[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
   PROTECTING YOUR PERSONAL DATA: HOW LAW ENFORCEMENT WORKS WITH THE 

                  PRIVATE SECTOR TO PREVENT CYBERCRIME
=======================================================================



                             FIELD HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY,

                       INFRASTRUCTURE PROTECTION,

                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 16, 2014

                               __________

                           Serial No. 113-65

                               __________

       Printed for the use of the Committee on Homeland Security

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________



                  U.S. GOVERNMENT PRINTING OFFICE
88-784                    WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402


                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Filemon Vela, Texas
Lou Barletta, Pennsylvania           Eric Swalwell, California
Richard Hudson, North Carolina       Vacancy
Steve Daines, Montana                Vacancy
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Vacancy
                   Brendan P. Shields, Staff Director
          Michael Geffroy, Deputy Staff Director/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                 Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama                 Yvette D. Clarke, New York
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Jason Chaffetz, Utah                 Filemon Vela, Texas
Steve Daines, Montana                Vacancy
Scott Perry, Pennsylvania, Vice      Bennie G. Thompson, Mississippi 
    Chair                                (ex officio)
Michael T. McCaul, Texas (ex 
    officio)
               Alex Manning, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk



                            C O N T E N T S

                              ----------                              

                               STATEMENTS

The Honorable Patrick Meehan, a Representative in Congress From 
  the State of Pennsylvania, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies
The Honorable Mike Fitzpatrick, a Representative in Congress From 
  the State of Pennsylvania

                               WITNESSES
                                Panel I

Mr. Ari Baranoff, Assistant Special Agent In Charge, Criminal 
  Investigative Division, United States Secret Service:
  Oral Statement
  Prepared Statement
Mr. Richard P. Quinn, Assistant Special Agent In Charge, 
  Philadelphia Field Office, Federal Bureau of Investigation:
  Oral Statement
  Prepared Statement
Mr. John J. ``Jack'' Whelan, District Attorney, Delaware County, 
  Pennsylvania:
  Oral Statement
  Prepared Statement

                                Panel II

Mr. Frederick ``Ted'' Peters, Chairman and CEO, Bryn Mawr Trust:
  Oral Statement
  Prepared Statement
Mr. Thomas Litchford, Vice President of Retail Technology, 
  National Retail Federation:
  Oral Statement
  Prepared Statement
Mr. Matthew Rhoades, Director, Cyberspace and Security Program, 
  Truman National Security Project and Center for National 
  Policy:
  Oral Statement
  Prepared Statement


   PROTECTING YOUR PERSONAL DATA: HOW LAW ENFORCEMENT WORKS WITH THE 
                  PRIVATE SECTOR TO PREVENT CYBERCRIME

