to ensure that additional funding and research was 
given to NIST to fulfill the requirements that they would do 
under those bills and not take away from existing resources.
    Mr. Chabinsky. Chairman Bucshon, I fully support the goals 
of both bills. I believe that in order to protect our economic 
and national security, including better protecting Americans 
from international cybercrime, the Federal Government must 
increase its investment in research and development, as well as 
in cyber workforce development.
    I would respectfully recommend only that this Committee 
keep an eye on how government-supported R&D resources are 
allocated, keeping in mind that the best long-term strategy for 
protecting Americans from criminals, whether they are near or 
far, is in my opinion not through enhanced defenses but rather 
through better detection of, attribution of, and penalties 
against the criminals themselves.
    These bills can promote the goals of enhancing cyber threat 
deterrence, and I am grateful for the attention of the 
Committee in advancing them.
    Mr. Bucshon. Thank you very much. I want to make one 
comment. I think on this whole issue that the American public 
is very acutely aware of the privacy issues related to 
cybersecurity but not as aware of--in my opinion when I talk to 
people--of what the threats and the risk to breaches in 
cybersecurity are because of the attention brought by the 
national media leaning more towards the privacy issue, which is 
an extremely important issue of course.
    But I think all of us could in some way be helpful by 
exposing more of what the risk actually is other than just 
losing your credit card data, which is very important of 
course, but a bigger issue is, for example, if half of America 
all of a sudden loses power suddenly or the entire country 
loses power or our GPS system shuts down, what the risk of that 
is.
    Mr. Romine and Mr. Russo, is the private sector capable of 
successfully developing and following security standards for 
itself or does it need government assistance or oversight?
    Dr. Romine. So in this case, the NIST position is clear 
that in the development of the cybersecurity framework we 
worked very closely and collaboratively with the private sector 
and we believe that those voluntary approaches are in fact 
going to be very effective.
    I would say government assistance, however, in the sense 
that NIST has been acting as a convener for those discussions, 
is very helpful.
    Mr. Bucshon. Mr. Russo, quickly, because my time is up.
    Mr. Russo. I would agree. The standards are adaptable. They 
are developed in collaboration with a huge amount of input 
globally, so I think we are uniquely qualified to handle 
specifically payment card data.
    Mr. Bucshon. Thank you very much. I yield back, Mr. 
Chairman.
    Chairman Broun. Thank you, Dr. Bucshon.
    My friend Dan Lipinski, you are recognized for five 
minutes.
    Mr. Lipinski. Thank you, Mr. Chairman. I want to thank 
Chairman Bucshon for talking about those two bills. You saved 
me a little bit of time. I want to especially mention the 
Cybersecurity Enhancement Act, which is the bill that I have 
done with Congressman McCaul. In past Congresses also, and as 
often happens, we are waiting for the Senate to act. Hopefully, 
they will move soon on that.
    So that moves me into my next question, which is for Mr. 
Brookman and Mr. Romine, but anyone else can jump in.
    Technology plays an important role in countering cyber 
threats, but we all know that there are important other factors 
that can contribute to cyber attacks also. Human factors often 
help facilitate successful cyber intrusions by individuals who 
mistakenly or incorrectly give up passwords or open up emails 
from strangers, for instance, or they make their password 
``password,'' as was mentioned earlier.
    From a cybersecurity and cyber policy perspective, how do 
we begin to address those elements to help counter cyber 
attacks? That is, what is the importance of social science 
research especially to look at the problems of cybersecurity 
that come from human factors, and what can be done to encourage 
people to practice better cyber hygiene?
    So let's start with Mr. Brookman.
    Mr. Brookman. Sure. So I am not a researcher but I know 
there is a lot of good social science research going on on 
these issues. I know Carnegie Mellon University, for example, 
Dr. Lorrie Cranor, also UC Berkeley has done some really good 
work with Chris Hoofnagle, Stanford, Alicia McDonald, did a lot 
of looking into these issues about what kind of nudges you can 
give to folks to do the right thing. I don't know how much 
their research has been implemented in the marketplace.
    From a policy perspective, I think the most important thing 
you can do is to put the incentives in place to make companies 
make the right decision that if they have a liability, they are 
the ones who have to push people to do harder passwords. I 
think it is very hard to prescribe that at a Federal level, but 
I think, you know, putting stronger incentives on companies 
to--in the event that they let people do passwords, then 
perhaps their liability I think is probably the best solution.
    Mr. Lipinski. All right. Dr. Romine?
