<html>
<title>DATA SECURITY: EXAMINING EFFORTS TO PROTECT AMERICANS' FINANCIAL INFORMATION</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


                  DATA SECURITY: EXAMINING EFFORTS TO
                PROTECT AMERICANS' FINANCIAL INFORMATION

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 5, 2014

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 113-68


                                 ______

                   U.S. GOVERNMENT PRINTING OFFICE 
88-530                     WASHINGTON : 2014
____________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.


                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

GARY G. MILLER, California, Vice     MAXINE WATERS, California, Ranking 
    Chairman                             Member
SPENCER BACHUS, Alabama, Chairman    CAROLYN B. MALONEY, New York
    Emeritus                         NYDIA M. VELAZQUEZ, New York
PETER T. KING, New York              BRAD SHERMAN, California
EDWARD R. ROYCE, California          GREGORY W. MEEKS, New York
FRANK D. LUCAS, Oklahoma             MICHAEL E. CAPUANO, Massachusetts
SHELLEY MOORE CAPITO, West Virginia  RUBEN HINOJOSA, Texas
SCOTT GARRETT, New Jersey            WM. LACY CLAY, Missouri
RANDY NEUGEBAUER, Texas              CAROLYN McCARTHY, New York
PATRICK T. McHENRY, North Carolina   STEPHEN F. LYNCH, Massachusetts
JOHN CAMPBELL, California            DAVID SCOTT, Georgia
MICHELE BACHMANN, Minnesota          AL GREEN, Texas
KEVIN McCARTHY, California           EMANUEL CLEAVER, Missouri
STEVAN PEARCE, New Mexico            GWEN MOORE, Wisconsin
BILL POSEY, Florida                  KEITH ELLISON, Minnesota
MICHAEL G. FITZPATRICK,              ED PERLMUTTER, Colorado
    Pennsylvania                     JAMES A. HIMES, Connecticut
LYNN A. WESTMORELAND, Georgia        GARY C. PETERS, Michigan
BLAINE LUETKEMEYER, Missouri         JOHN C. CARNEY, Jr., Delaware
BILL HUIZENGA, Michigan              TERRI A. SEWELL, Alabama
SEAN P. DUFFY, Wisconsin             BILL FOSTER, Illinois
ROBERT HURT, Virginia                DANIEL T. KILDEE, Michigan
MICHAEL G. GRIMM, New York           PATRICK MURPHY, Florida
STEVE STIVERS, Ohio                  JOHN K. DELANEY, Maryland
STEPHEN LEE FINCHER, Tennessee       KYRSTEN SINEMA, Arizona
MARLIN A. STUTZMAN, Indiana          JOYCE BEATTY, Ohio
MICK MULVANEY, South Carolina        DENNY HECK, Washington
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
TOM COTTON, Arkansas
KEITH J. ROTHFUS, Pennsylvania

                     Shannon McGahn, Staff Director
                    James H. Clinger, Chief Counsel
       Subcommittee on Financial Institutions and Consumer Credit

             SHELLEY MOORE CAPITO, West Virginia, Chairman

SEAN P. DUFFY, Wisconsin, Vice       GREGORY W. MEEKS, New York, 
    Chairman                             Ranking Member
SPENCER BACHUS, Alabama              CAROLYN B. MALONEY, New York
GARY G. MILLER, California           RUBEN HINOJOSA, Texas
PATRICK T. McHENRY, North Carolina   CAROLYN McCARTHY, New York
JOHN CAMPBELL, California            DAVID SCOTT, Georgia
KEVIN McCARTHY, California           AL GREEN, Texas
STEVAN PEARCE, New Mexico            KEITH ELLISON, Minnesota
BILL POSEY, Florida                  NYDIA M. VELAZQUEZ, New York
MICHAEL G. FITZPATRICK,              STEPHEN F. LYNCH, Massachusetts
    Pennsylvania                     MICHAEL E. CAPUANO, Massachusetts
LYNN A. WESTMORELAND, Georgia        PATRICK MURPHY, Florida
BLAINE LUETKEMEYER, Missouri         JOHN K. DELANEY, Maryland
MARLIN A. STUTZMAN, Indiana          DENNY HECK, Washington
ROBERT PITTENGER, North Carolina
ANDY BARR, Kentucky
TOM COTTON, Arkansas


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    March 5, 2014................................................     1
Appendix:
    March 5, 2014................................................    51

                               WITNESSES
                        Wednesday, March 5, 2014

Fortney, David, Senior Vice President, Product Management and 
  Development, The Clearing House Payments Company...............    38
Garcia, Gregory T., Advisor, Financial Services Information 
  Sharing and Analysis Center (FS-ISAC)..........................    36
Leach, Troy, Chief Technology Officer, Payment Card Industry 
  (PCI) Security Standards Council (SSC).........................    34
Mierzwinski, Edmund, Consumer Program Director, U.S. PIRG........    39
Noonan, William, Deputy Special Agent in Charge, Criminal 
  Investigative Division, Cyber Operations Branch, United States 
  Secret Service.................................................     7
Zelvin, Larry, Director, National Cybersecurity and 
  Communications Integration Center (NCCIC), U.S. Department of 
  Homeland Security..............................................     9

                                APPENDIX

Prepared statements:
    Waters, Hon. Maxine..........................................    52
    Fortney, David...............................................    54
    Garcia, Gregory T............................................    57
    Leach, Troy..................................................    67
    Mierzwinski, Edmund..........................................    73
    Noonan, William..............................................    84
    Zelvin, Larry................................................    95

              Additional Material Submitted for the Record

Capito, Hon. Shelley Moore:
    Written statement of the American Bankers Association (ABA)..   101
    Written statement of the Credit Union National Association 
      (CUNA).....................................................   111
    Written statement of the Independent Community Bankers of 
      America (ICBA).............................................   116
    Written statement of the National Association of Federal 
      Credit Unions (NAFCU)......................................   118
    Written statement of the National Retail Federation (NRF)....   122
Heck, Hon. Denny:
    Letter to Financial Services Committee Chairman Jeb 
      Hensarling requesting a data security hearing, dated 
      January 10, 2014...........................................   136
Sinema, Hon. Kyrsten:
    Written responses to questions submitted to Larry Zelvin.....   138


                    DATA SECURITY: EXAMINING EFFORTS 
                         TO PROTECT AMERICANS' 
                         FINANCIAL INFORMATION

                              ----------                              


                        Wednesday, March 5, 2014

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:03 a.m., in 
room 2128, Rayburn House Office Building, Hon. Shelley Moore 
Capito [chairwoman of the subcommittee] presiding.
    Members present: Representatives Capito, Bachus, McHenry, 
Pearce, Posey, Fitzpatrick, Luetkemeyer, Stutzman, Pittenger, 
Barr, Cotton, Rothfus; Meeks, Maloney, Scott, Green, Lynch, 
Delaney, and Heck.
    Ex officio present: Representatives Hensarling and Waters.
    Also present: Representatives Royce and Sinema.
    Chairwoman Capito. The subcommittee will come to order. 
Without objection, the Chair is authorized to declare a recess 
of the subcommittee at any time.
    I now recognize myself for the purpose of making an opening 
statement.
    Over the last 6 months, we have learned about a series of 
breaches of American businesses' data--millions and millions 
have had their personal data compromised. 
We will not know the 
true extent of the impact on American consumers until 
investigators from Federal agencies and private entities are 
done with the investigation.
    These breaches raise, I believe, really legitimate 
questions about the storage and usage of personal data by 
private industry. The prosperous have long sought access to 
this type of information, but the recent breaches demonstrated 
an evolving sophistication of attacks that seek to exploit and 
confuse consumers.
    As we have learned in previous subcommittee hearings, these 
criminals often reside in nations that fail to cooperate with 
United States law enforcement agencies. In some cases, these 
nations not only protect these criminals from prosecution but 
they celebrate them as heroes.
    The data these criminals steal is often sold on the black 
market and can potentially be used for fraudulent purposes. 
While possibilities for such fraudulent charges may be the 
source of stress and frustration for consumers, many payment 
networks have zero fraud policies to protect consumers from 
fraudulent transactions.
    Today, we will learn more about why these breaches are 
occurring, existing payment security standards, what happens 
during and after a breach, and new payment technologies 
authorized to help prevent future breaches.
    One area that is of critical importance is information-
sharing, both during and after a breach.
    We have representatives from the National Cybersecurity and 
Communications Integration Center (NCCIC) and the Financial 
Services Information Sharing and Analysis Center (FS-ISAC) who 
will testify about the existing information-sharing efforts 
between the private sector and government agencies. On February 
13th, members of the retail financial services communities 
publicly announced their efforts at information-sharing amongst 
all parties that are a part of the payment system. 
I applaud 
this effort instructing all parties to strive for a more 
efficient, thorough, and effective information-sharing system 
to prevent data breaches in the future.
    The final area that this hearing will cover is future 
payment systems that may provide consumers with a more secure 
method of transmitting their financial data. I have great 
interest in the progression and diversification of our payment 
system. In the past, we learned about developments in mobile 
payments. Today, we will learn about a cloud-based tokenization 
proposal which will transfer payments without the need to store 
significant amounts of consumer financial data.
    If sensitive payment data is not being stored 
unnecessarily, the payment systems could be much less 
attractive to future hackers. The high degree of innovation in 
the payment space is exciting for consumers, but we also need 
to ensure that the new payment systems that are developed 
increase the level of security and reduce the threat of future 
breaches.
    I would like to thank our witnesses for joining us this 
morning. Each of you plays a critical role in helping to 
prevent future data breaches.
    I now yield time to the ranking member of the subcommittee, 
Mr. Meeks, for an opening statement.
    Mr. Meeks. Thank you, Madam Chairwoman.
    In recent months, a number of banking and U.S. retailers 
including Target, Neiman Marcus, and Nike have announced data 
breaches which stole the payment card account and sensitive 
personal information of millions of Americans. 
Although 
forensic investigations of recent breaches are still ongoing, 
news reports and announcements by the retailers themselves 
indicate that these breaches may be the largest breaches ever 
in the history of our country as of today.
    On December 19, 2013, Target announced that 40 million 
credit and debit accounts had been compromised through its in-
store credit card magnetic strips, allowing hackers to access 
customer names, credit and debit card numbers, and security 
codes. Less than a month later, on January 10, 2014, Target 
announced that the breach was significantly larger and that the 
personal information of 70 million customers was also stolen.
    Americans need to have the security that when they shop at 
a retail store, or when they use their credit or their debit 
cards, their account and personal information will be 
protected. We must make sure that happens.
    It is further troubling that we see the line fall behind 
Europe and Canada in terms of technology and security 
standards. Some reports even indicate that we are behind 
certain countries in Latin America and Africa, who are using 
the latest mobile technology for processing payments, as a 
result of the fact that they started late in adopting such 
technology, and therefore immediately adopted the latest 
innovations.
    We have to improve our technology to make sure that we are 
more up-to-date. We need to take our security more seriously in 
this country. The security breaches at Target were only 
reminders of existing national security issues, and there are, 
indeed, a lot of issues which we will seek to clarify in our 
hearing. How is it that this could happen in the world's most 
advanced economy and financial market in the world?
    What have we learned, and how do we prevent these serious 
incidents from ever happening again? 
And what technologies and 
standards need to be adopted instead so that we can protect 
Americans and the Nation?
    I want to thank all of the witnesses who are here, and I 
look forward to your participation and to listening to your 
testimony.
    Chairwoman Capito. Thank you.
    I now recognize Mr. Fitzpatrick for 2 minutes for an 
opening statement.
    Mr. Fitzpatrick. Thank you, Madam Chairwoman, for calling 
this hearing, and I also thank the witnesses for their time 
today.
    I spend a considerable amount of time at home--as do my 
colleagues--visiting my district, visiting with businesses and 
financial institutions, and also talking to their customers. Most 
if not all of these groups, when asked, would identify 
cybersecurity, identity theft, and national safety as a 
concern.
    My staff and I spent some time looking into this and 
quickly learned that hackers and thieves are by and large not 
only attacking financial institutions directly and literally 
downloading customers' bank accounts to either deceive people 
into giving up their security information or they are stealing 
outright from some other source. Those sources are many times 
unsuspecting businesses or financial institutions that are 
storing or transferring personal information in ways that are 
quite vulnerable to attack.
    That is not to say that the burden of data security lies 
disproportionately with any one group, but I think these facts 
speak to the importance of working in a collaborative manner on 
developing a system that protects personal financial data 
through the process--from the individual, to the business, to 
the processor, and then to the bank or credit union.
    There is a level of trust necessary for an economy to 
function in this new virtual era, where cash is becoming a 
preferred payment method for fewer and fewer people. 
I look 
forward to the testimony and hearing what these experts can 
share with us about how we can protect people from theft and 
maintain and possibly restore trust in our cybersecurity 
system.
    And I thank the Chair.
    Chairwoman Capito. Thank you.
    I now recognize Mrs. Maloney for 2 minutes for an opening 
statement.
    Mrs. Maloney. I want to thank you, Madam Chairlady, and 
Ranking Member Meeks, for holding this incredibly important 
hearing. I would say that most Americans have had their 
identity stolen, including myself, and it is very costly to law 
enforcement, and certainly to our stakeholders, our financial 
institutions, and individuals.
    And I am particularly interested in the second panel, the 
industry itself, and what they have to say on new technologies. 
Why can't we just protect the number and have transactions take 
place?
    This is something really, really important: When the data 
breach occurs, the party who is most exposed when you look at 
it is the consumer. It is typically the retailer that is in the 
best position to know about the breach, although it is often 
the bank who discovers the breach before the retailer because 
the bank notices a spike in fraudulent transactions and then 
traces it back to the retailer that was breached.
    In my opinion, this makes it all much more reasonable to 
make the banks and financial institutions liable for all the 
fraudulent transactions that occur after the breach. This would 
give the banks and financial institutions an incentive to 
invest publicly in fraud-detecting technologies, which are 
remarkably effective at identifying fraudulent activities on 
your credit or debit card.
    If retailers were liable for all fraudulent costs after a 
breach, then there would be probably like a legal Fort Knox. 
And if payment networks were liable, there would be more robust 
security systems, as well. 
The point is that sometimes 
assigning blame, and in this case, assigning liability, is, in 
fact, important, because it incentivizes different parties to 
invest or not invest in fraud-reducing technology to protect 
consumers and our overall economy and it makes it more 
difficult for criminals.
    So I really look forward to this hearing. I think it is 
incredibly important and I look forward to hearing of new 
innovations to protect identity and therefore, hopefully, our 
banking system.
    Thank you very much. I yield back.
    Chairwoman Capito. Thank you.
    I recognize Mr. Pittenger for 2 minutes for an opening 
statement.
    Mr. Pittenger. Thank you, Chairwoman Capito, for allowing 
me to properly make this opening statement.
    And thank you to each of the witnesses for coming today to 
testify.
    We are here today to listen to experts from Homeland 
Security and the Secret Service and representatives of industry 
to learn about the ongoing effort to protect our fellow 
citizens' private information. We have seen over the past 
several years advancements in technology when Americans shop to 
pay for goods.
    But with these new advancements certainly comes the 
responsibility of protecting the integrity of the system. 
As 
payment systems increasingly rely on electronic transmissions 
of personal financial data, Americans have a right and an 
expectation to know how that data is being protected, where it 
is stored, the extent to which the government has access to it, 
and the protocols that ought to be in place in private or 
public sector entities who mishandle, improperly disclose, or 
otherwise fail to ensure the security of personal financial 
information.
    Over the last 6 months, several American companies and 
universities have experienced significant data breaches--my 
wife and I had a breach just yesterday--and while the details 
of these breaches remain under investigation by Federal and 
State law enforcement authorities, these episodes have 
disclosed a serious threat to financial privacy and data 
security posed by individuals and criminal syndicates.
    We have to remain vigilant in our fight against these 
individuals and organizations. I know it is a difficult task to 
ask to be prepared to prevent 100 percent of the cyber attacks. 
But the consequences of not being equipped to handle the threat 
could ruin the lives and threaten the security of millions of 
Americans.
    Thank you again for coming before the committee, and I look 
forward to hearing your testimony.
    Chairwoman Capito. Thank you.
    I would like to recognize Mr. Scott for 2 minutes for an 
opening statement.
    Mr. Scott. Thank you very much, Madam Chairwoman. And this 
is indeed a very, very interesting and important hearing as 
more and more Americans shift to electronic payment systems and 
online shopping.
    One of my professors at graduate school in economics and 
finance was an economist, John Kenneth Galbraith, and he 
produced a book about 40 years ago called, ``The New Industrial 
State.'' I bring that up because he made a very interesting 
statement. 
He said, ``Very shortly we in our country, and 
perhaps around the world, will soon become the victims and 
servants of the very machine that was created to serve us.''
    I think we are at that point now. As payment systems 
increasingly rely on electronic transmission of personal 
financial data, Americans certainly have a right and an 
expectation to know how that data is protected. They need to 
know where it is stored, who has access to that data, and to 
what extent.
    Americans have a right and an expectation to know the 
protocols that are and ought to be in place when entities, 
whether public or private, mishandle or improperly disclose or 
otherwise fail to ensure the security of their personal 
information.
    We have the big picture here. We have to hold everybody 
accountable. Financial institutions must be held accountable to 
the same accountability as our retailers.
    We have had over 110 million Americans impacted by this 
situation. Earlier, I had a very interesting conversation with 
one of our panelists, Mr. Troy Leach, and I think he is on to 
something here with the Security Standards Council. Perhaps we 
are indeed working on this, giving too much information, making 
too much information available, and that maybe we can cut down 
on some of that information so we don't make it so easy for 
hackers to access it.
    I look forward to the hearing, Madam Chairwoman, and I 
yield back.
    Chairwoman Capito. Thank you.
    I now recognize the chairman emeritus of the full Financial 
Services Committee, Mr. Bachus, for 2 minutes for an opening 
statement.
    Mr. Bachus. 
Thank you, Madam Chairwoman.
    One of Yogi Berra's most famous quotes is, ``It is deja vu 
all over again.'' A little more than a decade ago, this 
committee investigated a series of data breaches involving New 
York City restaurants, cable companies, retail businesses of 
all kinds, banks, universities, and all branches of government 
from local to State to Federal. People's credit was being 
ruined, and their good names being used for criminal purposes. 
But identity theft suddenly became a national issue.
    I remember this because I was chairman of the Financial 
Institutions Subcommittee at the time. I am proud of this 
committee because at the time, we held numerous hearings like 
the one today, that resulted in the Fair and Accurate Credit 
Transactions (FACT) Act or (FACTA), which was bipartisan 
legislation passed almost unanimously by this committee and 
signed into law by President Bush in December 2003.
    The legislation created a number of protections, which I am 
convinced have helped prevent numerous cases of identity theft 
over the last 10 years. That is why your full credit card 
number is no longer on store or restaurant receipts, and you 
can place fraud alerts on your credit report. Very 
significantly, it is why consumers are entitled to be provided 
with free copies of their credit report from the three major 
reporting bureaus.
    But I am having deja vu again because the same arguments 
that were being used then are being used again today against 
the adoption of marked chip and PIN cards. It won't be a total 
solution, and it wouldn't have prevented the Target breach, but 
it would prevent that information from then being used in 
credit transactions.
    It wouldn't be a total solution. It wouldn't be easy. It 
would be complicated. It would be expensive. All of that is 
true. It was then, and it is now. But still, something needs to 
be done.
    Let me close by saying, Mr. Noonan, you mentioned the 
National Computer Forensic Institute, and I want to compliment 
the Secret Service. They joined with the Alabama district 
attorney's office in the State of Alabama, Shelby County, and 
responded with that, and it has really helped, and I want to 
commend the Secret Service for that.
    That building that it is housed in was donated by a county 
and a city in Birmingham--a modern facility at no cost to the 
taxpayers. And it is a way that we can inexpensively respond 
with innovative thinking. The people being trained there--it is 
in his testimony on page 8, and I commend you for mentioning 
that.
    Thank you.
    Chairwoman Capito. Thank you.
    With that, I ask unanimous consent to allow members of the 
full Financial Services Committee who are not members of this 
subcommittee to sit in on today's hearing. Without objection, 
it is so ordered.
    And with that, I would like to recognize Ms. Sinema for 1 
minute for an opening statement.
    Ms. Sinema. Thank you, Madam Chairwoman.
    And thank you, Ranking Member Meeks.
    I believe that it is critical for public and private sector 
leaders to continue to push for the development of a strong 
cybersecurity industry that can protect our economic and 
national security interests. The nature of cyber means that 
nongovernment institutions and private sector companies alike 
need tools and resources to protect Americans' personal 
information from cyber attacks.
    Several large companies such as Honeywell, Schwab, and 
America's Best have some or all of their security space in 
Arizona; and several smaller innovative companies like Bishop 
Fox and Securosis are among the significant and growing number 
of cybersecurity businesses in my home State.
    Arizona is a hub for innovation. 
We are ahead of the curve 
on tech growth, thanks to entrepreneurial programs at Arizona 
State University, the University of Advancing Technology, and 
America's community colleges.
    Thank you for the opportunity to highlight this critically 
important issue. Through your collaboration with government and 
innovative private institutions, I believe we can meet the 
cybersecurity challenges of today and tomorrow.
    Thank you, Madam Chairwoman.
    Chairwoman Capito. Thank you.
    Mr. Green, for 2 minutes.
    Mr. Green. Thank you, Madam Chairwoman. I will be pithy and 
concise. I would like to thank you for the hearing, and thank 
the ranking member, as well.
    And I would like to, if I may, indicate to the public that 
while a hearing is titled, ``Data Security: Examining Efforts 
to Protect Americans' Financial Information,'' the actual 
concern is much broader and much bigger. We are also concerned 
about medical information. We are also concerned about your 
travel history. We are concerned about the materials that you 
purchase--your reading materials.
    This has implications that are far-reaching, that can have 
an impact on privacy beyond which we can't imagine currently. I 
am excited about the hearing and I am interested to find out 
how we can prevent this kind of encroachment on privacy.
    I thank you, and I yield back.
    Chairwoman Capito. The gentleman yields back.
    All time has expired for opening statements, and I would 
like to welcome our first panel of distinguished witnesses. 
Each of you will be recognized for 5 minutes to give an oral 
presentation of your testimony. And without objection, each of 
your written statements will be made a part of the record.
    Our first witness is Mr. William Noonan, Deputy Special 
Agent in Charge, Criminal Investigative Division, Cyber 
Operations Branch, United States Secret Service.
    Welcome, Mr. Noonan.

 STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE, 
   CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, 
                  UNITED STATES SECRET SERVICE

    Mr. Noonan. Good morning, Chairwoman Capito, Ranking Member 
Meeks, and distinguished members of the subcommittee. Thank you 
for the opportunity to testify on behalf of the Department of 
Homeland Security regarding the ongoing trend of criminals 
exploiting cyberspace to obtain sensitive financial and 
identity information as part of a complex criminal scheme to 
defraud our Nation's payment systems.
    Our modern financial system depends heavily on information 
technology for convenience and efficiency. Accordingly, 
criminals motivated by greed have adapted their methods and are 
increasingly using cyberspace to exploit our Nation's financial 
payment systems to engage in fraud and other illicit 
activities.
    The widely reported payment card data breaches of Target, 
Neiman Marcus, White Lodging, and other retailers are just 
recent examples of this trend. The Secret Service is 
investigating these recent data breaches and we are confident 
we will bring the criminals responsible to justice.
    However, data breaches like these recent events are part of 
a long trend. In 1984, Congress recognized the risk posed by 
increasing use of information technology and established 18 USC 
Sections 1029 and 1030 through the Comprehensive Crime Control 
Act. 
These statutes define access device fraud and misuse of 
computers as Federal crimes and explicitly assign the Secret 
Service authority to investigate these crimes.
    In support of the Department of Homeland Security's mission 
to safeguard cyberspace, the Secret Service has developed a 
unique record of success in investigating cyber crime through 
the efforts of our highly trained special agents and the work 
of our growing network of 35 electronic crimes task forces, 
which Congress assigned the mission of preventing, detecting, 
and investigating various forms of electronic crimes, including 
potential terrorist attacks against critical infrastructure and 
financial payment systems.
    As a result of our cyber crime investigations, over the 
past 4 years the Secret Service has arrested nearly 5,000 cyber 
criminals. In total, these criminals were responsible for over 
$1 billion in fraud losses, and we estimate our investigations 
prevented over $11 billion in fraud losses.
    Data breaches like the recently reported occurrences are 
just one part of a complex criminal scheme executed by 
organized cyber crime. 
These criminal groups are using 
increasingly sophisticated technology to conduct a criminal 
conspiracy consisting of five parts: one, gaining unauthorized 
access to computer systems carrying valuable, protected 
information; two, deploying specialized malware to capture and 
exfiltrate this data; three, distributing or selling this 
sensitive data to their criminal associates; four, engaging in 
sophisticated and distributed frauds using the sensitive 
information obtained; and five, laundering the proceeds of 
their illicit activity.
    All five of these activities are criminal violations in and 
of themselves, and when conducted by sophisticated, 
transnational networks of cyber criminals, this scheme has 
yielded hundreds of millions of dollars in illicit proceeds.
    The Secret Service is committed to protecting our Nation 
from this threat. We disrupt every step of their five-part 
criminal scheme through proactive criminal investigations and 
defeat these transnational cyber criminals through coordinated 
arrests and seizure of assets.
    Foundational to these efforts are our private industry 
partners as well as our close partnerships with State, local, 
Federal, and international law enforcement. 
As a result of \nthese partnerships, we were able to prevent many cyber crimes, \nby sharing criminal intelligence regarding the plans of cyber \ncriminals and by working with the victim companies and \nfinancial institutions to minimize financial losses.\n    Through our Department\'s National Cybersecurity and \nCommunications Integration Center, the NCCIC, the Secret \nService also quickly shares technical cybersecurity information \nwhile protecting civil rights and civil liberties in order to \nenable other organizations to reduce their cyber risks by \nmitigating technical vulnerabilities.\n    We also partner with the private sector and academia to \nresearch cyber threats and public information on cyber crime \ntrends through reports like the Carnegie Mellon CERT Insider \nThreat Study, the Verizon Data Breach Investigations Report, \nand the Trustwave Global Security Report.\n    The Secret Service has a long history of protecting our \nNation\'s financial systems from threats. In 1865, the threat we \nwere founded to address was that of counterfeit currency. As \nour financial payment system has evolved from paper, to \nplastic, and now digital information, so too has the \ninvestigative mission.\n    The Secret Service is committed to continuing to protect \nour Nation\'s financial system even as criminals increasingly \nexploit it through cyberspace. Through the dedicated efforts of \nour special agents, our electronic crimes task forces, and by \nworking in close partnership with the Department of Justice--in \nparticular, the computer crimes and intellectual property \nsection--and local U.S. 
attorneys\' offices, the Secret Service \nwill continue to bring cyber criminals who perpetrate major \ndata breaches to justice.\n    Thank you for the opportunity to testify on this important \ntopic, and we look forward to your questions.\n    [The prepared statement of Deputy Special Agent in Charge \nNoonan can be found on page 84 of the appendix.]\n    Chairwoman Capito. Thank you.\n    Mr. Zelvin, you are recognized for 5 minutes.\n\nSTATEMENT OF LARRY ZELVIN, DIRECTOR, NATIONAL CYBERSECURITY AND \n COMMUNICATIONS INTEGRATION CENTER (NCCIC), U.S. DEPARTMENT OF \n                       HOMELAND SECURITY\n\n    Mr. Zelvin. Chairwoman Capito, Ranking Member Meeks, and \ndistinguished members of the subcommittee, thank you for the \nopportunity to appear before you today. In my brief opening \ncomments, I would like to highlight the DHS National \nCybersecurity and Communications Integration Center (NCCIC\'s) \nrole in preventing, responding to, and mitigating cyber \nincidents, and then discuss our activities during the recent \npoint-of-sale compromises.\n    As you well know, the Nation\'s economic vitality and \nnational security depend on a secure cyberspace where \nreasonable risk decisions can be made on digital goods, \ntransactions, and online interactions so that they can occur \nsafely and reliably.\n    In order to meet this objective, we must share the \ntechnical characteristics of malicious cyber activity in a \ntimely fashion so cyber defenders can discover, address, and \nmitigate information technology threats and vulnerabilities. 
It \nis increasingly clear that no single country, agency, company, \nor individual can effectively respond to the ever-rising \nthreats of malicious cyber activity alone.\n    Effective responses require a whole-of-nation effort, \nincluding close coordination among entities like: DHS\'s NCCIC; \nthe Secret Service; the Department of Justice, to include the \nFederal Bureau of Investigation; the intelligence community; \nsector-specific agencies, such as the Department of the \nTreasury; private sector entities, who are simply critical to \nthese efforts; and State, local, tribal, territorial, and \ninternational governments. In carrying out our particular \nresponsibilities, the NCCIC promotes and implements a unified \napproach to cybersecurity, which enables the efforts of \nbringing these diverse partners to quickly share cybersecurity \ninformation in a manner that ensures the protection of \nindividuals\' privacy, civil rights, and civil liberties.\n    As you may already know, the NCCIC is a civilian \norganization that provides an around-the-clock center where key \ngovernment, private sector, and international partners can work \ntogether in both physical and virtual environments. The NCCIC \nis composed of four branches: the United States Computer \nEmergency Readiness Team, or US-CERT; the Industrial Control \nSystems CERT; the National Coordination Center for \nCommunications; and Ops and Integration.\n    In response to the recent retailer compromises, the NCCIC \nspecifically leveraged the resources and capabilities of US-\nCERT, whose mission focuses specifically on computer network \ndefense, including prevention, protection, mitigation, and \nresponse activities. 
In executing this mission, the NCCIC and \nUS-CERT regularly publish technical and nontechnical \ninformation products analyzing the characteristics of malicious \ncyber activities and improving the ability of organizations and \nindividuals to reduce risk.\n    When appropriate, all NCCIC components have onsite response \nteams that can assist owners and operators at their facilities. \nIn addition, US-CERT has global partnerships with over 200 \nCERTs worldwide that allow the teams to work directly with \nanalysts across international borders.\n    Increasingly, data from the NCCIC and US-CERT can be shared \nin machine-readable formats, such as the Structured Threat \nInformation Expression, also known as STIX, which is currently \nbeing implemented and utilized.\n    In the recent point-of-sale compromises NCCIC/US-CERT \nanalyzed the malware provided to us by the Secret Service as \nwell as other relevant technical data and used these findings, \nin part, to create a number of information-sharing products. \nThe first, which is publicly available and can be found on the \nUS-CERT Web site, provides a nontechnical overview of risks to \npoint-of-sale systems along with recommendations on how \nbusinesses and individuals can better protect themselves and \nmitigate their losses in the event of an incident that has \nalready occurred. Other products have been more limited in \ndistribution and they are meant for cybersecurity professionals \nand provide technical analysis and mitigation recommendations \nto better enable expert-level protection, discovery, response, \nand recovery efforts.\n    As a matter of strategic intent, the NCCIC\'s goal is always \nto share information as broadly as possible. 
These efforts \nensured that actionable details associated with major cyber \nevents are shared with the right partners so they can protect \nthemselves, their families, their businesses and organizations \nquickly and accurately.\n    In the case of the point-of-sale compromises, we especially \nbenefited from the close coordination with the Financial \nServices Information Sharing and Analysis Center, or the FS-\nISAC. In particular, the FS-ISAC\'s Payments Processing \nInformation Sharing Council has been useful in that they \nprovide a forum for sharing information about fraud, threats, \nvulnerabilities, and risk mitigation in the payments industry.\n    In conclusion, I want to highlight again that we in DHS and \nacross the NCCIC strive every day to enhance the security and \nresilience across cyberspace and information technology \nenterprise. At every opportunity the NCCIC, in close \ncoordination with our partners, publishes technical and \nnontechnical products to better enable our national critical \ninfrastructure, businesses, and our citizens to protect against \ncyber threats, while also providing onsite technical assistance \nwhenever necessary.\n    We will accomplish our mission through voluntary means, \never mindful of the need to respect privacy, civil liberties, \nand the law. I truly appreciate the opportunity to speak with \nyou today and look forward to your questions.\n    [The prepared statement of Mr. Zelvin can be found on page \n95 of the appendix.]\n    Chairwoman Capito. Thank you.\n    And I am offering my sincere apologies to you, as the first \npanel, and to the next panel, and to the members of this \nsubcommittee, but we are going to call a recess subject to the \ncall of the Chair. We expect it to be a half hour, so that \nwould be 11:05; hopefully, we can call back in sooner.\n    Again, I apologize.\n    [recess]\n    Chairwoman Capito. I am going to go ahead and reconvene the \nhearing. Thank you for your patience.\n    Mr. 
Meeks will be here in a few minutes, but I am going to \ngo ahead and begin my questioning so we can move along a little \nbit.\n    Mr. Noonan, in your statement you mentioned that the Secret \nService had either arrested or gotten 5,000 criminals. Was that \nthe number that you used?\n    Mr. Noonan. Yes, ma\'am.\n    Chairwoman Capito. Those, I assume, are all American \ncitizens in the United States? Because we hear about how a lot \nof this is occurring offshore. Are you coordinating in any \ninternational fashion, or--if you could just kind of give me a \nlittle background on that?\n    Mr. Noonan. Sure, ma\'am. That figure comprises all of the \ncases that we have made arrests on that have any connection \nback to the use of cyber in those crimes.\n    So to say that they are domestic or international, it is \nboth.\n    Chairwoman Capito. It is both.\n    Mr. Noonan. Yes. We have a very unique success of bringing \ninternational, transnational cyber criminals to justice here \ndomestically, but that figure that we have provided for you \nthere is domestic and international.\n    Chairwoman Capito. Okay.\n    Mr. Zelvin, you are from Homeland Security, and Mr. Noonan \nis with the Secret Service. I think sometimes we find that when \nthere is coordination between Federal agencies, who is in \ncharge, I guess is always a good question. I know it is a \ncollaborative effort, but who is really leading this in your \nmind, from your agency\'s perspective?\n    Mr. Zelvin. Yes, ma\'am. It is a team effort so there is a \nvariety, depending on which area you are looking at. As you are \nlooking at the law enforcement aspect, the Secret Service and \nthe Federal Bureau of Investigation have the primacy, depending \non the cyber case. 
When you look at the intelligence field, \nobviously the National Security Agency, the Central \nIntelligence Agency, and others have primacy, whether you are \ntalking about electronics intelligence or human intelligence.\n    We at the NCCIC specifically really focus on those network \ndefense measures--understanding the intrusions, understanding \nhow to plug those holes, and then preventing them from \nreoccurring. We have the responsibility, as well, of protecting \nthe Federal dot-gov space, and that is a big part of our \neffort, and then we work across the private sector at 16 \ncritical infrastructures, and as I mentioned in my opening \nstatement, the international partnerships.\n    Chairwoman Capito. Mr. Noonan, would you concur with Mr. \nZelvin in terms of who is in charge or the coordinative aspect \nof what you are doing? I know we talk a lot about coordination, \nand both of you did in your statements, but I am trying to make \nsure that if Mr. Meeks and I say we are both in charge, but \nthen something goes wrong, and I say, ``But he was in charge,\'\' \nso--\n    Mr. Noonan. Yes, for sure. In an investigation like this \nlaw enforcement generally takes charge of the investigative \npiece--\n    Chairwoman Capito. Right.\n    Mr. Noonan. --and information-sharing we do through a bunch \nof different mechanisms. Our primary source for information-\nsharing is through the NCCIC, but we also partner, as well, \nwith the FS-ISAC. Obviously, the Secret Service has a rich \nhistory of working in the financial services sector.\n    Chairwoman Capito. Right.\n    Mr. Noonan. So the FS-ISAC, who is going to be on the next \npanel, is another great partner that we use to push information \nout to the financial services sector.\n    In addition to that, we have 35 electronic crimes task \nforces. 
And those electronic crimes task forces that we have \naren\'t just made up of law enforcement; they are made up of the \nprivate sector, so we have members from the private sector \nworking side by side with agents, where we share information \nback and forth, as well as academia. So that is another method \nthat the Secret Service uses to push information that is going \nto better protect the private industry and the critical \ninfrastructure that we have.\n    Chairwoman Capito. When there is a data breach from a \nretailer, say, such as what happened with Target--and I know \nthe investigation is ongoing so not specifically that, I am \njust using it as an example--is the way that you are made aware \nof this through individuals whose cards have been corrupted, or \ndoes the company itself, whatever company it is, is it \nincumbent upon them to come to you? How does that reach your \nlevel of understanding of what is going on?\n    Mr. Noonan. It depends on the case, ma\'am. I brought up in \nmy oral remarks that we have a proactive approach to law \nenforcement. And there is a reactive approach, in which the \ncrime has already occurred, and we are chasing the clues back \nto the criminal to identify who the criminal is to affect an \narrest.\n    Chairwoman Capito. Right.\n    Mr. Noonan. The proactive approach of what we do in law \nenforcement is we are out working with sources, we are out \nworking undercover operations, we are working with private \nsector banking investigators, and in our proactive approach \nthere are many times where we identify a potential breach \nbefore it has occurred. And we find that it is more valuable--\nit is critical for law enforcement, then, to make notification \nto that industry, to that private sector partner, to be able to \nstop the crime from occurring.\n    Chairwoman Capito. Okay. 
Let me stop you there because I am \nrunning out of time, but I am curious to know, in the case of a \nretailer where this could have an effect on their future sales, \ndo you find that they are willing to make this breach public \nand really better inform everybody who could be affected by \nsuch a breach?\n    Mr. Noonan. Again, it depends on the company--\n    Chairwoman Capito. Right.\n    Mr. Noonan. --and it depends on the case, so--\n    Chairwoman Capito. Yes.\n    Mr. Noonan. --I can\'t give you a yes-or-no answer.\n    Chairwoman Capito. Right. You can see both sides of it. I \nwould think more and more it is in the company\'s best interest, \nobviously, to be as open and transparent as possible in \nsomething of this nature.\n    Mr. Meeks?\n    Mr. Meeks. Thank you, Madam Chairwoman.\n    Let me start with Mr. Noonan, and let me maybe ask a \nquestion that might not even be fair because I am going to ask \nyou how to help me do my job. You urge Congress to take \nlegislative action that could help to improve the Nation\'s \ncybersecurity, reduce regulatory costs on U.S. companies, and \nstrengthen law enforcement\'s ability to conduct effective \ninvestigations. I think that was part of your testimony.\n    And, I am sure that all parties agree with this in general, \nwhen you make the general assessment, but there are differing, \nat times, interests, and sometimes even competing interests \nthat individuals would have. For example, there may be \ndifferent interests between card issuers, merchants, and \nconsumers. They can all overlap, but ultimately there could be \ndivergent visions of how the government can best solve these \nproblems.\n    So, we are going to be trying to dig into this and talking \nto a number of different folks, but I would like to get your \nopinion. How would you suggest as lawmakers we balance these \ninterests and create a plan that can satisfy the core concerns \nof all parties? 
Because we have this balancing act that we have \nto do but we need to--we want to help you also, so how would \nyou suggest we do that?\n    Mr. Noonan. Yes, sir. So from the law enforcement \nperspective--and that is what I can provide to you--I think it \nis important and it is critical for companies that have been \nexposed, companies that have knowledge of a potential breach, \nto bring that to law enforcement\'s attention. Law enforcement, \nat that point, is critical in the fact that it can, obviously, \ncollect evidence to try to make a difference, make a physical \narrest of a criminal. But I think it is also important that at \nthat point in time, is when the information-sharing piece \nbegins. Because if law enforcement is brought in early and we \nare able to draw the cybersecurity concerns out of the \ninvestigation, the evidence out of that, and we are able to \ntake that information, we are able to minimize that information \nand protect the victim. We are able to then share that \ninformation with my partners over at the NCCIC and get that out \nto the greater infrastructure of this Nation so that they can \nbetter protect themselves from an additional potential attack \nto other pieces or other avenues of infrastructure.\n    Mr. Meeks. Should the notification that goes out to you, go \nout to the consumer or the customer at the same time? For \nexample, I was just wondering how long do most companies wait \nbefore they even notify you and/or notify the customer that \ntheir sensitive personal information may have been breached.\n    Mr. Noonan. I would agree, sir. I think that it should be \nin a short period of time that the information should be put \nout to the customers. I, too, fell victim to a data breach as \nwell, where it was inconvenient for myself and my family. 
So I \nthink I am able to better respond as a customer to help support \nmy family, but I think there is also a law enforcement concern \nthere, as well, where there are situations and there are points \nin time wherein law enforcement may or may not need a window of \nopportunity to run operations to determine what has happened or \nwho is behind the effort or the attack.\n    Mr. Meeks. Let me just also, in that regard, ask Mr. Zelvin \na question. I know in your testimony you also talked about the \nvarious virtual currencies as a means of laundering illicit \nproceeds, and I was wondering whether or not the Secret Service \nor other regulators have taken any action to address some of \nthose concerns? And in your view, do regulators have--do you \nhave sufficient authority to address the risk that these \ncurrencies pose as identified in your testimony?\n    Mr. Noonan. Yes, sir. Just as early as last year the Secret \nService, along with HSI and IRS, was successful in taking down \na virtual currency or a digital currency called Liberty \nReserve. Liberty Reserve was one of those digital currencies \nwhich the criminal underground used in which they would launder \ntheir money anonymously, and we were effective in taking that \nmarketplace out of the criminal underground, as well as we were \nable and successful in arresting the people who were behind the \nsetup of that operation. So it is more important than just \ntaking the operation off, but we also arrested the people \nbehind it.\n    Mr. Meeks. Thank you.\n    Really quick, Mr. Zelvin, what about individual criminal \nactivity outside of the United States? What can be done to go \nafter these illicit actors? And what tools do you have to \nensure that foreign individuals are also held accountable? Does \nthat fit within our--\n    Mr. Zelvin. Ranking Member Meeks, that is a question I \nwould recommend for the FBI and the Secret Service--I will talk \nfrom the US-CERT perspective. 
We work with 200 like-minded \nCERTs around the world. We are in contact with them in many \ncases on a weekly basis and we are able to work our \nmitigations. I was in London about 3 weeks ago, and when we \nwere meeting with our counterparts, they said the point-of-sale \nproduct that we had from US-CERT was very helpful to them \nbecause they were bringing it to their industries, because what \nhad happened here in the United States they felt was probably \nhappening in the U.K. and around Europe, and this was \ninstructive for them, as well.\n    Mr. Meeks. Thank you.\n    Chairwoman Capito. Thank you.\n    Mr. Pearce?\n    Mr. Pearce. Thank you, Madam Chairwoman.\n    I appreciate both of the witnesses being here. Mr. Rothfus \nand I have decided we are going to cut up our cards right here \namong us while we are listening to you, so if you have any \nscissors, pass them on up.\n    Mr. Zelvin, has the CFPB called you all? Are you all \nworking with them in any way?\n    Mr. Zelvin. Congressman, the CFPB?\n    Mr. Pearce. Yes.\n    Mr. Zelvin. The Consumer Financial Protection Bureau?\n    Mr. Pearce. Yes.\n    Mr. Zelvin. No, we haven\'t been in contact with them \ndirectly.\n    Mr. Pearce. Mr. Noonan?\n    Mr. Noonan. No, sir.\n    Mr. Pearce. No. They are collecting 990 million records. \nTarget lost 40 million. They are collecting 990 million. It \nseems like they would be calling the Nation\'s best to say, \n``What do we do for data security?\'\' Amazing.\n    What kind of protection is available against a Snowden-type \nattack? In other words, he is working inside and pulls those \nrecords, downloads a three-mile-high stack of records, and is \nthere any protection?\n    Either one of you?\n    Mr. Noonan. From the Federal Government standpoint, when we \nare talking about retail-type positions, there is nothing that \nwe have that would stop an insider threat.\n    Mr. Pearce. I guess I didn\'t make it clear. 
The CFPB is--\nwould be parallel to the NSA. I don\'t want to carry that \nanalogy too far, but they are a government agency and they are \ncollecting a massive amount of data--massive--almost a billion \ncredit cards. And so I guess I am interested in if somebody \ninside the agency wants to release documents, like Mr. Snowden \nwas inside the agency, it wasn\'t planned, and the agency didn\'t \napprove of it, so is there any protection for the Snowden-type \nattack from inside the agencies?\n    Mr. Zelvin. Congressman, I can answer the question broadly, \nnot specifically. So broadly, the insider threat is one of the \nmost difficult things we face. I think the one that is probably \nalmost as bad is if somebody was into what we call the supply \nchain.\n    The ability to defend against the insider threat is \ndeveloping quickly but we are not where we need to be by a long \nshot. There are things in the financial community which are \nleading the way that we are taking as lessons, but as you \nrightly point out, it is a vulnerability and a weakness that we \nneed to get better on, and we need to do so quickly.\n    Mr. Pearce. Okay.\n    Mr. Noonan, your testimony had some numbers in it, but I \ndon\'t know that I saw the scope. In other words, I saw 4,900--\nthat is the people that we had--that you have had 4,900 \narrests. What is the scope? How many cyber attacks are there \neach day, roughly?\n    Mr. Noonan. I can\'t comment on the number of attacks that \noccur every day.\n    Mr. Pearce. Because it is too secret, or you just don\'t \nknow?\n    Mr. Noonan. No, we don\'t compile our data in that manner. \nWe have active investigations, so--\n    Mr. Pearce. What would you guess? Hundreds of thousands a \nday? Is that too high?\n    Mr. Noonan. I think there are cyber criminals who are \nprobing our systems every day. I think every moment, they are \nprobing our systems.\n    Mr. Pearce. 