                              ----------                              


                       Wednesday, April 16, 2014

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                  Philadelphia, PA.
    The subcommittee met, pursuant to call, at 10:18 a.m., at 
the Paul Peck Alumni Center, Drexel University, 3142 Market 
Street, Philadelphia, PA, Hon. Patrick Meehan [Chairman of the 
subcommittee] presiding.
    Members present: Representatives Meehan, Fitzpatrick, and 
Clarke.
    Mr. Meehan. The Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies will come to order. We are waiting for a 
moment, although we will begin, because by the time I am 
concluded with our opening statements and other things--my 
partner, Ms. Clarke, the Ranking Member from New York, had a 
little bit of trouble with the trains this morning, but she is, 
I know, out of the train and on her way up, so I think we will 
try to get the hearing started, and I will look forward to 
having her make her opening statement as soon as we begin.
    I am--want to first express my deep appreciation to Drexel 
University for allowing us to use this beautiful venue for this 
hearing, and to also take a moment to plug the tremendous work 
that Drexel University is doing with the creation of their new 
cyber institute, which is not only using research and 
development to work with--the educational sector to work with 
the private sector and the Government sector in identifying the 
newest and best ways to deal with the threat of cyber--with 
cybersecurity, and dealing with the threats to information, but 
they are also going to be training the next generation of 
participants in the process of helping us to create better 
protections. I think it is a remarkable new area, and we are 
very grateful to have that kind of a commitment here in this 
region. I know it is something shared with other universities 
as well, but particularly what Drexel is doing is noteworthy 
around the country.
    I also have to make note of this, guys, and it is not 
customary, because of the angles of the sun, it is generally 
law enforcement that has people locked in rooms with lights 
shining in their faces. Then they, you know, then they ask the 
tough questions. So this is kind of turnabout. We will have to 
see how you enjoy that aspect of it.
    At this moment I am going to ask unanimous consent for 
Congressman Mike Fitzpatrick to participate in the hearing. 
Hearing no objection, so ordered. I want to express my deep 
appreciation to Congressman Fitzpatrick, not only for the work 
that he does in the broad spectrum of issues for our region, 
but because Congressman Fitzpatrick is growing in his 
importance on the Financial Services Committee. This is an area 
in which he has been spending time as well, and I am very 
grateful for his participation. When my colleague, Ms. Clarke, 
arrives, I will take a moment to comment on our relationship. 
But allow me to begin by doing an opening statement.
    I want to welcome all of the witnesses, and extend my 
thanks for participating in today's hearing, and I appreciate 
the effort taken on behalf of all of those involved in this 
important field hearing. This is an official Congressional 
hearing, as opposed to a town hall meeting, or something else 
that we would traditionally do, so we have to abide by certain 
rules of the Committee on Homeland Security, and the House of 
Representatives. This is as if we are sitting in the House 
today, so photography, and cameras and other things are limited 
to accredited press, and we want to make sure that we respect 
the decorum and the rules of the committee.
    I am going to give my colleague a moment to collect herself 
as I do my opening statement, but I would also--I did want to 
take a moment while Congresswoman Clarke was here to share with 
you--we have had the great fortune to be working together for 
much of the last term on this important committee. While, 
certainly, there are a few occasions where we have to zealously 
argue for our philosophical positions, the fact of the matter 
is it has been a remarkable working relationship. We have had 
the ability to collectively identify and work on a number of 
issues with respect to cybersecurity, including some very 
substantial legislation that has passed the committee 
unanimously, and in a bipartisan fashion, and has been a real 
joy to be able to work with Congresswoman Clarke in this 
capacity. I want to express my deep appreciation for you taking 
the time to come down from New York to join with us today at 
this field hearing. So I will recognize myself for an opening 
statement.
    Recent cyber breaches at retailers, including Target, 
Neiman Marcus, and Michael's, have once again brought the 
public's attention to the threat of criminals accessing their 
personal information. Unfortunately, such data breaches are 
neither new nor rare. The Target attack alone compromised the 
information of approximately 110 million consumers, and it 
could be months, or even years, before we know how many of 
those customers will eventually be victims of fraud. In 2012, 
an estimated 16.6 million Americans experienced identity theft, 
costing consumers nearly $25 billion, so this problem is not 
going away. Just last week many people learned about the so-
called Heartbleed vulnerability that affects the encryption 
software used in many e-commerce sites.
    While fraud is nothing new, the techniques and scope have 
risen to a new level. Our increasingly interconnected world, 
and the advancement of on-line shopping and banking, has made 
our lives much more convenient, but it has also meant that a 
sophisticated criminal can steal your account information 
without ever being in the country. In fact, the biggest hotbed 
of hackers is in Eastern Europe, where criminals can buy, sell, 
and trade various pieces of software used to attack systems and 
steal information.
    The question then becomes: What is being done about it? 
From the retailers responsible for protecting the information 
in their systems, to the banks who are liable for fraudulent 
charges, to law enforcement at every level, and that means 
local, State, and Federal, who are charged with going after the 
criminals, all of the stakeholders here play a role, and are 
working hard to counter cyber fraud and identity theft. I add 
that this is an issue that is well within the boundaries of our 
committee, and I am pleased to be able to work with 
Congresswoman Clarke as we engage in a series of hearings that 
will unfold in dealing with this important question.
    Consumers must also do their part to protect themselves. 
Simple steps to increase cyber hygiene including creating 
strong passwords and changing them regularly, using anti-virus 
software, and keeping it updated, and most importantly, keeping 
an eye out for suspicious activity on your computer, and in 
bank accounts. So I am looking forward to hearing from all of 
our witnesses about the outreach they do to inform consumers to 
better protect themselves.