    Dr. Romine. Thank you. I am pleased to be able to say that 
my laboratory has an active research program in the usability 
of security. We have staff of psychologists, human factors, 
engineers, computer scientists that are working on this 
problem.
    And I would like to make a couple of points. One is, of 
course, regulating behavior is often not going to be as 
effective as making strides in usability. The goal is to make 
it easy to do the right thing, make it hard to do the wrong 
thing, and make it easy to recover when the wrong thing happens 
anyway.
    And the other thing I would say is this idea that there is 
a tradeoff between usability and security is a false dichotomy. 
The fact is that you can actually achieve better security, more 
realized security if you improve the usability of the security 
and particularly the identity management that you are 
undertaking.
    Mr. Lipinski. Does anyone else want to comment on that at 
all?
    Let me move on then to the notification of these cyber 
breaches. There is currently no Federal data breach 
notification regulation. For many cyber tests, consumers are 
not notified for days or longer after a company realizes it has 
been successfully attacked. And Mr. Chabinsky had talked about 
what usually is the--what the response is. Can each of you give 
us very briefly your thoughts on requiring a national data 
breach notification requirement? Let's start with Mr. Chabinsky 
and go across.
    Mr. Chabinsky. I fully support the goals of a national data 
breach law. Right now, industry is subjected to I think at last 
count it is 46 different data breach statutes on the books 
across our land. That is making it very difficult not only for 
consumers to get any sort of consistent approach in data breach 
notification but for industry to actually have the confidence 
and ability to react in a quick way across so many different 
jurisdictions.
    Mr. Brookman. Yes. We are really ambivalent on the need for 
a Federal data breach notification. As you said, there are 46 
States, so it is by and large already required. Making it more 
seamless, easier to have a data breach notification is arguably 
somewhat counterproductive, right? If it is easier for you to 
comply, well, then there is less incentive for you to get 
security right in the first place. So we think in order to be 
effective, you have to pair it with something else, some sort 
of comprehensive privacy or security requirements to make that 
effective for consumers.
    Mr. Vanderhoof. Yes, I definitely support some uniform data 
breach notification guidelines for industry rather than having 
a state-by-state approach because it does provide industry with 
a better framework by which they can set up their procedures to 
be able to uniformly inform their customers when a breach 
occurs.
    I would only caution that notifying customers when a breach 
occurs and then notifying them what their risks are and what 
they are able to do to address those risks is still going to be 
up to the individual organization that has been breached, and 
therefore, there still needs to be control within the 
individual organization in terms of how they manage the 
relationship with their customers.
    Mr. Russo. Congressman, as I indicated, the Council does 
not speak on legislation, but generally, we support awareness 
of these types of issues.
    Mr. Lipinski. Thank you. Dr. Romine?
    Dr. Romine. And I would agree that a further discussion 
needs to take place on whether that is an advisable approach. 
From my perspective as a NIST representative, it is outside the 
technical scope of our activities.
    Mr. Lipinski. All right. Thank you very much. I yield back.
    Chairman Broun. Thank you, Dan.
    Mr. Kilmer, you are recognized for five minutes.
    Mr. Kilmer. Thank you, Mr. Chairman.
    I was going to start with Mr. Chabinsky. I am a member of 
the Armed Services Committee. In fact, I just came from there 
so apologies for being late. I know the military doesn't defend 
itself from cyber attacks by software alone. You know, they use 
a system of personnel training and physical security and IT to 
guard against would-be attackers. Does industry follow that 
approach, and if not, what percentage of risk would be--would 
investments in enhanced IT hardware and software cover?
    Mr. Chabinsky. Thank you for the question, Congressman 
Kilmer.
    Industry does absolutely follow the same approach. That 
approach is in fact developed by NIST and adopted under FISMA. 
Basically, you are talking about three different controls that 
are put into place under a risk framework. There are technical 
controls and much of what the focus of this Committee is on the 
technology, and then we have already heard about the 
administrative controls, about trying to work with our 
personnel to ensure effective enforcement of our policies, and 
then physical controls, making sure people don't actually have 
access to our servers.
    Those are exactly the same types of controls that are 
adopted in private sector standards that are international as 
well and that have been rolled out again in an actually quite 
elegant form in the cybersecurity framework.
    I would, of course, note that the military systems 
themselves have been breached on numerous occasions and have 
not been able to withstand the onslaught of intelligence 
services, nor have the private sector. So I think everybody is 
working in a situation in which they are doing the best that 
they can following similar standards, but again, we are talking 
about an area where risk is controlled but there remains an 
unfortunately large amount of residual risk in this area.