Yes, every day, hundreds of thousands, and I \nsuspect that your agency is probably strained for resources. To \nput it in perspective, in your testimony you talk about the 11 \nthat you have indicted; how many convictions have you been able \nto get through the system?\n    Mr. Noonan. Numerous convictions. We have had--\n    Mr. Pearce. Numerous. How many? Like 20,000?\n    Mr. Noonan. No, sir.\n    Mr. Pearce. 22,000? What is numerous?\n    Mr. Noonan. I would say that it is in the range of several \nhundred a year.\n    Mr. Pearce. Several hundred. In the paragraph right above \nwhere you are talking about the 11, you are talking about how \none system has 80,000 users. That is an illicit system--80,000 \nusers and we are getting 11. That is absolutely frightening, \nthe scope that is coming at us and the system is, again, very \ndifficult to work in, with almost no protections against inside \nattacks where people knowingly download and give away \ninformation.\n    Snowden gave away, again, 1.8 million documents, and I \njust--I worry the CFPB has not even talked to you. Mr. Cordray \ngot somewhat offended at the line of questioning and began to \nrewrite the question. I didn\'t accuse him of--going to do it, I \njust said that any agency--this information is widely viewable \nby almost everybody in the agency and widely accessible, and \nyet they haven\'t even called the best people in the Nation.\n    I would recommend that the next time we have the CFPB come \nin and sit down and talk about the protections, maybe they have \nbetter operations than these two guys were able to present, but \nI find it stunning that they have not even contacted either one \nof you.\n    Thank you. I yield back.\n    Mr. Luetkemeyer [presiding]. Thank you.\n    Now, the Chair recognizes the gentlelady from New York, \nMrs. Maloney.\n    Mrs. Maloney. Thank you so much. And I feel this is an \nincredible challenge for our country. 
Just talking to four \nfriends on the panel, all four of us have had our identity \nstolen. The fact that 40 billion people lost their--40 million, \nI guess it was, from Target. That is staggering.\n    So the cost to individuals, law enforcement, and \ninstitutions is absolutely huge. One of the problems I see is \nthat the reaction time is so slow. By the time we put something \nin place, say the data breach chip by 2015, the hackers will \nhave gone on to the next stage of how to hack that.\n    And it seems to me the next phase is going to be online. \nMost of the transactions are online. So the tokenism idea and \ntechnology seems the most promising to me.\n    When you do find a breach, Mr. Noonan, and you said that \nyou are sometimes the first to notice it--who do you notify? Do \nyou notify the financial institution, the consumer, or the \nretailer, or all three? What do you do when you notice a breach? \nWhat do you do?\n    Mr. Noonan. It depends on who the victim is, ma\'am. If it \nis a retailer, we would obviously contact the security \ndepartment of that retailer and we would suggest to them \ndifferent steps to look at their system to be able to determine \nif, in fact--\n    Mrs. Maloney. Okay. Do you tell them to also notify the \nbank and notify the consumer? Who does--\n    Mr. Noonan. Yes, ma\'am.\n    Mrs. Maloney. Okay.\n    Mr. Noonan. So the part we would do is we would have them \nwork closely with the financial institutions and the processing \nsystem which they use.\n    Mrs. Maloney. Now you also said that--and also retailers \nhave said--that the reason that they don\'t immediately disclose \na data breach is that public disclosure would hinder law \nenforcement efforts to catch the criminal. Is that true?\n    Mr. Noonan. Not in all cases, ma\'am.\n    Mrs. Maloney. And why would public disclosure hinder an \ninvestigation?\n    Mr. Noonan. 
Just at a point in time where there was \npotentially an undercover operation, it could hamper the \nconclusion of that undercover operation. So the time that we \nare talking is a very small window of time.\n    Mrs. Maloney. I believe most public policy and resources \nare directed when we have good data, so who is keeping the data \non how big a problem it is in the United States? It is huge in \nterms of the national security and financial security and \neconomic security of our country.\n    Somebody has to be tracking the overall picture of the \nextent and the depth of it and the techniques. Who is doing \nthat if the CIA is not doing it? Who is doing the overall--we \nhave to be collecting that data in a broad way to analyze \ntrends and movements.\n    Who is collecting that data? Somebody has to be collecting \nit. If they aren\'t, then someone should be. Who is collecting \nthat data--the FBI, the CIA, Homeland Security?\n    Mr. Zelvin. Congresswoman, let me answer the question this \nway: We are all collecting data in areas in which we have the \nability to see the information.\n    Mrs. Maloney. Okay, but then who is getting the overall \npicture for our national security and economic security?\n    Mr. Zelvin. Again, it is being looked at by Homeland \nSecurity. We in the NCCIC look at the overall picture. But it \nis a matter of looking at the Internet service providers, and \nmanaged security service providers, and others, and taking that \ndata and aggregating it.\n    But I will tell you that we still don\'t have the visibility \non everything. It is still just a snapshot. But those snapshots \nare useful because they show trends and then our ability to \nprovide mitigations.\n    So if you look at these security reports that Mr. 
Noonan \nhas here, they will talk about things like spearphishing and \nman-in-the-middle attacks and all these other things, and we \nare defending against those things, so we have a lot of work to \ndo as we take this data to build security measures so they are \nnot successful. But that aggregation, it doesn\'t exist; we are \njust compiling data from a lot of sources.\n    Mrs. Maloney. Before 9/11, we had 18 different intelligence \norganizations working independently, not sharing their \ninformation. The most important reform was that we created the \nDepartment of Homeland Security and combined all of our \nintelligence so we are working in a coordinated way.\n    We have to do the same thing with cybersecurity. Somebody \nhas to be in charge of the overall picture.\n    And I know everybody is doing a good job in their \ndepartment, and I would say the private sector is doing a \npretty good job, too. Who is coordinating with finding the top \nthings the private sector is doing with the top things the \ngovernment is doing?\n    This is a number one national security issue; it is not \njust an economic issue. And so, who is doing that? Is it \nHomeland Security? Somebody has to be pulling it all together. \nWho is in charge of doing that?\n    Mr. Zelvin. Congresswoman, I will tell you, I think it is \nour responsibility at the NCCIC, as you describe it, to bring \nthat all together, especially on the network defense side--so \nto be able to work with the private sector; to work with the \ncritical infrastructure sectors; to work with State, local, \ntribal, territorial; to work with our international partners. \nThat is what we are doing on a daily basis.\n    Last year alone, the Center had 240,000 cyber incidents \nreported to us. But again, that is probably a fraction of the \ngreater whole. But our numbers are increasing upwards at about \n60 percent a year as far as--\n    Mrs. Maloney. 
And is the private sector also sending you \ntheir information?\n    Mr. Zelvin. Yes, Congresswoman, they are, but it is done on \na voluntary basis. They have no requirement to do so. The \nFederal Government has requirements to report to US-CERT under \npolicy and other requirements, but the private sector reporting \nis voluntary and that is why one of the initiatives that has \nbeen asked for is the data breach reporting requirement.\n    Mrs. Maloney. Okay. Thank you.\n    Mr. Luetkemeyer. I thank the gentlelady.\n    With that, it is my turn to ask the questions, so the Chair \nnow allows himself 5 minutes to engage the witnesses, as well.\n    I want to follow up on Mr. Pearce\'s comments with regards \nto the CFPB. I was kind of stunned, taken aback that you \ngentlemen hadn\'t heard of or weren\'t aware of the CFPB, and I \nwould certainly echo the concerns of Mr. Pearce from the \nstandpoint that in committee, they actually testified \nthemselves that they have access and take in at least 80 \npercent of the credit card transactions per day that occur in \nthis country.\n    That sort of access, that sort of accumulation of data in \none agency is, quite frankly, scary. You are looking at what \nhappened with Target and Neiman Marcus and some of the other \nmerchants, and now you have a government agency that has 80 \npercent of all the credit card transactions going on in this \ncountry on a daily basis accumulating in their files and they \nare not coordinating with each of you? 
That certainly scares \nthe dickens out of me, so I would certainly urge you to contact \nthose folks and see once if there is a way that you can \ncoordinate with them to see if there is something that they \nfind which needs to be checked out.\n    With that, I was curious--I assume that you have \njurisdiction to go to any individual company or group or \nindustry, whatever, if there is a challenge or some sort of a \ncyber breakdown within that group that deals with personal \ninformation. Is that correct?\n    Mr. Noonan. The authority to go actually into the \norganization itself?\n    Mr. Luetkemeyer. Yes.\n    Mr. Noonan. We would use the court process to be able to \nwork with that company so--\n    Mr. Luetkemeyer. Okay.\n    Mr. Noonan. --if somebody was reluctant or there was a \ncompany that was reluctant, we could potentially use the court \nprocess to do that, sir.\n    Mr. Luetkemeyer. The reason I asked the question is that \nwhen--we are talking mostly this morning about financial \ninstitutions and merchants, but there are other entities out \nthere that have personal information, sometimes have monetary \ntransactions that occur. One of the things, for instance, you \nare looking at different kinds of, for instance, schools, \nassociations--I kind of made a list here of other groups--\nhospitals--medical information is huge these days, as well as \ncredit bureaus.\n    So have you taken any actions or coordinated with any of \nthose kind of groups before with regards to this?\n    Mr. Noonan. Yes, sir. Again, through our electronic crimes \ntask forces, we would partnering with those different \ninstitutions, as well.\n    We go after any sort of cyber criminal which is seeking to \nbenefit through the monetization of whatever that they are \ntrying to accomplish or steal. 
So in many of these situations \nthat you have brought up, personally identifiable information \nis a piece that is of great concern to us, which the criminal \nunderground can monetize and gain from.\n    So any opportunity that we can work with a potential victim \ncompany before it occurs or as it has occurred to be able to go \nat those cyber criminals who are--\n    Mr. Luetkemeyer. One of the reasons I bring that up is a \nlot of those folks, for instance, are not as aware of the \nability of somebody to get into their records because they \nprobably don\'t deal with financial matters as much. But yet, \nthey are probably more at risk than anybody else because their \nsystems probably aren\'t protected as well as, I would think, \nfor instance, financial institutions. So, just kind of an \nobservation.\n    One of the questions I also had was, what about penalties? \nDo you guys ever catch anybody? How many folks have you caught \nin the last 5 years?\n    Mr. Noonan. As a matter of fact, yes. I am talking about \ninternational, the higher-level cyber criminals.\n    Going back, starting in 2005, the Secret Service \nsuccessfully arrested Roman Vega out of the Ukraine. He was \nsentenced to 18 years, sir. In 2008, out of Estonia, Alexander \nSuvorov was sentenced to 7 years. In 2010, Russian Israeli \ncitizen Vladislav Horohorin received 88 months, and Igor \nShevelev, a citizen of the Ukraine, was sentenced to 13 to 40 \nyears in New York.\n    Mr. Luetkemeyer. Are they serving time in the United \nStates?\n    Mr. Noonan. They are serving time here domestically, sir.\n    Mr. Luetkemeyer. They sound like they are all--and you \nindicated they are all from foreign countries--\n    Mr. Noonan. They are all international, transnational--\n    Mr. Luetkemeyer. Okay.\n    Mr. Noonan. 
--cyber criminals that we were able to \nsuccessfully arrest internationally, and have extradited back \nto the United States where they are serving their sentences \ndomestically here in the United States--\n    Mr. Luetkemeyer. Now, are there other tools or other things \nthat you need to be able to do your job better or to have \nbetter access to be able to bring charges against individuals? \nIs there something we need to do to help you do your job \nbetter?\n    Mr. Noonan. Sir, what we are doing, which is bringing great \nsuccess in the arena of going after international cyber \ncriminals, is our partnerships with our international law \nenforcement partners as well as the international offices that \nwe have and the international working groups that we have \noverseas. Because cyber crime knows no borders, we think it is \nimportant to be working outside of our own borders and \ndeveloping these partnerships.\n    So anything that we can get--continue to grow in the area \nof our international partnerships is where we find value right \nnow in bringing these targets to justice.\n    Mr. Luetkemeyer. Okay. Thank you.\n    My time has expired.\n    Mr. Noonan. Thank you.\n    Mr. Luetkemeyer. With that, we will recognize the ranking \nmember of the full Financial Services Committee, Ms. Waters.\n    Ms. Waters. Thank you very much. And I ask unanimous \nconsent to submit my opening statement for the record.\n    Mr. Luetkemeyer. Without objection, it is so ordered.\n    Ms. Waters. I would like to thank our witnesses for being \nhere today. We are also very interested in this subject, and I \nthink that there was a bipartisan effort to support this \nhearing.\n    I would like to know, in light of the fact that the \nintrusion of Target came through a set of compromised vendor \ncredentials, what, if any, updated guidance is being given to \ncompanies to heighten their due diligence of vendors to ensure \nthey are, in fact, legitimate actors?\n    Mr. Noonan. 
So surrounding the information of the \npotential--of the attacks that have occurred over the past \nseveral months, as we learn information on those attacks we are \nable to learn what criminal tools the perpetrators are \nutilizing. We take that information, and we analyze that \ninformation with the help of the NCCIC, and the NCCIC is the \nmain operation that sends out the information to other \nindustry.\n    It is also partnered closely with the FS-ISAC, which is the \nFinancial Services Information Sharing and Analysis Center, to \ntake the information learned and push the tactics and trends of \nwhat is happening out to industry. And Mr. Zelvin could \nprobably comment a little bit more on exactly how they are \ndoing that.\n    Mr. Zelvin. Yes, ma\'am. We got the malware, or the \nmalicious software, from the Secret Service. We analyzed it.\n    We actually put out three different products. Informational \nproducts--the first one went to law enforcement so they could \ngo out and hopefully find the actors who did this. The second \none was a more technical product that went out to cyber \ndefenders not only at the financial services companies and the \nretailers but also to the cyber defense community, managed \nsecurity service providers, and Internet service providers, but \nthe people who really understand one-zeros and backslashes and \nhashtags. Lastly, we have on the US-CERT Web site for consumers \nand the general population guidance on what they can do to \nprotect themselves, and if they have been a victim, what they \ncan do to recover from these events.\n    Ms. Waters. So you do have some specific vendor information \nso that these companies can make a decision about whether or \nnot they are credible vendors?\n    Mr. Zelvin. Yes, ma\'am. The government has put out \ninformation, the Financial Services ISAC has put out \ninformation, and also, the industry writ large is working hard \nat the problem. 
So, it is being attacked from a number of \nareas.\n    Internationally, I will tell you we have gotten some focus \nthere in working with our partners, because this is a global \nproblem, not just a U.S. problem.\n    Ms. Waters. I would like to ask Mr. Noonan a question about \nAttorney General Eric Holder\'s recent urging of Congress to \nestablish a national standard for notifying Americans of data \nbreaches in light of the theft, of course, of customer data at \nTarget and other major retailers. Would you support a national \nbreach notification standard? And if so, do you have any \nspecific recommendations for how that should be crafted?\n    I heard what you just said about all the things that are \nbeing done, but I think what is being urged by Attorney General \nHolder is a little bit different. Are you familiar with that? \nAnd what do you think?\n    Mr. Noonan. Yes, ma\'am. The Secret Service does support any \ninitiative which would bring a data breach to the attention of \na law enforcement agency with jurisdiction to be able to help \nbring criminals to justice and also to help in the aid of \ninformation-sharing.\n    Ms. Waters. So you would consider that Congress does not \nneed to establish a national standard for notifying Americans \nof data breaches? I appreciate that you have come up with some \nways to approach this, including the notification of Americans, \nbut there is nothing in law where we have set a standard.\n    Do you think Congress should do that or could be helpful to \nyou in doing that? Would you want to put something like that \ntogether as a recommendation for us to place in law?\n    Mr. Noonan. Yes. Absolutely.\n    Ms. Waters. Okay. Mr. Zelvin?\n    Mr. Zelvin. Ma\'am, I would absolutely agree. Last year at \nthe Center, we had 240,000 incidents reported, but we know that \nis only a fraction of what is actually happening out there. \nThere is no requirement.\n    We would be supportive of that. 
We think it should be a \npublic-private discussion to build what is the most appropriate \nway to come up with that standard, but we would support it.\n    Ms. Waters. Thank you so very much.\n    Mr. Chairman, I yield back the balance of my time.\n    Mr. Luetkemeyer. Thank you.\n    With that, we recognize the gentleman from Alabama, the \nchairman emeritus of the full Financial Services Committee, Mr. \nBachus, for 5 minutes.\n    Mr. Bachus. I thank the gentleman from Missouri.\n    The Target incident has focused a lot of attention on data \nbreaches at the point of sale, and I will ask Mr. Noonan, does \nthe National Computer Forensic Institute (NCFI) have experience \nwith these type of cases, and are there any lessons we can draw \nor any successful prosecutions?\n    Mr. Noonan. Yes, sir. NCFI is an operation where the Secret \nService brings State and locals to understand cyber crime the \nsame way that Secret Service understands cyber crime.\n    We teach them computer forensics; we teach them network \nintrusion capabilities; we teach them cell phone forensics, as \nwell, and a litany of other courses to bring State and local \nlaw enforcement to the same level of understanding of cyber \ncrime as the Secret Service. We utilize that facility as a \ncapacity-building to help local law enforcement understand and \nbe able to go after the small and medium-sized compromises, as \nwell.\n    A great success that we have out of the NCFI is a case in \nwhich a national restaurant chain was compromised in the same \nway that Target was compromised, through a POS case--intrusion \ncase. Our office in Manchester, New Hampshire, worked this case \nand they worked it with the support of State and local law \nenforcement. 
And it was the State and local law enforcement \nthat we were able to train at NCFI in understanding the \nforensics that were going on that actually were critical in \nbringing, in that case, three international, transnational \ncyber criminals to justice.\n    So it is a force multiplication effort of the Secret \nService, by training State and local law enforcement that are \nin your communities to have the same level of training, the \nsame level of tools that the Secret Service has to go after \nthese types of criminals.\n    Not to mention that State and locals can\'t use that same \nequipment and that same training to do other types of cyber \ncrime that is important to them in their communities, as well. \nSo we know that agents or officers that we have trained and \ndetectives that we have trained have also used those skills to \nbring homicide suspects to justice, pedophile suspects to \njustice, and a litany of other suspects.\n    It doesn\'t stop at State and local law enforcement. We also \nhave trained numerous State and local prosecutors as well as \njudges at that facility. So in the past 4 years, we have \ntrained over 2,000 State and local members there.\n    Mr. Bachus. Let me ask both of you this question, and it \nreally goes into what Congresswoman Waters was saying: With \nTarget, they delayed announcing anything until a blogger \nbasically put on his blog that there had been a security \nbreach, and then they disclosed the 40 million on their debit \ncards. But I think, Mr. Zelvin, you may have referred to this, \nthey didn\'t report the 70 million on the personally \nidentifiable information, which actually is almost a worse \nproblem than the credit or the debit cards, because you can \nchange the debit card. They didn\'t change the PPIs, and it is \npretty hard to change your address or your grandmother\'s maiden \nname or the community you were born in, which are all used for \npasswords, so, there was all kinds of information. 
You are \nprobably not going to change your phone number, and so those \nthings are pretty difficult.\n    And there has been a lot of discussion, and I have \nadvocated before for some uniform Federal standard for \ndisclosing this information--who you disclose it to and the \ntimeframe. Because right now, they operate under--it depends on \nwhat State, and the disclosure laws are all different in \ndifferent States.\n    So if you would like to address the need for a--what we \nwill call a uniform Federal standard?\n    Mr. Zelvin. Congressman, I think one of the better examples \nis on the Federal side, the dot-gov side, the Federal \ndepartments and agencies, at least in the Executive Branch. You \nhave a requirement to report if you had an intrusion, if you \nhad a denial of service, if you have had a number of cyber \nevents. That doesn\'t exist outside the dot-gov domain.\n    So it really is incumbent upon that company to decide what \nthey want to do and how they want to do it, and I know they \ntalk about it at the highest levels, they bring in their \nsecurity professionals who bring their attorneys, and then \nthere is a decision made and the decision is either to disclose \nor not to disclose. They have to make a risk management \ndecision of whether or not it is better to say something.\n    I think we would--what I worry about is someday there could \nbe that cyber 9/11, Pearl Harbor, whatever your analogy is, and \nthe Congress will be asking, ``What do you need?\'\' This will be \ntop on our list because if we don\'t know, we can\'t help to \nprotect and secure the Nation.\n    Mr. Bachus. Mr. Noonan?\n    Mr. Noonan. Yes, sir. I would agree that a lot of times \ncompanies have to make a decision based on--they do make a \ndecision based on a business need as opposed to what is right \nfor the victim.\n    Mr. Bachus. Right.\n    Thank you.\n    Chairwoman Capito. The gentleman\'s time has expired.\n    Mr. Scott?\n    Mr. Scott. 
Thank you very much.\n    In light of everything that has happened, do each of you \nbelieve that our retailers are held accountable and responsible \nfor cybersecurity at the same standard and level as our \nfinancial institutions?\n    Mr. Zelvin. Congressman, let me answer your question this \nway: We don\'t have national standards; we are building them \nnow. That is part of the President\'s Executive Order and--\nforgive me--let me make sure I get the name right--there is the \nCyber Critical Infrastructure Community Voluntary Program, the \nC3 program.\n    Mr. Scott. But don\'t our financial institutions have \nstandards now? My point is that, are the retailers held to that \nsame level as our financial institutions? Because quite \nhonestly, if not, much of what we are doing here is in vain: \n110 million Americans have suffered mainly because, in my \nhumble opinion, retailers are not held to as high a standard in \nthis issue as the financial institutions, and it is critical \nthat we get those two on the same page quickly.\n    Mr. Zelvin. Agreed, sir. The standards can be legislated; \nthey can be put out by regulators; they can be enforced by the \nindustry themselves. And I think your point is there are \ncertain places in industry where they don\'t have standards and \nit would be very helpful to do so.\n    Mr. Scott. Let\'s talk about that for a moment because, as \nyou notice from the questions from our committee, we are eager \nhere in Congress to respond to this issue. This is almost like \na Poseidon tidal wave coming at us.\n    As you rightly point out in your testimony, there are now \nover 2 billion Internet users. There are over 12 billion \ncomputers and other instruments that are used, and satellite \ndevices, and so forth. And in the next 10 years that is \nestimated to possibly double.\n    So the issue becomes, can we win this? Can we with this \nbattle? 
That is especially true because not only--even if we \njust existed over the next 10 years at the same level of \nsophistication of these technical devices, which we have become \nsort of servants to instead of servants to us.\n    So the question becomes, with the rapid advancements in \ntechnology--just think: Ten years ago, we didn\'t have what we \nhave now, and what we have now, my God, is going to be ancient \n10 years from now and we are going to have double the people \nwith it. So I think the American people are looking for some \nconfidence here that their vital security is at stake, and then \nmore than that, the Nation\'s security is at stake.\n    Let me ask you an interesting question, Mr. Noonan. What \nwas very interesting about your comment, because I wanted to \nget to--you said you caught some people and you mentioned \nsentencing of these people. Are there any possibilities for \nparole in this or negotiation or anything like that?\n    Mr. Noonan. In the Federal system, my understanding is that \nthere can be downward departures of sentences, but not that I \nknow of as--\n    Mr. Scott. That is interesting. Why so? Because you see, \nthese national conspiracies, as you so aptly put it, are very \nsophisticated. And it could be that they are even more \nsophisticated than you or us or where we are.\n    So why are there plea agreements? Why don\'t we have stiff, \nhard criminal sanctions and put these folks who do wrong in \njail for what they are doing to the country?\n    The other point I wanted to ask is that you mentioned that \nall of these were foreigners attacking us. Now, that begs the \nquestion, why aren\'t they attacking--I don\'t want them to \nattack France or Germany or Great Britain--but the question is, \nwhy us? Is there something that these other nations are doing \nthat deters them, and we are vulnerable where other nations \naren\'t? 