    Our first panel of witnesses is directly responsible for 
investigating cyber crimes at the Federal and local level. In 
addition to its role as the lead agency investigating the 
recent retail breaches, we will hear from the Secret Service 
about the tools at their disposal, including the National Cyber 
Forensics Institute, which trains local law enforcement 
officials to investigate and prosecute cyber crimes, the Cyber 
Intelligence Section that collects, analyzes, and disseminates 
data, and the Electronic Crimes Task Force, that brings 
together law enforcement, academia, and the private sector to 
combat computer-based threats to our financial systems and 
critical infrastructure.
    Similarly, I am pleased to have the Federal Bureau of 
Investigation, who will testify about their role in 
investigating cyber-related crimes, and about the National 
Cyber Investigative Joint Task Force, which was created in 
partnership with the Department of Defense and the intelligence 
community, also including law enforcement and the private 
sector, to coordinate and share information. That is critical 
as we deal with real-time transactions.
    We are also going to hear from the local level, which is 
vitally important, and I am pleased that District Attorney Jack 
Whelan of Delaware County is able to be here, and he has a 
criminal investigation division which leads local efforts to 
fight cyber crime. District Attorney Whelan will share with us 
thoughts on how he uses his resources to deal with the 
investigations which have an effect on the community, and then, 
in addition, how we are doing at the Federal level in 
coordinating and helping to engage those resources at the local 
level.
    Our second panel will discuss efforts in the private sector 
to prevent and respond to cyber attacks. They are the ones on 
the front lines, fighting the problem, and continue to suffer 
significant financial losses. I know we will likely hear, 85 
percent of the assets that are engaged in the world of cyber 
are in the hands of private entities. This partnership is more 
critical than perhaps any other area. I am particularly 
interested in hearing from them about how they interact with 
law enforcement, and how we can help protect their customers. I 
look forward to hearing from all of our witnesses today, and 
want to thank everybody for their attendance.
    Let me just conclude by saying one last thing. There are so 
many different aspects of cyber. You know, we deal with the 
threat of terrorism on a regular basis. We have State-sponsored 
activities, which is quite sophisticated, and often deals with 
the question of cyber espionage, and other kinds of things. 
There is the reality that the cyber world is a new dimension 
for warfare. In fact, there is a great deal of activity that 
takes place with the Department of Defense, the intelligence 
community, and others that operate in that domain.
    But today we are focused on, how does this question come 
back to the local level, to the local consumer, to the person 
out there, to the small businessman, to the community banker? 
Because in the aftermath of the major issues that we have 
recently seen, such as Target, we realize that real lives are 
affected, and so our purpose today is to focus in that unique 
area, and I am grateful for the tremendous witnesses we have.
    So I now recognize the Ranking Minority Member of the 
subcommittee, the gentlelady from New York, Ms. Clarke, for any 
statement she may have.
    Ms. Clarke. I want to thank you, Mr. Chairman, for holding 
this field hearing in Philadelphia today, a place I know that 
is close to your heart, and I might say the City of Brotherly, 
and I might add ``Sisterly'', Love, here on the campus of 
Drexel University. It is certainly my honor and privilege to 
come, and to hear from the witnesses today, and to thank you 
for taking us into the field, where we will have an opportunity 
to really reflect on how this type of cyber activity impacts on 
our local communities.
    Modern-day criminals increasingly rely on the internet and 
advanced technologies to spread their criminal operations. I 
think everyone would agree that the internet technology has now 
emerged as a key factor for the majority of organized crime 
activity. For instance, criminals can leverage the properties 
of the internet to carry out traditional street crime, such as 
distributing illicit drugs and sex trafficking. But what we are 
here to talk about today is how criminals exploit the digital 
world to assist crimes that are often technology-driven, 
including identity theft, payment card fraud, and intellectual 
property theft.
    As we will hear today, the FBI considers high-tech crimes 
to be the most significant crimes confronting the United States 
as a Nation, and we, on the subcommittee, have shown an 
increasing interest in guaranteeing the Federal Government has 
the tools and capabilities to combat modern-day crime, 
particularly those with cyber components, while safeguarding 
privacy rights.
    Today's cyber criminals make their crimes more profitable 
by choosing specialties, and creating cyber networks of 
colleagues. These types of criminals can victimize individuals 
and organizations alike. They generally are motivated by self-
interest and profit, but cyber crimes can have public health 
and National security consequences, especially when cyber 
crimes are directed towards critical infrastructure, such as 
our hospitals, water systems, Governmental entities, or our 
Nation's financial systems.
    U.S. officials face the challenging task of identifying the 
perpetrators of malicious cyber incidents, in which victim and 
criminal can be far removed from one another. The person or 
persons behind an incident can range from lone actors to 
expansive criminal networks, or even nation-states. This 
challenge of attribution is further compounded by the anonymity 
afforded by the digital realm.
    It can sometimes be difficult to determine the actor's 
motivation. Is the criminal driven by greed or glory, in the 
forms of recognition among fellow criminals in the cyber world, 
or does the criminal have broader ideological motives? Finding 
the answers to these questions is key to distinguishing between 
cyber crimes and other cyber threats, such as cyber attacks, 
cyber espionage, and cyber warfare. Relevant distinctions exist 
between these various malicious activities in the cyber domain, 
just as lines have been drawn between their real-world 
counterparts, and today's hearing will help us understand those 
distinctions.
    In July 2011 the Obama administration released a strategy 
to combat transnational organized crime, addressing converging 
threats to National security. This strategy provides the 
Federal Government's first broad conceptualization of 
transnational organized crime, highlighting it as a National 
security concern. It highlights 10 primary threat categories 
posed by transnational organized cyber crime, penetration of 
state institutions, corruption, and the threats to governance, 