    Mr. Kilmer. I am going to touch on something that there has 
been some discussion around already. I was a few months back in 
a meeting with a number of folks in the IT space and we were 
talking about cybersecurity issues, and the conversation found 
its way to how companies implement protection, invest in new 
software, and adopt best practices on avoiding cyber attack. 
And one of the folks in the room said, you know, governments--
it is not the government's role to force compliance or force 
protection. And I asked the question, you know, can government 
in some way incent good cyber hygiene and incent compliance? Do 
you think government as it stands right now provides any 
incentive to industry to take steps it should to protect 
itself? And if so, how? And if not, what might that look like?
    Dr. Romine. So speaking again from the perspective of the 
development of the cybersecurity framework that was just 
released last month, there have been discussions in place with 
regard to DHS helping with the voluntary program and they have 
rolled out something that they call now C3, which is their 
approach to providing assistance in using the framework. But 
there has always been, in addition to that, discussions about 
incentives that could be provided from the government, and 
those discussions would be productive going forward as well.
    Mr. Kilmer. Anything specific? I mean, go ahead, Mr. 
Vanderhoof.
    Mr. Vanderhoof. Thank you, Mr. Kilmer. So you mentioned the 
Department of Defense, which still today is pretty much the 
gold standard in terms of protecting its networks and 
cybersecurity effects. And what they did was they invested in 
their identity credentials to make those authentication 
technologies as strong as they possibly can so that they know 
who is allowed to be within their network to help prevent those 
people that are not allowed to be in the network from getting 
in the network.
    And the government has adopted this common standard across 
the entire Federal enterprise using secure chip technology and 
have actually extended that technology standard that was set by 
NIST to the commercial entities that also do business with 
government.
    So what has proven to be very effective on the commercial 
side has been government leading by example of protecting 
itself first, extending that level of standard for protection 
for commercial entities doing business with the government, and 
then that in turn has stimulated investment in those 
technologies that are then translated into the commercial 
space as well.
    Mr. Brookman. I will say that for financial data I think 
the law does provide some pretty strong incentives. Data breach 
notification is incredibly painful and expensive. The PCI rules 
I think put pretty strong incentives there. For other 
categories of consumer data, though, I think they are actually 
very poor, including a lot of health data, right? To the extent 
health data is not governed by HIPAA and HITECH, to the extent 
you give information to an app or to some online service, there 
are very little protections at all security-wise.
    The Federal Trade Commission has tried to be aggressive 
with its consumer protection authority, but even when they win, 
they can't get any money. They just say, okay, promise to use 
better security in the future. So I think there should be 
stronger protections for other categories of consumer data.
    Mr. Chabinsky. On the incentive side, Department of 
Homeland Security is doing good work right now with the 
insurance industry to determine whether or not corporations 
will be able to find a better market in insurance to be able to 
transfer risk, and the insurance industry as a result is trying 
to think of ways that improved security will result in a market 
that will be both cost-effective and beneficial. So I think 
that that is one area that the government is working right now 
on the incentives side.
    Of course in a national data breach notification law, 
should one exist, there is the potential to have certain safe 
harbors if certain encryption methodologies were in place or 
otherwise. So, I think that there are a number of incentives.
    Again, my only caution is using any comparison between the 
private sector and the government with respect to data security 
and network security to have a more realistic discussion about 
the number of breaches that actually are actively being 
incurred against government systems with a lot of resources 
being put against them and mandates no less, not voluntary, and 
yet there still obviously are a lot of issues there.
    Thank you.
    Mr. Kilmer. Thank you. Thank you, Mr. Chairman.
    Chairman Broun. The gentleman's time is expired.
    I want to thank the witnesses for you all's valuable 
testimony. I am southern. Y'all is plural for you all. But I 
want to thank you all for you all's valuable testimony, and I 
really want to thank you for your flexibility and for your 
patience. I know you have been just kind of jerked around a 
little bit by the weather and changing schedules and vote 
series and you all have been extremely patient and extremely 
flexible with us. It has been a great hearing I think. All the 
Members, I am sure, have garnered a tremendous amount of 
information from you all and we appreciate you all considering 
getting back to us.
    I want to remind Members that you all have a short period 
of time to get questions to them. In fact, in two weeks, we 
will submit questions for you all to answer. We call them 
questions for the record and they will be put in the record, 
and we appreciate your help on that.
    So I do remind Members that if you have any additional 
comments or any additional questions to please get them in 
expeditiously.
    Thank you all. You all are excused. This hearing is now 
adjourned.
    [Whereupon, at 11:57 a.m., the Subcommittees were 
adjourned.]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]