Is that a possibility, since the only ones that you \nhave been able to get ahold of and put away, hopefully for a \nwhile, are foreigners?\n    Mr. Noonan. Sir, we know that these cyber criminals are not \njust attacking the United States. This is a global issue. This \nis not just a national issue to the United States; this is a \nglobal issue.\n    These particular criminals are attacking wherever they can \nfind wealth and monetize that data.\n    Mr. Scott. How are we doing compared to these other \nnations? Are these other nations putting them away as they \nshould? Is there coordination with other nations?\n    Mr. Noonan. Yes, sir. We are coordinating very closely with \nother nations. And to be honest, we have a very, very rich \nsuccess rate of getting some significant, stiff sentences.\n    Albert Gonzalez was a domestic target that we arrested in \nthe TJX and Heartland Payment Systems breach. He was sentenced \nto 20 years in prison here in the United States.\n    We also have a litany of other huge sentences. I brought up \nearlier Roman Vega out of the Ukraine was sentenced to 18 years \nin prison. Recently, out of Romania, Mr. Oprea was sentenced to \n15 years in prison here domestically for, again, point-of-sale \nbreaches we are talking about today.\n    Chairwoman Capito. The gentleman\'s time--\n    Mr. Scott. And the national breach law is what you \nrecommend we do?\n    Mr. Noonan. Yes, sir.\n    Mr. Scott. Okay.\n    Chairwoman Capito. Thank you.\n    Mr. Stutzman?\n    Mr. Stutzman. Thank you, Madam Chairwoman.\n    And I thank both of the witnesses for being here today.\n    I would like to follow up just a little bit on the \nquestions that you just talked about in, I guess, retailers. 
I \ncome from a small business background and have small business--\nor a retail small business as well, and obviously any sort of \ncredit card is a convenience for both consumer and for the \nretailer, but the role that retailers play--granted, I am \nsmall, but there are large retailers out there. Can you share \nwith us a little bit of what--how is that data stored? Do they \nkeep that data?\n    For us, we don\'t--we have no interest in it other than the \ntransaction, and so I guess I am trying to follow up and \nunderstand why would we expect the retailers to be held to a \ndifferent standard--or at the same standard as the financial \ninstitutions? Is there an effort out there by retailers even \ntrying to do that?\n    I guess I would be concerned about that to some extent, \nbecause the more information that is held in different groups\' \nhands, the more opportunity there is going to be for breaches. \nI don\'t know if either of you had a comment on that?\n    Mr. Noonan. Yes, sir. Actually on your next panel you have \na witness from PCI who is going to be able to discuss some of \nthose issues, but regulations have changed over the course of \nthe years, so back in 2005, TJX intrusion happened where cyber \ncriminals were able to go after a database where retailers were \nable to, at that time, store credit card data unencrypted in \nservers. So, the criminals were able to exfiltrate a whole \ndatabase of stored credit card data in 2005.\n    Because of that intrusion, industry changed. No longer can \nyou store credit card data on a database within your system.\n    So what the criminals then did is they looked at, where is \nthe path of least resistance, and they attacked Heartland \nPayment Systems, which was a credit card processing company. 
\nCredit card data during that period of time crossed over the \nsystem from the retailer to the credit card processing company \nto the bank, and in that system it was not encrypted data \nduring that period of time.\n    Again, after that intrusion happened, the standards changed \nand from point to point credit card data and data information \nhad to be encrypted.\n    Today, the criminals are going after, again, where is the \nedge of the fence? So, they have gone after the point-of-sale \nsystems.\n    In domestic retail shops, from the point that you swipe \nyour credit card at the terminal, that data goes to a back-of-\nthe-house server, to a computer in the back that you see it, it \nis probably in the storage room or something of that nature. \nAnd that data, from the point that it is swiped at the keypad \nto the back of the computer, that is where it is vulnerable and \nit is not encrypted. Once it hits that computer and goes \nthrough the processing system, that is where it is encrypted \nand protected.\n    So what happens is continually we change the standard and \nthese complex, sophisticated criminal actors are going to go \nafter and have been going after this data in whatever they see \nas the most advantageous, weakest point in the system.\n    Mr. Stutzman. So are you saying that typically, the weakest \npoint is through retailers\' entry points? How do they use the \nretailers\' entry points? When I am swiping a card, are they \nable to follow that data from--\n    Mr. Noonan. What they have done is they have actually \ninstalled malware into the computer system where it makes the \nswitch from the swipe into the encryption piece, so before it \nis encrypted they have malware which actually captures the data \nat that point and exfiltrates the data back out to a different \nsystem where the criminal is able to collect it.\n    Mr. Stutzman. 
Do retailers have the ability to--is there \nsoftware out there that can prohibit that sort of activity, or \nwhat could retailers do to protect that information?\n    Mr. Noonan. I am unsure at this point. That would be an \nindustry question to bring up, sir.\n    Mr. Stutzman. All right.\n    Thank you. I will yield back.\n    Chairwoman Capito. The gentleman yields back.\n    Mr. Heck?\n    Mr. Heck. Thank you, Madam Chairwoman.\n    I would like to begin by asking unanimous consent to enter \ninto the record the letter dated January 10, 2014, from 17 \nsignatories to Chairman Hensarling requesting this hearing. At \nthe same time, I would like to express my public appreciation \nto you for conducting this hearing.\n    Chairwoman Capito. Thank you. Without objection, it is so \nordered.\n    Mr. Heck. Thank you.\n    Mr. Noonan, it is a little hard to look at this phenomenon \nwithout coming away with an answer to the question of, ``Are we \nwinning or losing?\'\' of, ``We are losing,\'\' at least as \nmeasured--not in terms of the number of attacks, but the number \nof successful attacks and the dollar amount that has \nsuccessfully been effectively stolen.\n    So for those of us who aren\'t especially geeky, among whom \nI would count myself, can you put this in the simplest terms \npossible: What is the most important takeaway for those of us \nsitting here about what it is we can do as Members of Congress \nto help change that trend line? What is the most important \naction we could take, policy we could enact, in whatever form, \nto help?\n    Mr. Noonan. It is my belief that if Congress were to assist \nin coming up with a reporting requirement where if there is a \ndata breach or a company has knowledge of a data breach, that \nthey were to bring that to law enforcement\'s attention. That is \nmy perspective. That is the Secret Service perspective. 
Because \nwe are able to, at that point, help with the information-\nsharing piece that has to go forward to better protect what is \ngoing on after the fact.\n    In other words, it is best for industry to have a point of \ncontact at law enforcement--I make the analogy with a fire: \nDon\'t wait until your house is on fire to have the phone number \nto the fire department.\n    If industry partners with law enforcement and already has a \npersonal, a trusted relationship with law enforcement, we, law \nenforcement, are better able to assist a victim company walk \nthrough the process. And in doing so, we are able to grab and \ngather the cybersecurity-related information and share that, \nthen, with the greater infrastructure in an effort to prevent \nother attacks.\n    We use, again, a number of different efforts to share that \ninformation. We use the NCCIC, where they are able to push it \nout through their sources to greater industry. We are able to \nuse our electronic crimes task forces. We are able to push that \nout to our trusted partners in the private sector as well as \nacademia. And we are able to use our partners at the FS-ISAC to \nbe able to take that information and push it.\n    So I think the important part of this whole mechanism that \nwe are talking about is the information-sharing apparatus of \nwhen a breach does occur, what can we learn from that breach, \nand how can we share that information to prevent others?\n    Mr. Heck. I want to ask a follow-up corollary to that, \nwhich is really a follow up to the question--he has left now--\nMr. Luetkemeyer asked, which I didn\'t think you answered; I \ndidn\'t think you were evading it but I didn\'t think you \nactually answered it, and I really thought it was a very good \nquestion, especially given that the nature of this activity \ndoes not respect boundaries of countries whatsoever. 
He asked you, ``What could we do to help you be more effective internationally?''
    And basically what you said is, ``Well, these international partnerships are really important to us.''
    But the question, sir, is, what can we do to help you be more effective as it relates to your ability to engage in effective enforcement internationally?
    Mr. Noonan. You can continue to support the Secret Service in our efforts of continuing to expand our presence in our international field offices and expanding that footprint. You can help us in furthering our international working groups that we have. We have working groups in the Ukraine; we have international working groups--
    Mr. Heck. Just use one example.
    Mr. Noonan. I'm sorry.
    Mr. Heck. I got it. I have one other question that I want to ask, and I apologize--
    Mr. Noonan. Sure. No problem.
    Mr. Heck. --for interrupting. I want to go back to Target.
    It is my understanding that neither Target-branded debit cards nor credit cards were breached, or successfully--and first of all, I would like to know if I have accurate information in that regard. And if it is true, what was the difference? And is there a lesson to be learned there if it is true? What were they doing such that information wasn't used against--
    Mr. Noonan. Sure. So, I just checked, and that information is not accurate. Those cards--
    Mr. Heck. They were breached.
    Mr. Noonan. --were breached as well, so that was taken.
    Mr. Heck. Thank you.
    Mr. Noonan. Yes, sir.
    Mr. Heck. I yield back the balance of my entire 6 seconds. Thank you, Madam Chairwoman.
    Chairwoman Capito. The gentleman yields back.
    Mr. McHenry?
    Mr. McHenry. I thank the chairwoman.
    I just have a broad question for both of you, and if you could answer this. I read news reports that merchants and universities are finding out about data breaches from the government, from financial institutions, from credit card companies, banks, the whole lot. Why are merchants failing to detect those security breaches?
    Mr. Noonan. I can't answer why they are not detecting the security breaches, but law enforcement as well as other parts of the private sector--banks, processing companies--have a unique perspective of looking at compromised data. So we can be working with bank investigators--you can take any bank for example--and when they start seeing different anomalies with their customer base of reporting fraud losses, the initial point of report is going to be back to the bank investigator or back to the bank.
    So when they start seeing high percentages of fraud loss coming from the same merchant or the same retailer, that is a concern, so they would either bring it to law enforcement's attention or actually bring it to the retailer's attention at that point. So not necessarily would the retailer have the exposure themselves of that--
    Mr. McHenry. Okay. But to that end, Mr. Noonan, when you announced the data breach with Visa and Target in August of 2013, right, it was made public then. Am I right on the timeline?
    Mr. Noonan. Negative. On Target? It wasn't until December at some point.
    Mr. McHenry. Okay. So when did you all identify the malware for that data breach?
    Mr. Noonan. The data breach, when it was brought to--when we were working closely side by side with the forensic examiners that--the third-party forensic examiners that Target had hired, within a week we were able to have that data and be able to push that out to--
    Mr. McHenry. So, you turned it around in a week's time?
    Mr. Noonan. Yes, sir.
    Mr. McHenry. Okay. So on the next panel, we have a witness from the Financial Services Information Sharing and Analysis Center, and they are going to--they are actually conducting a study which, ``engages machine-to-machine threat intelligence exchange in a way that will more quickly inform financial infrastructure front line operators and aid their preventative and incident response decision-making.'' They are calling this the Cyber Threat Intelligence Repository.
    Are you both familiar with this initiative?
    Mr. Zelvin. We are, sir. At the NCCIC, we are one of the leading proponents and creators of the STIX and TAXII framework to which you are referring.
    Mr. McHenry. So will this speed the response? Tell us the value of it.
    Mr. Zelvin. Sure, Congressman. I think one of the best ways to highlight this is in September 2012, our financial sector was being attacked about 3 times a week with something called ``distributed denial of service attacks.'' We were getting information by the hundreds of thousands, and technical information. We were getting those--and I am going to use some generalisms just to illustrate the point--in PDFs, so, in a very user-unfriendly format for a cybersecurity defender.
    We started using spreadsheets like Excel, which was a little bit better, but there are a variety of different data formats that companies use so there wasn't a one-size-fits-all. The STIX and TAXII format will enable us to adjust the information so somebody doesn't have to e-mail it, we don't have to process it, we then e-mail it back. This will do it in an automatic way so what had been taking us days that we got down into hours will hopefully take us seconds.
    Mr. McHenry. So you move from PDFs to Excel--
    Mr. Zelvin. To a machine-to-machine format that will take the human out of the equation. Again, it will be up to the--where the destination goes how they are going to want to process--
    Mr. McHenry. My time is short, but can you tell us the legal restrictions that prohibit greater data-sharing? What are the things we could do to make the dissemination of data better?
    Mr. Zelvin. Congressman, I am going to highlight something that is--the question that was asked of Mr. Noonan, and you may have asked it. One of the things that we would really ask Congress to do is just better define clarity on information-sharing. What is information that the private sector and others can share with us?
    I will tell you, we meet with a lot of C-suite executives, the security folks, and they say, ``By all means, government, here, you can have this information. Proliferate it widely. Others are being attacked. This will help us all.''
    Then they have others in the company who are giving good advice--their lawyers--saying, ``Look, there is no legal means that allows this. We are assuming some risk, some liability here.'' If we could get some clarity as to what can be shared with us and have that in law, that will really speed the process. And also, it should be respectful of privacy and civil liberties.
    We should not do this without having some governance on us, but it should not stop us from doing it, either.
    Mr. McHenry. I thank the chairwoman for her advocacy on this important issue.
    Chairwoman Capito. Mr. Rothfus?
    Mr. Rothfus. Thank you, Madam Chairwoman.
    In Pittsburgh, we are fortunate to have premier academic institutions like Carnegie Mellon University and the University of Pittsburgh right at our doorsteps. Both of these universities are doing exceptional work in the area of data security.
    And, Mr. Noonan, you highlighted in your testimony the work of Carnegie Mellon.
    As you, I think, would both agree, we need to be using these great resources in our fight to combat data-breachers.
    I am wondering, Mr. Noonan, if you would elaborate a little bit on how the Secret Service--and then, Mr. Zelvin, if you could perhaps comment on what DHS has been doing with these and similarly situated universities around the country?
    Mr. Noonan. Yes, sir. Thank you.
    The University Carnegie Mellon, we work closely with their Software Engineering Institute. We actually have a full-time agent who is assigned there, so he is sitting at Carnegie Mellon, partnered with them. Through academia and observing what is occurring in a lot of these cyber incidents, we are able to develop other tools--technical tools--which the Software Engineering Institute is able to help us identify different situations, different forensic solutions, different ways of looking at data, which better helps us do our cases, our investigations, our information-sharing.
    Like the institution at Carnegie Mellon, we also have representation at the University of Tulsa, where we have the Cell Phone or Mobile Device Forensics Facility, which we worked closely with students--graduate student level students there--and we look at how mobile devices can be affected by criminals. We take highly complex criminal cases and we push them to our agent who sits with the University of Tulsa to examine how to get at those forensic capabilities and those forensic hurdles in mobile devices, too.
    So it is very important for us to team with academia to decide what is on the horizon of the next threat.
    Mr. Rothfus. Mr. Zelvin, is DHS similarly engaged with the academic institutions?
    Mr. Zelvin. Congressman, we are. Carnegie Mellon is one of our most critical partners in not only understanding threats but also in the mitigation, so it is an intimate relationship and something that we hold in the highest regard.
    Mr. Rothfus. I want to follow up a little bit on what Representative McHenry was talking about. I think everyone can agree that effective data security is dependent on a voluntary collaboration between the government and members of the private sector. Key to establishing this sort of trust-based public-private partnership is adequate legal liability protection for private entities that share information with the government.
    And to that end, could you please elaborate on the current policy regarding legal liability protection for private entities that opt to share threat information with agencies like yours? Maybe each of you can--
    Mr. Zelvin. Congressman, that is one of the central issues with sharing at government is the concern of either breaking the law or potentially having court action in a civil case. So, there is great desire on behalf of the Executive Branch to have the legal liabilities in place so one would not be punished for sharing with government. Again, the information should be clarified as to what can be shared, but if you do share that information, one should be able to do so without penalty.
    Mr. Rothfus. Mr. Noonan, can you comment on, from your perspective, the current policy with respect to information-sharing?
    Mr. Noonan. Yes, sir. I don't believe there is a policy as of right now. So I would concur with Mr. Zelvin. I think there is an issue with companies coming forward so they are given some sort of protection, but I cannot comment on existing policy, sir, no.
    Mr. Rothfus. In both of your written testimonies, you discuss the increasingly international nature of the threat landscape and the need for close partnerships with foreign law enforcement agencies. Which countries are you most concerned about in terms of data security?
    Mr. Noonan. A number of the international cases that we are talking about today are Eastern European, Russian-speaking cyber criminals. I don't want to affiliate these types of criminals with one particular country because again, there are no borders.
    We see Eastern European, Russian-speaking cyber criminals who are here domestically in our country that we are able to arrest and bring to justice. We see these types of criminals all over the world.
    I say this in the fact that these are the most sophisticated, in our opinion, cyber criminals who are attacking our Nation's financial infrastructure. So as far as saying--in trying to lock it down to a particular country of origin, there is not one in particular. We are seeing them across-the-board.
    But again, the Russian-speaking cyber criminal is using the Russian language as a form of OPSEC, if you will, to provide some anonymity to them. Because they use the Internet, they are wallowing in the anonymity of the Internet.
    Mr. Rothfus. Mr. Zelvin, would you agree with the Russian-speaking actors out there? Are there other countries about which you have particular concerns?
    Mr. Zelvin. Congressman, I worry about actors in Asia; I worry about actors in Europe, to include Eastern Europe. It is literally a global threat environment. So on the financial side, I would agree with Mr. Noonan, it is more the Eastern European criminal actors, but there is also extraordinary criminal activity in Asia, as well.
    Mr. Rothfus. Thank you.
    And thank you, Madam Chairwoman.
    Chairwoman Capito. Thank you.
    Mr. Barr?
    Mr. Barr. Thank you, Madam Chairwoman.
    I wanted to kind of know from the witnesses what the worst-case scenario would be. In your all's professional judgment, what would be the greatest cybersecurity threat to America's financial system?
    Mr. Noonan. In my opinion, it is a financial services attack that goes unnoticed. So a long, long period of exposure to a financial services sector company is my opinion of what the worst case could be.
    It is through the actions of law enforcement that proactively go out and seek these out that brings it to industry's attention. And I also think it is important that when industry itself notices it, that they bring it to our attention.
    It is important for us--law enforcement, the government--to be able to either prevent the attack from happening or see it as it is happening to be able to stop the bleeding from happening. If the bleeding occurs for a long, long period of time and there is a long period of exposure, that, in the financial services sector, would be probably the more important, more area of concern for that sector.
    Mr. Barr. Mr. Noonan, what would prevent a victim or targeted company from failing to notice this attack?
    Mr. Noonan. In my opinion, it is how advanced these criminal actors are. So when we are talking about significant criminal actors that--you have to understand, when they are going after the financial services sector, they are going into these targeted victim companies stealthily. Their job is to go undetected, because if they are detected and they go into these situations loud and disrupt everything, they are going to lose what their goal is and that is their financial gain; that is their grabbing the data and being able to monetize that data.
    So if law enforcement and industry learns about the theft of that data and we are able to do something about it, it minimizes the criminal profit in what they are attempting to do.
    Mr. Barr. Have we been able to assess or gauge the capabilities of some of these hackers? Specifically, the kind of nightmare scenario would be something along the lines of a hacker being able to erase electronic data from a large financial institution, or worse, effectuate transactions through hacking into a large, systemically important financial institution.
    Are we aware of whether or not cyber terrorists have that capability at this point?
    Mr. Zelvin. Congressman, let me answer that and then maybe go back to your original question. There are actors out there who have extraordinary sophistication, who are patient and are looking for vulnerabilities and are absolutely capable of finding them quickly, and it is just whether or not they have the intent and the access and then the ability.
    As I look at the worst-case scenario, to answer the first part of your question, I think that if somebody was to find an intrusion in the transactional systems that the financial sector uses, that would be pretty catastrophic. If there is a loss of confidence within the systems themselves where data has been compromised, that would be pretty catastrophic. If consumers lose the convenience that they rely upon, are unable to use their credit cards and their ATMs, that would be pretty catastrophic.
    There are others but those are the three that really come to my mind. You really get to that high impact, low probability.
    The sector, the institutions are doing extraordinary work at this every hour of every day. But ultimately, there are vulnerabilities and the actors are using some very creative and clever means to come at us, so you have to be very good every single day because they are trying to come at you every single minute of every day.
    Mr. Barr. And in terms of technological advancements in terms of creating defenses to this, there is talk about these chip cards and more extensive use of PINs, particularly with credit cards. But I did notice that in the case of the Target situation, that PINs were procured by the hackers, as well. So how effective is expanded use of PINs as a defense mechanism?
    Mr. Noonan. Any added security measure is going to definitely help in the monetization of whatever data is stolen. It would not assist in the theft of the data itself.
    Mr. Barr. Right.
    Mr. Noonan. Chip and PIN technology will help in limiting the criminal monetization of that data, but it would not help in the theft of that data. That data could still be used on card-not-present purchases.
    So a cyber criminal, though he cannot re-encode that data onto a credit card and use that counterfeit credit card, he could go online and type in the 16-digit number and the other information that is exposed there and still accomplish financial loss to the victim bank or the victim institution.
    Mr. Barr. Thank you.
    I yield back the balance of my time.
    Chairwoman Capito. Thank you.
    The gentleman yields back, and that concludes questioning for the first panel.
    I want to thank both of you gentlemen. I think this has been very enlightening, and I again apologize for the delay and thank you for your patience. You are dismissed.
    While we are changing over, I am going to ask for unanimous consent to submit several statements for the record from the Independent Community Bankers of America; the National Retail Federation; the National Association of Federal Credit Unions; the American Bankers Association; and the Credit Union National Association.
    Without objection, it is so ordered.
    All right. I want to thank the second panel for coming in. We have a second panel of distinguished witnesses.
    Again, thank you for your patience. I know you have been sitting here, as well, while we had our technical difficulties.
    Each of you will be recognized for 5 minutes to give an oral presentation of your testimony. And without objection, each of your written statements will be made a part of the record.
    Our first witness is Mr. Troy Leach, chief technology officer, PCI Security Standards Council.
    Welcome, Mr. Leach.