threats to the economy, threats to U.S. competitiveness in 
strategic markets, the nexus between criminals, terrorists, and 
insurgents, expansion of drug trafficking, human smuggling, 
trafficking in persons, weapons trafficking, intellectual 
property theft, and finally, cyber crime.
    The President's strategy outlies, excuse me, outlines key 
actions to counter the range of threats posed by building 
international capacity, cooperation, and partnerships, and 
taking shared responsibility to identify what actions Federal, 
State, and local entities can take to protect against the 
threat, and impact on transnational cyber crime.
    We are here today to discuss complex prosecutorial and 
investigative problems that face law enforcement officials and 
companies when dealing with cyber crime, and I look forward to 
your testimony. With that, Mr. Chairman, I yield back.
    Mr. Meehan. I want to thank the Ranking Member for her 
opening statement, and I want to express now my deep 
appreciation to my colleague from Bucks County, Congressman 
Fitzpatrick, for joining us today, and I recognize him for any 
opening statement he may like to make.
    Mr. Fitzpatrick. This is an issue that affects just about 
every sector of our lives, sector of our industry. As the 
Chairman did thank Drexel University, not only for hosting us, 
but for your interest in the issue of cyber terrorism, for what 
you have done so far in teaching students, and being involved 
in the community, and what we know you will continue to do in 
the future.
    The committee on which I serve, which is Financial 
Services, held a subcommittee hearing on this exact subject 
just last month, and we were also joined at the subcommittee 
hearing by law enforcement and financial service industry 
representatives, and it was a really informative hearing.
    The subject of this morning's hearing is an important 
subject that we cannot spend enough time on. Cybersecurity has 
privacy, financial, law enforcement, and, quite frankly, 
National defense implications. This is a critical issue that is 
not only--that is only going to grow in importance as we come 
to rely even more on digital and cyber infrastructure, and 
cyber transactions.
    During the Financial Services hearing I mentioned, the 
feedback that I was hearing, and from small community financial 
institutions back home in my district in Bucks County, 
Pennsylvania, was how they and their customers are increasingly 
concerned about cybersecurity. For them, the cost is not just 
the money that is stolen, but they are also responsible for 
notifying customers and for replacing credit cards and debit 
cards after the incident occurs. That takes manpower. That has 
material costs. These costs are borne by financial institutions 
of all sizes, but are disproportionately burdensome to 
community banks and small financial institutions, and credit 
unions as well.
    Protecting personal information and financial data is a 
shared responsibility. It is going to take collaboration and 
cooperation among retailers, private institutions, and 
financial service providers. As this hearing will explore, the 
Government has an important role to play not only in law 
enforcement, but ensuring that individuals, businesses, and 
public property are protected. After all these are homeland 
security issues. It is not just criminals who are seeking to 
exploit security lapses, but also nation-states, and non-state 
enemies of the United States who could, and have, attacked our 
banking sectors, as well as other critical infrastructure 
areas.
    So, again, I am very interested in this topic. I appreciate 
the Chairman calling the hearing here in the City of Brotherly 
Love, the city of Philadelphia. We are all looking forward to 
the testimony of the two panels today, and I appreciate the 
chance to participate.
    Mr. Meehan. I thank the Congressman for being here. We are 
pleased as well to have two distinguished panels of witnesses 
before us today on this important topic. I am going to 
introduce the first panel, and then recognize each of you for 
your testimony.
    First, to my left, is Mr. Ari Baranoff. He is an assistant 
special agent in charge of the criminal investigative division 
with the United States Secret Service. Mr. Baranoff has had 
over 19 years of Federal law enforcement experience, the 
majority of which has been with the Secret Service. He is 
currently assigned to the Secret Service headquarters in 
Washington, DC, and is the manager of the cyber investigations 
branch, where he has overseen the investigation and capture of 
the Secret Service's most wanted financial criminals.
    Prior to assuming command of the cyber investigations 
branch, Mr. Baranoff led the New York Electronic Crimes Task 
Force, and it is a--I am greatly appreciative that you would 
travel from Washington to be with us here today. All of our 
witnesses are among the Nation's top experts in these areas.
    Richard Quinn, from the Federal Bureau of Investigation, is 
an assistant special agent in charge here in the Philadelphia 
field office. He focuses on National security issues. Prior to 
his work in the Philadelphia field office, Mr. Quinn was an FBI 
counterterrorism agent in New York. Mr. Quinn witnessed the 
horrific attacks on the World Trade Center on September 11, 
2011, and was one of five agents assigned to the primary team 
to investigate the aftermath. That is the kind of an incident 
that always lingers in our minds, and I think one day after the 
first anniversary of the Boston bombings as well, we still live 
with a very real recognition that--a lot of why we are here 
today, and the great work you are doing protecting our homeland 
from the threat of terror, in addition to things like the cyber 
threat.
    Here from the local law enforcement community, representing 
his colleagues from across the region, is district attorney for 
Delaware County, Pennsylvania, Jack Whelan. Jack was elected in 
November 2011. As a district attorney, DA Whelan is responsible 
for the prosecution of criminal offenses within the 
jurisdiction of Delaware County, including homicides and drug 
enforcement, as well as cyber crime. Before becoming district 
attorney, Mr. Whelan served as the chairman of the Delaware 
County Council, where he took a lead on many public safety 
issues that focused on homeland security. I might add, the 
Internet Crimes Against Children Task Force is housed in the 
District Attorney's Office for the State-wide region in 
Delaware County, and it has been a mechanism by which that 
office, working with a consortium, has been at the cutting edge 
of cyber investigations across the board.
    So I want to thank all of you for being here. The full 
written statements of the witnesses will appear in the record. 
So we don't have the usual demands that we might customarily 
have because of the size of our committee here this morning, 
but I will still ask you to do your best to stay within the 
time frames, to the extent that you can. So, at this point, I 
will recognize Mr. Baranoff for your opening statement.

 STATEMENT OF ARI BARANOFF, ASSISTANT SPECIAL AGENT IN CHARGE, 
 CRIMINAL INVESTIGATIVE DIVISION, UNITED STATES SECRET SERVICE

    Mr. Baranoff. Thank you, sir. Good morning, Chairman 
Meehan, Ranking Member Clarke, and distinguished Members of the 
subcommittee. Thank you for the opportunity to testify here at 
Drexel University on behalf of the Department of Homeland 
Security regarding the cyber crime threats our Nation faces, 
and how law enforcement works with the private sector to 
prevent cyber crime.
    Our modern financial system depends on information 
technology for convenience and efficiency. Accordingly, 
criminals motivated by greed have adapted their methods, and 
are increasingly using cyber space to exploit our Nation's 
financial payment systems to engage in fraud and other illicit 
activities. The widely-reported payment card data breaches of 
Target, Neiman Marcus, White Lodging, and other retailers are 
just recent examples of this trend. The U.S. Secret Service is 
investigating these recent data breaches, and we are confident 
that we will bring the criminals responsible to justice.
    However, what you don't hear in the news coverage is the 
numerous data breaches the Secret Service prevents by 
discreetly working with businesses to disrupt and thwart the 
plans of cyber criminals. This year is the 30th anniversary of 
when Congress first defined as specific Federal crimes both 
unauthorized access to computers and access device fraud, while 
explicitly assigning the Secret Service authority to 
investigate these crimes. Over the past 3 decades the Secret 
Service has continuously innovated in how we investigate these 
crimes to defeat the criminal organizations responsible for 
major data breaches.
    In support of the Department of Homeland Security's mission 
to safeguard and secure cyber space, the Secret Service uses a 
variety of investigative methods to develop information 
regarding the most capable cyber threat actors. To prevent 
losses, we share information with victim companies of on-going 
or planned network intrusions to prevent any financial losses.
    To accomplish this mission, the Secret Service currently 
operates a network of 35 electronic crimes task forces, which 
in 2001 Congress assigned the mission of preventing, detecting, 
and investigating various forms of electronic crimes, including 
potential terrorist attacks against critical infrastructure and 
financial payment systems. In addition, through our 
department's National Cybersecurity and Communications 
Integration Center, the NCCIC, the Secret Service also widely 
shares technical cybersecurity information, while protecting 
civil rights and civil liberties in order to enable other 
organizations to reduce their cyber risks by mitigating 
technical vulnerabilities. As a result of our cyber crime 
investigations over the past 4 years, the Secret Service has 
arrested nearly 5,000 cyber criminals. In total, these 
criminals were responsible for over a billion dollars in fraud 
losses. We estimate our investigations prevented over $11 
billion in fraud losses.
    Secret Service is committed to building the cybersecurity 
capacity of our Nation, and developing a greater understanding 
of cybersecurity threats. Universities and research 
institutions like Drexel, and its recently-opened cybersecurity 
institute, are critical partners of the Secret Service in these 
efforts. Drexel University continues to be a valued member of 
our Philadelphia Electronic Crimes Task Force, and this highly-
productive partnership is an excellent example of the sort of 
relationships the Secret Service has developed with over 200 
academic institutions Nation-wide to our electronic crimes task 
forces. The Secret Service also partners with the private 
sector and academia to research cyber threats, and publish 
information on cyber crime trends, through reports like the 
Carnegie-Mellon CERT Insider Threat Study, the Verizon Data 
Breach Investigations Report, and the Trustwave Global Security 
Report.
    Secret Service develops the capability of State and local 
law enforcement to investigate cyber crime. At our National 
Computer Forensics Institute in Hoover, Alabama, the Secret 
Service trains hundreds of State and local law enforcement in 
methods for investigating cyber crime. Since opening in 2008, 
the institute has held over 150 cyber and digital forensics 
courses in 16 separate subjects, and trained and equipped more 
than 3,000 police investigators, prosecutors, and judges from 
all 50 States, and three U.S. territories. These graduates 
represent more than 1,000 agencies Nation-wide, and include 52 
law enforcement officials right here in the Philadelphia 
Metropolitan area.
    Secret Service has a long history of protecting our 
Nation's financial system from threats. In 1865 the threat we 
were founded to address was that of counterfeit currency. As 
our financial payment system has evolved from paper, to 
plastic, to now digital information, so too has our 
investigative mission. The Secret Service is committed to 
continuing to protect our Nation, even as criminals 
increasingly use cyber space to engage in criminal activity.
    Thank you for the opportunity to testify on this important 
topic, and I look forward to your questions.
    [The prepared statement of Mr. Baranoff follows:]
                   Prepared Statement of Ari Baranoff
                             April 16, 2014
    Good morning Chairman Meehan, Ranking Member Clarke, and 
distinguished Members of the subcommittee. Thank you for the 
opportunity to testify here at Drexel University on the risks and 
challenges the Nation faces from cyber crime and the importance of 
partnering with the private sector to address these challenges. Based 
on the United States Secret Service's (Secret Service) 3 decades of 
experience investigating cyber crime and the understanding we have 
developed regarding the modern transnational organized cyber crime 
threat to our Nation, I hope to provide this subcommittee useful 
insight into these issues from a Federal law enforcement perspective.
                     the role of the secret service
    The Secret Service was founded in 1865 to protect the U.S. 
financial system from the counterfeiting of our National currency. As 
the Nation's financial system evolved from paper to plastic to 
electronic transactions, so too has the Secret Service's investigative 
mission. Today, our modern financial system depends heavily on 
information technology for convenience and efficiency. Accordingly, 
criminals have adapted their methods and are increasingly using cyber 
space to exploit our Nation's financial payment system by engaging in 
fraud and other illicit activities. This is not a new trend; criminals 
have been committing cyber financial crimes since at least 1970.\1\
---------------------------------------------------------------------------
    \1\ Beginning in 1970, and over the course of 3 years, the chief 
teller at the Park Avenue branch of New York's Union Dime Savings Bank 
manipulated the account information on the bank's computer system to 
embezzle over $1.5 million from hundreds of customer accounts. This 
early example of cyber crime not only illustrates the long history of 
cyber crime, but the difficulty companies have in identifying and 
stopping cyber criminals in a timely manner--a trend that continues 
today.
---------------------------------------------------------------------------
    Congress promulgated 18 USC §§ 1029-1030 as part of enacting the 
Comprehensive Crime Control Act of 1984. Those subsections explicitly 
assigned the Secret Service authority to investigate these criminal 
violations.\2\ They first established as specific Federal crimes 
unauthorized access to computers \3\ and the fraudulent use, or 
trafficking of, access devices \4\--defined as any piece of information 
or tangible item that is a means of account access that can be used to 
obtain money, goods, services, or other thing of value.\5\
---------------------------------------------------------------------------
    \2\ See 18 USC §§ 1029(d) & 1030(d)(1).