STATEMENT OF TROY LEACH, CHIEF TECHNOLOGY OFFICER, PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL (SSC)

    Mr. Leach. Thank you.
    My name is Troy Leach, and I am the chief technology officer for the PCI Security Standards Council, a global industry initiative that is focused on securing payment card data. Our approach to an effective security program is people, process, and technology as key parts of data protection. Our community of over 1,000 of the world's leading businesses tackles security challenges from simple issues--for example, the word ``password'' is still one of the most commonly used passwords--to very complex issues, like proper encryption key management.
    We understand when consumers are upset when their payment card data is put at risk and the harm that is caused by breaches. The Council was created as a forum for all stakeholders--banks, merchants, manufacturers, and others--to proactively protect consumers' cardholder data against emerging threats.
    Our standards focus on removing cardholder data if it is no longer needed. Our mantra is simple: If you don't need it, don't store it. If you do need it, then protect it through a multilayered approach and devalue it through innovative technologies that reduce incentives for criminals to steal it.
    Let me explain how we do that. The data security standard is built on 12 principles that cover everything from strong access control, monitoring and testing of networks, risk assessment, and much more. This standard is updated regularly through feedback from our global community.
    In addition, we have developed other standards that cover payment software, security manufacturing of cards, point-of-sale devices, and much more. We also develop standards and guidance on emerging technologies, like tokenization and point-to-point encryption, that remove the amount of card data that is kept in systems, rendering it useless to cyber criminals.
    Another technology, EMV chip, has widespread use in Europe and other markets and is an extremely effective method of reducing card fraud in face-to-face environments. That is why the Council supports the deployment of this technology. In fact, today we already certified a securing of chip terminals and manufacturing of chip cards.
    However, EMV chip is only one piece of the puzzle. In addition, controls are needed to protect the integrity of payments online, on the telephone, and in other channels. These controls include encryption, proper access, response from tampering, malware protection, and more.
    These are all addressed within the PCI standards today. Used together, EMV chip and PCI standards can provide strong protections for payment card data.
    But effective security requires more than just standards and technology. Without ongoing adherence and supporting programs, these are only tools and not solutions.
    The Council makes it easy for businesses to choose products that have been independently lab-tested and certified as secure. The Council's certification and training programs have educated tens of thousands of individuals including assessors, merchants, technology companies, and government. And finally, we conduct global campaigns to raise awareness of payment card security.
    The recent compromises demonstrate the importance of a multilayered approach to payment card security, and there are clear ways in which the government can help--for example, by leading stronger law enforcement efforts worldwide, particularly because of the global nature of these threats; and by encouraging stiff penalties for these crimes. Promoting information-sharing between the public and private sector also merits attention.
    The Council is an active collaborator with government. We work with NIST, DHS, and many other government entities, and we are ready and willing to do more. We believe that the development of standards to protect payment card data is something that we are uniquely qualified to do. The global reach, expertise, and flexibility of PCI have made it an extremely effective mechanism for protecting consumers if implemented correctly.
    The recent breaches underscore the complex nature of payment card security. A multifaceted problem cannot be solved by a single technology, mandate, or regulation. It cannot be solved by a single sector of society.
    Businesses, standards bodies, policymakers, and law enforcement must work together to protect the financial and privacy interests of consumers.
    Today, as this committee focuses on recent breaches, we know that criminals are focusing on inventing the next attack. There is no time to waste. The PCI Council and business must continue to provide multilayered security protections while Congress leads efforts to combat global cyber crimes that threaten us all.
    We thank the committee for its attention to this, and we look forward to finding a way forward with addressing large security concerns of our time.
    [The prepared statement of Mr. Leach can be found on page 67 of the appendix.]
    Chairwoman Capito. Thank you.
    Our next witness is Mr. Greg Garcia, advisor, Financial Services Information Sharing and Analysis Center.
    Welcome.