    \3\ See 18 USC § 1030.
    \4\ See 18 USC § 1029.
    \5\ See 18 USC § 1029(e)(1).
---------------------------------------------------------------------------
    Secret Service investigations have resulted in the arrest and 
successful prosecution of cyber criminals involved in the largest known 
data breaches, including those of TJ Maxx, Dave & Buster's, Heartland 
Payment Systems, and others. Over the past 4 years Secret Service cyber 
crime investigations have resulted in over 4,900 arrests, associated 
with approximately $1.37 billion in fraud losses and the prevention of 
over $11.24 billion in potential fraud losses, with a 99.5% conviction 
rate in cases that go to trial. Through our work with our partners at 
the Department of Justice (DOJ), in particular the local U.S. Attorney 
Offices, the Computer Crime and Intellectual Property Section (CCIPS), 
the International Organized Crime Intelligence and Operations Center 
(IOC-2), and others, we are confident we will continue to bring the 
cyber criminals that perpetrate major data breaches to justice.
                  the transnational cyber crime threat
    Advances in computer technology and greater access to personally 
identifiable information (PII) via the internet have created on-line 
marketplaces for transnational cyber criminals to share stolen 
information and criminal methodologies. As a result, the Secret Service 
has observed a marked increase in the quality, quantity, and complexity 
of cyber crimes targeting private industry and critical infrastructure. 
These crimes include network intrusions, hacking attacks, malicious 
software, and account takeovers leading to significant data breaches 
affecting every sector of the world economy. The recently reported data 
breaches of Target and Neiman Marcus are just the most recent, well-
publicized examples of this decade-long trend of major data breaches 
perpetrated by cyber criminals who are intent on targeting our Nation's 
retailers and financial payment systems.
    The increasing level of collaboration among cyber criminals allows 
them to compartmentalize their operations, greatly increasing the 
sophistication of their criminal endeavors as they develop expert 
specialization. These specialties raise both the complexity of 
investigating these cases, as well as the level of potential harm to 
companies and individuals. For example, illicit underground cyber crime 
marketplaces allow criminals to buy, sell, and trade malicious 
software, access to sensitive networks, spamming services, payment card 
data, PII, bank account information, brokerage account information, 
hacking services, and counterfeit identity documents. These illicit 
digital marketplaces vary in size, with some of the more popular sites 
boasting membership of approximately 80,000 users. These digital 
marketplaces often use various digital currencies, and cyber criminals 
have made extensive use of digital currencies to pay for criminal goods 
and services or launder illicit proceeds.
    The Secret Service has successfully investigated many underground 
cyber criminal marketplaces. In one such infiltration, the Secret 
Service initiated and conducted a 3-year investigation that led to the 
indictment of 11 perpetrators allegedly involved in hacking nine major 
U.S. retailers and the theft and sale of more than 40 million credit 
and debit card numbers. The investigation revealed that defendants from 
the United States, Estonia, China, and Belarus successfully obtained 
credit and debit card numbers by hacking into the wireless computer 
networks of major retailers--including TJ Maxx, BJ's Wholesale Club, 
Office Max, Boston Market, Barnes & Noble, Sports Authority, and Dave & 
Buster's. Once inside the networks, these cyber criminals installed 
``sniffer'' programs \6\ that would capture card numbers, as well as 
password and account information, as they moved through the retailers' 
credit and debit processing networks. After the data was collected, the 
conspirators concealed the information in encrypted computer servers 
that they controlled in the United States and Eastern Europe. The 
credit and debit card numbers were then sold through on-line 
transactions to other criminals in the United States and Eastern 
Europe. The stolen numbers were ``cashed out'' by encoding card numbers 
on the magnetic strips of blank cards. The defendants then used these 
fraudulent cards to withdraw tens of thousands of dollars at a time 
from ATMs. The defendants were able to conceal and launder their 
illegal proceeds by using anonymous internet-based digital currencies 
within the United States and abroad, and by channeling funds through 
bank accounts in Eastern Europe.\7\
---------------------------------------------------------------------------
    \6\ Sniffers are programs that detect particular information 
transiting computer networks, and can be used by criminals to acquire 
sensitive information from computer systems.
    \7\ Additional information on the criminal use of digital 
currencies can be referenced in testimony provided by U.S. Secret 
Service Special Agent in Charge Edward Lowery before the Senate 
Homeland Security and Governmental Affairs Committee in a hearing 
titled, ``Beyond Silk Road: Potential Risks, Threats, and Promises of 
Virtual Currencies'' (November 18, 2013).
---------------------------------------------------------------------------
    In data breaches like these the effects of the criminal acts 
extended well beyond the companies compromised, potentially affecting 
millions of individual card holders. Proactive and swift law 
enforcement action protects consumers by preventing and limiting the 
fraudulent use of payment card data, identity theft, or both. Cyber 
crime directly impacts the U.S. economy by requiring additional 
investment in implementing enhanced security measures, inflicting 
reputational damage on U.S. firms, and direct financial losses from 
fraud--all costs that are ultimately passed on to consumers.
           secret service strategy for combating this threat
    The Secret Service proactively investigates cyber crime using a 
variety of investigative means to infiltrate these transnational cyber 
criminal groups. As a result of these proactive investigations, the 
Secret Service is often the first to learn of planned or on-going data 
breaches and is quick to notify financial institutions and the victim 
companies with actionable information to mitigate the damage from the 
data breach and terminate the criminal's unauthorized access to their 
networks. One of the most poorly understood facts regarding data 
breaches is that it is rarely the victim company that first discovers 
the criminal's unauthorized access to their network; rather it is law 
enforcement, financial institutions, or other third parties that 
identify and notify the likely victim company of the data breach by 
identifying the common point of origin of the sensitive data being 
trafficked in cyber crime marketplaces.
    A trusted relationship with the victim is essential for confirming 
the crime, remediating the situation, beginning a criminal 
investigation, and collecting evidence. The Secret Service's global 
network of field offices, including our 35 Electronic Crimes Task 
Forces (ECTFs), is essential for building and maintaining these 
trusted relationships, along with the Secret Service's commitment to 
protecting victims' privacy and the confidentiality of their 
information.
    When the Secret Service identifies a potential network intrusion, 
the Secret Service contacts the owner of the suspected compromised 
computer systems in order to assess the data breach and to stop the 
continued theft of sensitive information and the exploitation of a 
network. Once the victim of a data breach confirms that unauthorized 
access to their networks has occurred, the Secret Service works with 
the local U.S. Attorney's office, or appropriate State and local 
officials, to begin a criminal investigation of the potential violation 
of 18 USC § 1030. During the course of this criminal investigation, the 