STATEMENT OF GREGORY T. GARCIA, ADVISOR, FINANCIAL SERVICES INFORMATION SHARING AND ANALYSIS CENTER (FS-ISAC)

    Mr. Garcia. Thank you, Chairwoman Capito, Ranking Member Meeks, and members of the subcommittee.
    I am Greg Garcia, president of Garcia Cyber Partners, a cybersecurity policy and business development consulting firm. I am testifying here today as an advisor to the Financial Services Information Sharing and Analysis Center, or FS-ISAC.
    In light of the recent data breaches in the retail sector, this hearing is timely as we consider how commercial and critical infrastructure sectors can prevent and defend against such attacks from happening in the future.
    During my tenure as Assistant Secretary at Homeland Security and as an executive with the financial services sector and IT sectors, I have consistently held up the FS-ISAC as a model operation. It is a model for how trusted collaboration, timely intelligence, and information-sharing are essential elements of any risk management strategy. They are effective tools against cyber adversaries who would subvert the integrity of the critical infrastructures that maintain the cyber, physical, and economic security of this country and the world.
    So accordingly, I would like to spend just the next few minutes describing some of the major elements of the model and put it in the context of the recent data breaches that are the subject of this hearing.
    The FS-ISAC was founded in 1999 in acknowledgement of a Presidential Directive, PDD 63, which urged private industry to self-organize around the mission of sector-specific critical infrastructure protection. The FS-ISAC provides a formal structure for its 4,500 member institutions to share valuable and actionable cyber intelligence within the sector and with their industry and government partners. This collaborative activity ultimately benefits the Nation.
    At FS-ISAC, we use all the tools at our disposal to stay ahead of adversaries. And just a few of these tools include the secure FS-ISAC member Web portal, where threat indicators are published; e-mail listservs; threat assessment conference calls; best practices advisories; incident response and mitigation protocols; cyber exercises; and information-sharing partnerships across the sector, with other sectors, and with government and cyber operations and intelligence entities, such as the NCCIC.
    We recognize that the threats we face are sophisticated and are frequently changing, and that immediate sharing of threat details and patterns is effective in heading off the changing nature of the threats.
    We also share this sensitive information without the risk that any member company would exploit another's misfortune from cyber attack for competitive advantage. Members know we are all in this together, that an attack on one can very quickly escalate to an attack on many if all eyes and ears are not working together.
    And our organization ensures that even smaller community institutions have access to threat information alongside the largest financial institutions in the Nation. By way of specific example, allow me to walk you through some of the actions taken by the FS-ISAC in the wake of the retailer data breaches that recently occurred.
    First, when information from forensic investigations became available, FS-ISAC published a joint document with the DHS National Cybersecurity and Communications Integration Center (NCCIC), the U.S. Secret Service, and ISAC partners regarding the breach. We provided relevant mitigation recommendations and network security best practices from an industry owner and operator perspective. These security practices are intended to help vendors and merchants to secure their point-of-sale systems and to defend against malware that is used in those system attacks.
    Second, FS-ISAC encouraged its association members to share the joint document broadly with their members, and we also met with and provided the document to a number of retailer associations and encouraged them to share the document with their members.
    Third, as information about the attacks was becoming available, members were able to leverage FS-ISAC's all-hazards playbook and related best practices to better protect and communicate with their customers and the general public.
    Fourth, FS-ISAC provided an assessment of the point-of-sale malware to its members on its biweekly threat calls and the assessment examined the malware in several ways--the usage patterns in the short term, the growing popularity and availability of the malware tools, and threat indicators for network defenders.
    Finally, we continue to work with multiple associations representing the retailers to explore ways in which we can help them enhance the security of their systems.
    Since these data breaches occurred, there has been considerable discussion in the public domain about accountability and assignment of costs associated with these breaches. Indeed, financial institutions have absorbed considerable costs associated with canceling and reissuing credit and debit cards to their customers.
    But as I stated at the beginning of my testimony, it is clear to us that we are all in this together, that security is a shared responsibility, and that is why the FS-ISAC was pleased to see the announcement on February 13th of a new partnership between merchant and financial trade associations that will focus on exploring the paths to increased information-sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable and was joined by a dozen other influential financial associations.
    Madam Chairwoman, that concludes my testimony and I look forward to answering any questions the subcommittee may have for me.
    [The prepared statement of Mr. Garcia can be found on page 57 of the appendix.]
    Chairwoman Capito. Thank you.
    Our next witness is Mr. David Fortney, senior vice president, product manager and development, The Clearing House Payments Company.
    Welcome.