Secret Service identifies the malware and means of access used to 
acquire data from the victim's computer network. In order to enable 
other companies to mitigate their cyber risk based on current cyber 
crime methods, we quickly share information concerning the 
cybersecurity incident with the widest audience possible, while 
protecting grand jury information, the integrity of on-going criminal 
investigations, and the victims' privacy and confidentiality. We share 
this cybersecurity information through:
   • Our Department's National Cybersecurity & Communications 
        Integration Center (NCCIC);
   • The Information Sharing and Analysis Centers (ISAC);
   • Our ECTFs;
   • The publication of joint industry notices;
   • Our numerous partnerships developed over the past 3 decades 
        in investigating cyber crimes; and,
   • Contributions to leading industry and academic reports like 
        the Verizon Data Breach Investigations Report, the Trustwave 
        Global Security Report, and the Carnegie Mellon CERT Insider 
        Threat Study.
    As we share cybersecurity information discovered in the course of 
our criminal investigation, we also continue our investigation in order 
to apprehend and bring to justice those involved. Due to the inherent 
challenges in investigating transnational crime, particularly the lack 
of cooperation of some countries with law enforcement investigations, 
occasionally it takes years to finally apprehend the top tier criminals 
responsible. For example, Dmitriy Smilianets and Vladimir Drinkman were 
arrested in June 2012, as part of a multi-year investigation by the 
Secret Service, while they were traveling in the Netherlands thanks to 
the assistance of Dutch law enforcement. The alleged total fraud loss 
from their cyber crimes exceeds $105 million.
    As a part of our cyber crime investigations, the Secret Service 
also targets individuals who operate illicit infrastructure that 
supports the transnational organized cyber criminal. For example, in 
May 2013 the Secret Service, as part of a joint investigation through 
the Global Illicit Financial Team, shut down the digital currency 
provider Liberty Reserve. Liberty Reserve is alleged to have had more 
than 1 million users worldwide and to have laundered more than $6 
billion in criminal proceeds. This case is believed to be the largest 
money laundering case ever prosecuted in the United States and is being 
jointly prosecuted by the U.S. Attorney's Office for the Southern 
District of New York and DOJ's Asset Forfeiture and Money Laundering 
Section. In a coordinated action with the Department of the Treasury, 
Liberty Reserve was identified as a financial institution of primary 
money laundering concern under Section 311 of the USA PATRIOT Act, 
effectively cutting it off from the U.S. financial system.
    collaboration with other federal agencies and international law 
                              enforcement
    While cyber criminals operate in a world without borders, the law 
enforcement community does not. The increasingly multi-national, multi-
jurisdictional nature of cyber crime cases has increased the time and 
resources needed for successful investigation and adjudication. The 
partnerships developed through our ECTFs, the support provided by our 
Criminal Investigative Division, the liaison established by our 
overseas offices, and the training provided to our special agents via 
Electronic Crimes Special Agent Program are all instrumental to the 
Secret Service's successful network intrusion investigations.
    One example of the Secret Service's success in these investigations 
is the case involving Heartland Payment Systems. As described in the 
August 2009 indictment, a transnational organized criminal group 
allegedly used various network intrusion techniques to breach security 
and navigate the credit card processing environment. Once inside the 
networks, they installed ``sniffer'' programs to capture card numbers, 
as well as password and account information. The Secret Service 
investigation, the largest and most complex data breach investigation 
ever prosecuted in the United States, revealed that data from more than 
130 million credit card accounts were at risk of being compromised and 
exfiltrated to a command-and-control server operated by an 
international group directly related to other on-going Secret Service 
investigations. During the course of the investigation, the Secret 
Service uncovered that this international group committed other 
intrusions into multiple corporate networks to steal credit and debit 
card data. The Secret Service relied on various investigative methods, 
including subpoenas, search warrants, and Mutual Legal Assistance 
Treaty (MLAT) requests to identify three main suspects. As a result of 
the investigation, these primary suspects were indicted for various 
computer-related crimes. The lead defendant in the indictment pled 
guilty and was sentenced to 20 years in Federal prison. This 
investigation is on-going with over 100 additional victim companies 
identified.
    Recognizing these complexities, several Federal agencies are 
collaborating to investigate cases and identify proactive strategies. 
Greater collaboration within the Federal, State, and local law 
enforcement community enhances information sharing, promotes efficiency 
in investigations, and facilitates efforts to de-conflict in cases of 
concurrent jurisdiction. For example, the Secret Service has 
collaborated extensively with DOJ's CCIPS, which ``prevents, 
investigates, and prosecutes computer crimes by working with other 
government agencies, the private sector, academic institutions, and 
foreign counterparts.''\8\ The Secret Service's ECTFs are a natural 
complement to CCIPS, resulting in an excellent partnership over the 
years. In the last decade, nearly every major cyber investigation 
conducted by the Secret Service has benefited from CCIPS contributions.
---------------------------------------------------------------------------
    \8\ U.S. Department of Justice. (n.d.). Computer Crime & 
Intellectual Property Section: About CCIPS. Retrieved from http://
www.justice.gov/criminal/cybercrime/.
---------------------------------------------------------------------------
    The Secret Service also partners with numerous international law 
enforcement agencies, including the FBI. For example, in August 2010, a 
joint operation yielded the seizure of 143 computer systems--one of the 
largest international seizures of digital media obtained by U.S. law 
enforcement--consisting of 85 terabytes of data, which was transferred 
to law enforcement authorities in the United States. The data was 
seized from a criminal internet service provider located in Odessa, 
Ukraine, also referred to as a ``Bullet Proof Hoster.''
    The case of Vladislav Horohorin is another example of successful 
cooperation between the Secret Service and its law enforcement partners 
around the world. Mr. Horohorin, one of the world's most notorious 
traffickers of stolen financial information, was arrested while 
traveling in France on August 25, 2010, pursuant to a request for his 
provisional arrest with a view toward extradition to the United States. 
Mr. Horohorin created the first fully-automated on-line store which 
held stolen credit card data for sale. Both CCIPS and the Office of 
International Affairs at DOJ played critical roles in this 
apprehension.
    Apprehending transnational cyber criminals like these is made 
possible by the Secret Service's 24 international field offices 
developing close partnerships with numerous foreign law enforcement 
agencies in order to combat transnational crime. To strengthen our 
ability to investigate transnational cyber crime, the Secret Service 
maintains ECTFs in London and Rome, has assigned agents to INTERPOL and 
EUROPOL, and operates cyber crime working groups in the Netherlands, 
Estonia, Lithuania, Latvia, Ukraine, and Germany. The Secret Service 
also trains numerous international partners on investigating cyber 
crime; in the past 3 years the Secret Service has trained over 500 law 