STATEMENT OF DAVID FORTNEY, SENIOR VICE PRESIDENT, PRODUCT MANAGEMENT AND DEVELOPMENT, THE CLEARING HOUSE PAYMENTS COMPANY

    Mr. Fortney. Thank you. Good afternoon, Chairwoman Capito, Ranking Member Meeks, and members of the subcommittee.
    My name is David Fortney. I am the senior vice president of product management for The Clearing House, and I thank you for the opportunity to talk today about issues that are critical to all Americans--the security of our payment system and also the protection of sensitive consumer financial information.
    The Clearing House is the Nation's oldest bank association and payments company. Our mission includes ensuring the safety, soundness, and efficiency of the payments system.
    We provide payment services to our 23 owner banks and other financial institutions, clearing and settling nearly $2 trillion daily. The organization's owner banks collectively represent over half of the Nation's deposits and over 70 percent of Visa and MasterCard-branded credit cards.
    The recent escalation of merchant data breaches demonstrates the increasing sophistication of cyber criminals and also underscores the urgent need for financial institutions, merchants, and all who touch the payment system to work together to protect against current and future threats.
    I will focus my testimony today on two payment systems technologies that are on the horizon and will reduce the risk of future breaches: EMV; and tokenization.
    First, EMV cards contain computer chips and they are designed to protect against counterfeiting, as compared to the magnetic stripe-based cards used today. However, EMV alone would not have prevented the theft of card information in the recent breaches, as it relies on merchants receiving and processing the same static information that account numbers have today. As we have heard from prior testimony, those account numbers would still be significantly valuable to cyber criminals for committing fraud online, where most fraud occurs.
    Additionally, as EMV was designed prior to the Internet, prior to mobile phones or tablets, it does not address transactions initiated via those means.
    The second technology I would like to discuss is one that we have been directly involved in at The Clearing House. It is called tokenization.
    Tokenization addresses online and mobile phone payments by substituting a limited-use random number, called a digital token, for the customer's account number during the transaction. Working behind the scenes, the secure digital token acts just like a regular account number as it goes through the system and requires very little change in how customers and merchants operate. A customer's true account number is never present in the smartphone or in the merchant's system, preventing any malware residing on those systems from capturing that sensitive information in the first place.
    The implementation of these two technologies--EMV and tokenization--will require cooperation amongst the banks and merchants as the tangible benefits can only be achieved by moving in tandem.
    Turning to e-commerce, today customers provide personal financial and other data to e-commerce merchants, online wallets, alternative payment providers, merchant aggregators, and others. This proliferation of live sensitive customer account data increases the risk of breach-related fraud. When my bank recently sent me a new card after a compromise, I needed to update that card information on 47 different merchant and payment provider Web sites. In a tokenized environment, customer account data is held securely behind the bank firewalls and consumers won't need to update account information when cards are reissued.
    The scale of the payment system is enormous, with hundreds of millions of consumers, millions of merchants, thousands of banks and credit unions, and hundreds of networks and processors. The only way to gain broad adoption of a new technology such as tokenization is to develop an open standard that is scalable and widely adopted. Open standards promote innovation and allow customers and merchants to choose the best point-of-sale technology that works best for them.
    Two years ago, The Clearing House and its owner banks began working together to create an open tokenization standard that we call Secure Token Exchange. We are working with mobile wallets, networks, merchants, and payment processors to pilot and trial the standard. The initial pilot began late last year and we will soon expand the trial phase to encompass additional banks, merchants, and cities.
    This initiative has acted as a catalyst with an increasing number of payment system participants now working on tokenization. We remain very much at the center of this activity.
    For example, The Clearing House is now working with the card networks, standard bodies, merchants, and processors on digital tokenization efforts with the goal of upholding the core openness, safety, and soundness principles. We also joined the coalition referred to by the prior witness, a coalition of merchant and financial industry trade associations, to form a cybersecurity partnership.
    Thank you again for the opportunity to testify on these critical issues, and I would be happy to answer any questions you may have.
    [The prepared statement of Mr. Fortney can be found on page 54 of the appendix.]
    Chairwoman Capito. Thank you.
    Our final witness is Mr. Edmund Mierzwinski, consumer program director, U.S. PIRG.
    Welcome.

STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PIRG

    Mr. Mierzwinski. Thank you, Madam Chairwoman, Ranking Member Meeks, and members of the subcommittee.
    As I did at a Senate hearing last month, I want to try to shift the discussion from what it has been in the media anyway, which is simply data breach notification--I am glad today we are talking about a lot more than data breach notification--to many of the other issues surrounding data security.
    First, regarding the Target breach, I am very concerned that Target dragged out notification to consumers for a long time. If it was because of investigations conducted with law enforcement that is one thing, but if it is simply because they wanted to drag it out for a long time, I am very disappointed.
    I am also disappointed in the product that they gave consumers--credit monitoring lite, a product that only tells you if your Experian credit report has any changes made to it, but not if your other two major credit reports have any changes made on them. Further, in order to accept that product, even though it was free, consumers had to agree to a mandatory arbitration clause limiting their rights against Experian in the future, and that is simply unacceptable to me.
    But at the same time, I don't hold Target, Neiman Marcus, or any other company completely to blame for the breaches that have occurred in their stores or in their payment systems. The reason for that is they are working with the banks and the card networks, and the banks and the card networks are forcing them to use an obsolete payment system known as the mag-stripe card. For 50 years, or maybe 40 years, we have used the mag-stripe card without upgrading it.
    I am very pleased to hear that the banks are now talking about open standards to upgrade the systems out there. That is very encouraging to me. But for 40 years, they acted as monopolists with closed standards and required merchants to accept a card essentially like a car from the 1950s--no airbags, no ABS brakes, no additional safety features, no safety glass.
    Merchants were forced to continue to adopt new and different and ever-changing changes to their systems. It was just very difficult for them and it is not all the merchants' fault, and the banks need to be held accountable and the card networks that were formerly owned by the banks and still are largely controlled by the banks.
    I have in my written testimony 10 recommendations that I want to go through quickly.
    First, Congress should make all plastic equal. Credit cards are safe by law; debit cards have zero liability by promise only. Plus, with a debit card, again, you are required to use an unsafe system on the signature-based network instead of a PIN-based network.
    You are encouraged, anyway, to use it without a PIN, and that is just unfair and unreasonable to consumers who not only are breached, who will not only face the problem of fraud or identity theft, but also lose money from their existing account until the bank replaces it, if it honors the zero liability promise. So first, why shouldn't debit cards have the same consumer protection as credit cards?
    Second, be careful not to endorse any specific technologies. Go forward with open standards that push innovation and that all participants in the system are subject to the same rules. Previously, the banks have forced merchants to be subject to a different set of rules than they have been subject to, and companies that are under Gramm-Leach-Bliley are subject to a different set of rules than the merchants are subject to--an easier, softer set of rules.
    Third, look into whether the open standards bodies are truly open. I don't think they have been in the past; I am encouraged to think that they may be in the future.
    Fourth, Congress should stay away from an issue that has been debated in State legislatures, which is that banks try to get the merchants, by law, to pay all of their costs. They already do pay most of the banks' costs. It is impossible to do that by law.
    Finally, don't preempt the States.
Even if you come up with \na uniform standard, don\'t preempt the States. You don\'t need \nto. The States will move onto other issues as long as your \nstandard is good enough, but if it isn\'t, we need the States as \nfirst responders.\n    Make sure you allow for private enforcement by consumers of \nany law in State attorneys general as well as a good Federal \nlaw.\n    Don\'t include a harm trigger in your law. Force companies \nthat lost their information to tell us about it.\n    Investigate overpriced credit monitoring. I have already \ntalked about the fact that it is given for free to consumers, \nbut it is something the committee should investigate and the \nCFPB has been looking into quite a bit, as well.\n    Finally, Congress should investigate the over-collection of \nconsumer information generally on the Internet by companies we \ndon\'t even do business with--not only by our banks, and not \nonly by the retailers with whom we do business. There are \ndozens if not hundreds of additional business-to-business \ncompanies collecting information about us that are not \nregulated.\n    Thank you.\n    [The prepared statement of Mr. Mierzwinski can be found on \npage 73 of the appendix.]\n    Chairwoman Capito. Thank you very much, and I want to thank \nall of the witnesses.\n    I will yield myself 5 minutes to begin the questioning.\n    My first question is for Mr. Garcia. On the FS-ISAC, it is \na sharing organization with the financial services community, \nare there now private entities who are in that--retailers and \nsuch that are a member of that community or is it mostly just \nfinancial services?\n    Mr. Garcia. It is mostly financial services, although we do \nhave a retailer member now and we include insurance companies, \nand payment processors. Any organizations that have--that \nessentially are regulated as financial institutions or have \nbanking credit subsidiaries are eligible for membership in the \nFS-ISAC.\n    Chairwoman Capito. 
Would, say, like a Target be eligible \nfor membership to--\n    Mr. Garcia. Yes. And they are a member.\n    Chairwoman Capito. And they are a member.\n    Mr. Garcia. Yes.\n    Chairwoman Capito. So are you going to encourage other \nretailers--because obviously this is where the--some of the \nbreaches most recently have taken place--\n    Mr. Garcia. Absolutely. We have had a lot of conversations \nwith the retail sector, and certainly Target\'s membership in \nthe FS-ISAC, I think, serves as leadership and opportunity to \nbring on the broader retail sector, provided each individual \norganization is eligible for ISAC membership according to the \nregulatory status, as I mentioned.\n    Chairwoman Capito. All right. Thank you.\n    Mr. Fortney, you mentioned two different types of \ntechnologies, the EMV chip and the tokenization. Is anybody \nusing the tokenization now in the United States with whom we \nwould all be familiar?\n    Mr. Fortney. Tokenization has been used in what I would \ncall point-to-point or proprietary type of environments, but \nwhat is--\n    Chairwoman Capito. Give me an example of that.\n    Mr. Fortney. So, an example would be that instead of using \na true account number in a product that maybe one bank issues, \ninstead embed a digital token. That has been done. Or \nindividual merchants--\n    Chairwoman Capito. In financial transactions, not retail.\n    Mr. Fortney. Correct.\n    Chairwoman Capito. Okay.\n    Mr. Fortney. What is new with this is really talking about \nit in terms of an open standard that could be used widely in \nwhich everyone agrees to the same rules--\n    Chairwoman Capito. Is anybody outside the United States \nusing tokenization in a retail spectrum?\n    Mr. Fortney. I believe the United States is ahead in this \nparticular area, although there is a lot of interest for the \ntechnology globally, and some--\n    Chairwoman Capito. Okay.\n    Mr. Fortney. 
For instance, some of the institutions in our \nowner base do operate globally. They have strong interest in \nusing this technology across the globe.\n    Chairwoman Capito. Okay. The EMV chip is used in Europe, \ncorrect?\n    Mr. Fortney. That is correct.\n    Chairwoman Capito. Okay. Now I think I read this or heard \nthat Target--and I am using Target as an example, but it might \nnot be the correct example--had originally looked at the EMV \nchip as one of the mechanisms that they would use and actually \nmight have even used it at some point and then ceased using it. \nIs that correct?\n    Mr. Fortney. I read the same thing, and I think it really \ngoes to--it is really impossible for a single entity to \nintroduce a new technology in payment with--and have impact \nwithout moving in tandem with a number of other retailers at \nthe same time and the banks at the same time.\n    Chairwoman Capito. Yes. I think in that same article it \nsaid that it was discontinued because of the ease of service at \nthe checkout. It was holding people up for one reason or \nanother. Anyway, yes, I was just curious about that.\n    Mr. Leach, I know from our previous conversation when we \ntalked about the EMV chip, it is not the be-all and end-all to \nsolve these issues. Could you expound on that a little bit for \nus, please?\n    Mr. Leach. Sure. I would be happy to do so.\n    As you know, our PCI standards are applied in Europe \nalready today, and so we are looking at ways that we can remove \nthe exposure of card data. So in a chip transaction, mag-stripe \ntransaction, the card information is still exposed. And as Mr. 
\nNoonan in the previous panel explained, you can take that \ninformation and create fraud in online, telephone order, and \nother channels.\n    So our focus is on removing that card information \ncompletely from the merchant environment through tokenization, \npoint-to-point encryption, and other means, so as soon as the \ncustomer puts their information into a point-of-sale terminal, \nit is removed, and it is no longer available to the criminal if \nthey are able to get into that system.\n    Chairwoman Capito. Okay. We have been talking a lot about \ncards, and one of the things I mentioned in my opening \nstatement is my interest in mobile payments, and I don\'t think \nof those as cards, although they are attached to a card number.\n    What about security around these? Is that something that is \npart of what you are looking at for standards, Mr. Leach?\n    Mr. Leach. It is. And we think that this new, innovative \ntechnology--and there is actually going to be a press release \non the framework next week on this--is very exciting. We think \nthat by removing card data, we can actually improve the \nsecurity of mobile transactions, as well.\n    Chairwoman Capito. Okay. Thank you.\n    Mr. Meeks?\n    Mr. Meeks. Thank you, Madam Chairwoman.\n    And let me, as a guy who is not tech-savvy at all, say that \nI appreciate your testimony.\n    I guess I will start with Mr. Leach. Again, in trying to \nfigure out what we can do as Members of Congress, there is \ncurrently no Federal law establishing security standards that \nmerchants and data brokers are required to meet.\n    My first question is, does this matter? And what is the \nappropriate role of the Federal Government, in your estimation, \nin setting a dynamic and effective security standard, and what \nshould the private sector\'s role be?\n    And then, in light of the recent breaches at major U.S. \nretailers, do the existing PCI standards need to be updated?\n    Mr. Leach. 
I will start with the last question, because it \nis very interesting the timing of these breaches and our most \nrecent update to the standards. Many of the actual incidents \nthat are being reported in the media of how these criminals \nwere able to get into these systems are actually already \naddressed in our PCI standards today. When these forensic \ninvestigations are completed, they typically provide a report \nof what PCI requirements have failed in those environments in \norder for a criminal to actually access and steal consumers\' \ncardholder information.\n    There is enforcement of our standards in the industry \ntoday. It is by contract, so it is a financial institution and \ntheir contractual relationships with their merchants is how we \nenforce in our industry today.\n    For government involvement, I think the FS-ISAC and \ninformation-sharing so that we can take what we learn from \nthese investigations and put that into our standards is where \nwe need to have improvement. I think there has actually been in \nthe last couple of years more engagement between the government \nand the private sector, and we encourage that to go forward.\n    Mr. Meeks. Let me ask, I guess, Mr. Mierzwinski: You \ntestified today, as you did before the Senate Banking Committee \nin early February, where you urged that we should not embrace \nany specific technology but use and encourage the users to use \nthe highest existing standard to prevent by action of rules of \nexisting players from blocking additional technological \nimprovements and security innovations.\n    And I am listening, and I am hearing, on one end, and if I \nget a chance, I will ask Mr. 
Fortney about tokenization and how \nthat can become a large-scale viable--but could you please \nelaborate on some of the basic pros and cons of each smart chip \ncard variation, keeping in mind the differences in cost and the \nsusceptibility to fraud, and how any of the resulting fraud \nlosses are divided between merchants and card issuers and \nconsumers?\n    Mr. Mierzwinski. Thank you, Congressman. Again, today is \nreally the first time that I have heard the words ``open \nstandards\'\' from the bank and card network industry. They may \nhave talked about it in the past but I have understood the PCI \nstandards body to be totally controlled by the banks and the \ncard networks, and that has been harmful to innovation.\n    Today, EMV is kind of a standard, but it has different \nlevels of protection, and the card networks would like you to \nbelieve that they are moving toward something called ``chip and \nsignature,\'\' and that is good enough. But chip and signature is \ndesigned by them to ride on the old signature-based platform. \nAnybody can forge a signature.\n    Chip and PIN is a better solution. Tokenization is also a \nbetter solution to part of the problem. Online, using virtual \naccount numbers for each transaction, is another part of the \nsolution.\n    So I think as long as we are developing standards in a \ntruly open body where you can promote innovation, we are much \nbetter off.\n    Mr. Meeks. Mr. Fortney, would you alter your answer at all? \nWhat is your opinion on the same question?\n    Mr. Fortney. Yes, so, first of all, in the United States, \nas Mr. Mierzwinski points out, as the chip cards are introduced \nit is not necessarily going to be mandating a PIN. You can call \nit chip and choice, that there will be certain transactions \nthat require a PIN just as they do today, such as an ATM \nmachine or certain retailer transactions. 
Other transactions \nmay be requiring the signature, and certainly underneath a \ncertain dollar amount there may not be either of those.\n    But regardless of all that, that chip card is fundamentally \nmore secure than the mag-stripe card and is a big advance \nforward.\n    Mr. Meeks. Thank you.\n    Mr. Luetkemeyer [presiding]. Thank you.\n    With that, I will yield myself 5 minutes.\n    One of the things that is concerning to me is at this \npoint, from what I understand, the banks normally are the ones \nleft holding the bag normally whenever you have one of these \nbreaches, and is there something, Mr. Leach, in the discussion \nwith your group, to find a way to put some liability on the \nother--the merchant who didn\'t maybe have the latest technology \nor didn\'t exercise the greatest care with his data so that it \nwas breached? Or am I wrong on that? Is there a sharing of \nliability there?\n    Mr. Leach. The PCI Council is a technical standards body, \nso liability and all of the enforcement of our standards is \nmanaged through those banking relationships between the bank \nand the merchant. What we do is we try to remove that card \ninformation from ever being stored in a merchant location.\n    We heard from other Congressmen earlier who recognize that \nsecurity is a very hard thing to do day in and day out, and \nwhat we are trying to do, to the gentleman\'s point earlier \nabout tokenization, is remove cardholder data from ever being \nexposed in merchant locations so there is no longer an ability \nfor criminals to monetize that data.\n    Mr. Luetkemeyer. Mr. Garcia, is there a movement to have \nhigher standards for the merchants so that they share some of \nthe liability there?\n    Mr. Garcia. 
We discussed just this recent partnership \nconsortium that has been established between the financial \nservices sector and merchants and payment processors, and I \nthink that is going to go a long way to sort of gaining a \ncommon understanding as to what are our respective \nvulnerabilities, our respective responsibilities, and how do we \nwork together to stay ahead of the adversaries.\n    Mr. Luetkemeyer. Okay. You made mention a while ago that \nthere was a February agreement to that effect. Is that correct?\n    Mr. Garcia. That is correct, February 13th.\n    Mr. Luetkemeyer. Can you explain that just a little bit \nfurther?\n    Mr. Garcia. There are about a dozen industry associations \nthat are signatory to this. It is just in the beginning phases. \nIt is a partnership that is based on the recognition that we \nall--this is a shared challenge and therefore a shared \nresponsibility, and over the coming months we are going to be \nlooking into what are the various initiatives and programs we \ncan engage in together to think about not just new \ntechnological capabilities, but what are standards of practice? \nHow do we interact among each other to have a more secure \necosystem for the commercial and retail financial environments?\n    Mr. Luetkemeyer. Okay. Do you work with foreign countries, \nas well, foreign clearinghouses?\n    Mr. Garcia. No, not that I am aware of at this point. It is \nU.S.-based.\n    Mr. Luetkemeyer. Okay. With your chip technology changing--\nor perhaps changing--where do you go with that when it comes to \ndiscussing it with merchants who--for instance, if I want to \ntake a trip to Italy and now I want to use my credit card, how \nis that going to work if they don\'t have that same technology \nto be able to accept that card?\n    This is going to have to be worldwide, I assume. Either Mr. \nGarcia or Mr. Fortney here?\n    Mr. Fortney. 
You have hit upon an issue that has been out \nthere for people who travel from country to country, and maybe \nthe card technology they work in one country doesn\'t work fully \nin the other. There are a number of banks today that will issue \ncards that will work internationally, using EMV, and as the \nrest of the U.S. industry issues those cards over the next year \nor two, that problem should diminish greatly.\n    Mr. Luetkemeyer. One of the problems that we have is with \nconvenience comes more exposure, more risk, and that means more \nresponsibility on an individual\'s part, too. Is there something \nan individual can do to protect his cards, his information \nbetter by the way he uses it?\n    Mr. Fortney?\n    Mr. Fortney. You are asking an interesting question because \nI don\'t really put a lot of the responsibility on the end user. \nThe end user, when they are in a payments environment, they \nneed to enter their card information in the way in order to get \nthe purchase done. So I guess I would prefer to focus on what \nare ways that we can actually improve the system, get rid of \nthese card numbers and live static information out of the \nsystem and protect the consumers in that way?\n    Now, to further answer your question, sure there are some \nthings that we all would agree are very bad practices, like if \nyou have a PIN, don\'t write it on the back of your card, and if \nyou are missing a card or you see a fraudulent transaction, \nreport it promptly. I would encourage people to sign up for the \nmobile banking alerts that most financial institutions offer so \nthat you have rapid information if your card has been used, and \nif you don\'t recognize that transaction, take quick action.\n    Mr. Luetkemeyer. Does a consumer need to change his cards \nregularly? 
In other words, if I have a MasterCard, for \ninstance, do I need to call the company and say, once every 6 \nmonths get a new card with new numbers and--is that a \nprotection or is that just a waste of my time?\n    Mr. Fortney. I don\'t think that is really necessary because \nif your card number were to be breached then your institution \nwould most likely reissue that card. This really would be a \ntremendous hassle for a consumer to proactively go about asking \nfor a new card.\n    If you have reason to believe it has been breached, \nabsolutely, but not just as a preventative measure. I wouldn\'t \nrecommend that.\n    Mr. Luetkemeyer. My wife, this past couple of weeks, has \nbeen in a different State, and as a result, she has used her \ncredit card, and because it was a different State, immediately \nthe credit card company, zam, they said, ``Hey, your card is \nbeing used in a different State. Is this what you want to--are \nyou there or did somebody steal your card?\'\' It was very quick \nbecause the first transaction she did, immediately it was like \nthat, the thing popped up on our e-mail and I was immediately \nnotified to that effect.\n    It was very helpful and it is nice to know that they are \nthat quick to respond. So I guess that is another way that the \ncompanies are trying to prevent some folks from being abused \nwith regards to that.\n    Mr. Fortney. Yes, that is correct. And as you saw in your \npersonal experience, many of the banks--really all of the banks \nnow have this kind of fraud detection technology and they are \nlooking for anything that is outside of the pattern.\n    That can certainly create a hassle if you are traveling and \nit happens to you erroneously, but typically you can call and \nget that--verify the last transaction and the card gets opened \nup again for a full purchase.\n    Mr. Luetkemeyer. Very good. Thank you.\n    With that, we will move to the gentleman from Georgia, Mr. \nScott.\n    Mr. Scott. 
Thank you very much, Mr. Chairman.\n    Certainly, first, I just want to commend Mr. Leach and the \nPCI. I think you guys are on the right track in lessening the \navailable information out there for the bad guys to work with \nin the first place, and I encourage you to continue with that.\n    But what really disturbs me about this hearing is that \nearlier I asked the Secret Service and Homeland Security why \nthe United States was targeted, is there something other \nnations are doing that we are not doing, and their answer was \nnot an accurate one, if I may say, and I want to address that. \nBecause this is a serious problem and there is a reason why we \nare being targeted, and I want you all to respond to this.\n    The Economist, in its February 15th article, said that \nAmerica--this Nation, the United States--leads the world in \npayment card fraud. It is the only country in which counterfeit \ncard fraud is consistently growing. In fact, the United States \ncurrently accounts for nearly half--47 percent--of all global \npayment card losses.\n    It goes on to say, in part, that fraudsters target the \nUnited States because that is where the cards are. At the end \nof 2013 there were 1.2 billion debit, credit, and prepaid cards \nin circulation in America. That is over half of the 2 billion--\nmore than in any other region. That is nearly five cards per \nadult here.\n    But America also makes things easy for fraudsters. Alone \namong developed countries, it still relies exclusively on cards \nwith magnetic strips, which are far less secure than the chip \nand PIN technology used elsewhere. So clearly, the gentlemen \nwith Homeland Security and the Secret Service are probably not \naware of this.\n    But now that we are aware of this, Mr. 
Mierzwinski, let me \nask you, given this information from The Economist, given how \nbig this issue is, let me ask you: What makes the United States \npayment card so vulnerable to fraud more than any other nation, \nand what is it that we do differently than other countries \naround the world regarding this?\n    Mr. Mierzwinski. Mr. Scott, I think you answered the \nquestion already. I don\'t know how much I can add to it, but we \nare still using a 40- or 50-year-old magnetic stripe obsolete \ntechnology. We are now starting to move slowly toward chip and \nPIN, tokenization, virtual card numbers on the Internet, and \nother solutions that are going to be better.\n    But the second thing that we do in this country is we \naggressively rolled out debit cards to be used without PINs. \nWhen they were exclusively ATM cards they required a PIN, but \nthe big card networks wanted them to ride along on their \nsignature-based systems and so they said, ``Merchants and \nconsumers, use the unsafe product on the signature-based \nsystem.\'\'\n    So that is why we say, let\'s give consumers greater \nconsumer protection when they use debit cards. And let\'s go \nback to encouraging the use of PIN-based networks. There are \ncompetitor PIN-based networks but the big banks don\'t want you \nto use them because they don\'t own them.\n    Mr. Scott. I see.\n    Let me ask you this, because I am anxious--and all of us on \nthis committee are anxious--to see what we in Congress can do. \nSo let me ask you, is there any reason why Congress shouldn\'t \nmandate that payment card security standards use the most \neffective technology in the marketplace?\n    Mr. Mierzwinski. I agree with you on that completely, and I \nwill leave it up to your legislative counsel to help draft it, \nbut absolutely it should be a standard-based system that \npromotes the highest and most innovative standards.\n    Mr. Scott. 
And so don\'t you feel--let me just ask you this: \nWhy is it important, in your opinion--and others can comment on \nthis as well--for Congress to improve debit ATM card consumer \nrights and make all plastic equal?\n    Mr. Mierzwinski. Very simply, cards are not protected and \nyour bank account is not protected, and that is a real problem \nfor consumers. I believe that if the consumer rights were \nincreased to the level of credit cards--I only use credit \ncards, by the way, on the Internet, and I only use credit \ncards at the store. It is the safer way to go. But if debit \ncards had higher consumer rights that would focus the mind of \nthe banks on improving protections for those cards.\n    Mr. Scott. And you also mentioned that if fraud victims are \nreimbursed at what you refer to as zero liability, is this zero \nliability policy ubiquitous among all credit card and debit \ncard users?\n    Mr. Mierzwinski. As far as I--zero liability is something \nthat the debit card industry promotes. The credit card law \nmaximizes our liability at $50, but with a debit card, you \ncould lose all the money in your account under some \ncircumstances.\n    Mr. Scott. Okay. My--\n    Mr. Mierzwinski. But as far as I know, all the card \ncompanies do use zero liability but some have more asterisks, \nmore exceptions.\n    Mr. Scott. And so my final point is, because I think the \nAmerican people--I think this is a problem of soaring \nmagnitude, and we are going to be in trouble if we don\'t get a \nhandle on this. We in Congress, there is no national directive \nhere, so I just want to ask each of you, do you feel that the \nmost important thing we can do right now is this national \nbreach legislation that we have been talking about, that we \nhave a national standard, or do you see just leaving it at the \nState level--the various State levels, this hodge-podge that we \nhave?\n    Mr. Mierzwinski. 
If you are starting with me, I have \nalready testified that I think that we don\'t really need a \nnational standard, but if you do establish one--because a good, \nsmart company can just comply with the strongest State law, but \nif we are going to focus on that as part of the solution, just \ndon\'t preempt the States. Go to a high, good national standard. \nYou won\'t need to preempt the States.\n    Mr. Scott. Okay.\n    Anyone else?\n    Mr. Fortney. Yes. We would support a national standard. We \njust think the most efficient way to deal with these sorts of \nthreats is to be consistent and provide standard consumer \nprotection versus a haphazard, State-by-State approach.\n    Mr. Scott. Yes.\n    Mr. Garcia?\n    Mr. Garcia. Yes. I would agree with that. I think if you \nhave 40-plus State laws that differ in various respects as to \nwhat are the requirements for breach notification, it doesn\'t \nnecessarily improve consumer protection to have multiple \ndifferent forms of communication, and to the extent that you \ncan standardize that kind of communication to the consumer base \nnationally, I think that would be more effective and less \ncostly.\n    Mr. Scott. Okay. Thank you.\n    Mr. Leach, would you--\n    Mr. Leach. Consistency is good. Again, we need to find ways \nto get after these bad guys and remove the monetization of card \ndata, period.\n    Mr. Scott. Okay.\n    Thank you very much, Mr. Chairman. I appreciate the extra \ntime.\n    Mr. Luetkemeyer. Thank you.\n    I just have one follow-up question here, and then I think \nwe are done for the day and we will let you guys go.\n    We have seen in the last year or so a number of breaches, \nand my concern is, how many more are yet to come? And as a \nresult of that, when are we going to get some action taken to \nstop this?\n    And so if you could answer those two questions succinctly \nhere, we will start with Mr. Mierzwinski?\n    Mr. Mierzwinski. I apologize--\n    Mr. Luetkemeyer. 
I guess the question is, how susceptible \nare we to further breaches, and then where are we going to be 5 \nyears from now? Are we going to take action?\n    Mr. Mierzwinski. I think that further breaches are going to \noccur. I just saw Brian Krebs who is tweeting that--he is the \nguy who broke the Target story; he is a cyber journalist, I \nguess--that there was another breach today of a beauty company. \nAnd so, there will be continued breaches. The question is, what \ndo we do about them?\n    Five years from now, I predict we are going to have a much \nmore sophisticated system. There is innovation coming from \nphone companies, coming from Internet companies, coming from \nalternatives. It is going to force the banks to do a better \njob.\n    Mr. Luetkemeyer. Mr. Fortney?\n    Mr. Fortney. I would agree with most of that. I think it is \nnot just on the banks, however.\n    It is really on the banks and the merchants and everyone to \nwork together to introduce these new technologies. It can\'t be \ndone from one side.\n    Mr. Luetkemeyer. Mr. Garcia?\n    Mr. Garcia. Asking when we are going to stop cyber attacks \nis tantamount to asking when we are going to stop crime. It is \nan ongoing challenge. As long as there is technological \ninnovation, there is technological innovation on the side of \ncriminals as well, finding ways to exploit that.\n    So, as I mentioned before, it isn\'t just about technology, \nbut it is about your practices and your information-sharing and \nyour collaboration. We are all in this together and no single \none of us is as smart as all of us combined, and that is really \nwhat the FS-ISAC is here to talk about today is how we \ncollaborate when those technological solutions aren\'t going to \nfully protect us, but what can we do together as a team.\n    Mr. Luetkemeyer. I guess the follow-up to you would be, \nokay, we recognize we have a problem. Your group is one who \ntries to solve a problem. 
Are you going to kick it into another \ngear to get this done ASAP?\n    Mr. Garcia. As a matter of fact, we have initiated a new \nprogram that tries to automate--that does automate our \nintelligence and information-sharing and incident response, \nbecause as we know, many cyber attacks happen at Internet \nspeed, and as long as we are operating at human speed, we are \none step behind. So we have invested quite a lot of resources--\nFS-ISAC and its membership--in developing--in automated tools \nusing standardized language for how we characterize threats and \nattacks such that the front-line cyber operators and analysts \nwho are protecting our systems are able to make decisions in a \nmore real-time way and take action in a more real-time way \nagainst those threats and attacks.\n    Mr. Luetkemeyer. Very good.\n    Mr. Leach?\n    Mr. Leach. I would say we can\'t address 2014 threats with \n2004 controls. We need to remove the legacy systems that we \nhave--and part of that is legacy business process and educating \nmerchants that there is no longer a need to store cardholder \ninformation beyond the point of getting an authorization.\n    I think with the legacy systems that we have today, there \nis opportunity for us to improve. You asked about what we will \nsee in about 5 years. I see us no longer having this valuable \ncard information for criminals to attack. That is where I hope \nwe are going to be in 5 years.\n    Mr. Luetkemeyer. I thank each of the witnesses for being \nhere today. As you can see, we are very concerned on this side \nof the table with regards to the privacy of information and the \nprivacy of financial transactions that take place with our \nconsumers and our constituents and the people of this country.\n    And so, we want to work with you. 
If you can continue to
work with us to point out places where we can be of help, we
certainly want to look for that.
    And again, I thank the chairwoman for the opportunity to
have this hearing.
    The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
    With that, the hearing is adjourned.
    [Whereupon, at 1:09 p.m., the hearing was adjourned.]


                            A P P E N D I X



                             March 5, 2014


[GRAPHIC] [TIFF OMITTED] T8530.001 through T8530.093 (93 appendix
images, not reproduced in this text version)
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>