enforcement officials representing over 90 countries in investigating 
cyber crimes.
    The Secret Service investigations of transnational crime are 
facilitated by the dedicated efforts of both the Department of State 
and the DOJ's Office of International Affairs to execute MLATs and 
other forms of international law enforcement cooperation, in addition 
to the personal relationships that develop between Secret Service 
agents and their foreign counterparts through these working groups and 
training efforts.
    Within DHS, the Secret Service benefits from a close relationship 
with Immigration and Customs Enforcement's Homeland Security 
Investigations (ICE-HSI). Since 1997, the Secret Service, ICE-HSI, and 
IRS-CI have jointly trained on computer investigations through the 
Electronic Crimes Special Agent Program (ECSAP). ICE-HSI is also a 
member of Secret Service ECTFs, and ICE-HSI and the Secret Service have 
partnered on numerous cyber crime investigations including the recent 
take-down of the digital currency Liberty Reserve.
    To further its cybersecurity information-sharing efforts, the 
Secret Service has strengthened its relationship with the National 
Protection and Programs Directorate (NPPD), including the NCCIC. As the 
Secret Service identifies malware, suspicious IPs, and other 
information through its criminal investigations, it shares information 
with our Department's NCCIC. The Secret Service continues to build upon 
its full-time presence at NCCIC to coordinate its cyber programs with 
other Federal agencies.
    As a part of these efforts, and to ensure that information is 
shared in a timely and effective manner, the Secret Service has 
personnel assigned to the following DHS and non-DHS entities:
   • NPPD's National Cybersecurity & Communications Integration 
        Center (NCCIC);
   • NPPD's Office of Infrastructure Protection;
   • DHS's Science and Technology Directorate (S&T);
   • The National Cyber Investigative Joint Task Force (NCIJTF);
   • Each FBI Joint Terrorism Task Force (JTTF), including the 
        National JTTF;
   • Department of the Treasury--Office of Terrorist Financing 
        and Financial Crimes (TFFC);
   • Department of the Treasury--Financial Crimes Enforcement 
        Network (FinCEN);
   • Central Intelligence Agency;
   • DOJ's International Organized Crime and Intelligence 
        Operations Center (IOC-2);
   • Drug Enforcement Administration's Special Operations 
        Division;
   • EUROPOL; and
   • INTERPOL.
    The Secret Service is committed to ensuring that all its 
information-sharing activities comply with applicable laws, 
regulations, and policies, including those that pertain to privacy, 
confidentiality, and civil liberties.
                        secret service framework
    To protect our financial infrastructure, industry, and the American 
public, the Secret Service has adopted a multi-faceted approach to 
aggressively combat cyber and computer-related crimes.
Electronic Crimes Task Forces
    In 1995, the Secret Service New York Field Office established the 
New York Electronic Crimes Task Force (ECTF) to combine the resources 
of academia, the private sector, and local, State, and Federal law 
enforcement agencies to combat computer-based threats to our financial 
payment systems and critical infrastructures. In 2001, Congress 
directed the Secret Service to establish a Nation-wide network of ECTFs 
to ``prevent, detect, and investigate various forms of electronic 
crimes, including potential terrorist attacks against critical 
infrastructure and financial payment systems.''\9\
---------------------------------------------------------------------------
    \9\ See Public Law 107-56 Section 105 (appears as note following 18 
U.S.C. § 3056).
---------------------------------------------------------------------------
    Secret Service field offices currently operate 35 ECTFs, including 
two based overseas in Rome, Italy, and London, England. Membership in 
our ECTFs includes: Over 4,000 private-sector partners; over 2,500 
international, Federal, State, and local law enforcement partners; and 
over 350 academic partners. By joining our ECTFs, our partners benefit 
from the resources, information, expertise, and advanced research 
provided by our international network of members while focusing on 
issues with significant regional impact.
Cyber Intelligence Section
    Another example of our partnership approach with private industry 
is our Cyber Intelligence Section (CIS) which analyzes evidence 
collected as a part of Secret Service investigations and disseminates 
information in support of Secret Service investigations world-wide and 
generates new investigative leads based upon its findings. CIS 
leverages technology and information obtained through private-sector 
partnerships to monitor developing technologies and trends in the 
financial payments industry for information that may be used to enhance 
the Secret Service's capabilities to prevent and mitigate attacks 
against the financial and critical infrastructures. CIS also has an 
operational unit that investigates international cyber criminals 
involved in cyber intrusions, identity theft, credit card fraud, bank 
fraud, and other computer-related crimes. The information and 
coordination provided by CIS is a crucial element to successfully 
investigating, prosecuting, and dismantling international criminal 
organizations.
Electronic Crimes Special Agent Program
    A central component of the Secret Service's cyber crime 
investigations is its Electronic Crimes Special Agent Program (ECSAP), 
which is comprised of nearly 1,400 Secret Service special agents who 
have received at least one of three levels of computer crimes-related 
training.
    Level I--Basic Investigation of Computers and Electronic Crimes 
(BICEP).--The BICEP training program focuses on the investigation of 
electronic crimes and provides a brief overview of several aspects 
involved with electronic crimes investigations. This program provides 
Secret Service agents and our State and local law enforcement partners 
with a basic understanding of computers and electronic crime 
investigations and is now part of our core curriculum for newly-hired 
special agents.
    Level II--Network Intrusion Responder (ECSAP-NI).--ECSAP-NI 
training provides special agents with specialized training and 
equipment that allows them to respond to and investigate network 
intrusions. These may include intrusions into financial sector computer 
systems, corporate storage servers, or various other targeted 
platforms. The Level II trained agent will be able to identify critical 
artifacts that will allow for effective investigation of identity 
theft, malicious hacking, unauthorized access, and various other 
related electronic crimes.
    Level III--Computer Forensics (ECSAP-CF).--ECSAP-CF training 
provides special agents with specialized training and equipment that 
allows them to investigate and forensically obtain digital evidence to 
be utilized in the prosecution of various electronic crimes cases, as 
well as criminally-focused protective intelligence cases.
    These agents are deployed in Secret Service field offices 
throughout the world and have received extensive training in forensic 
identification, as well as the preservation and retrieval of 
electronically-stored evidence. ECSAP-trained agents are computer 
investigative specialists, qualified to conduct examinations on all 
types of electronic evidence. These special agents are equipped to 
investigate the continually evolving arena of electronic crimes and 
have proven invaluable in the successful prosecution of criminal groups 
involved in computer fraud, bank fraud, identity theft, access device 
fraud, and various other electronic crimes targeting our financial 
institutions and private sector.
National Computer Forensics Institute
    The National Computer Forensics Institute (NCFI), located in 
Hoover, AL, is the result of a partnership between the Secret Service, 
NPPD, the State of Alabama, and the Alabama District Attorney's 
Association. The goal of this facility is to provide a National 
standard of training for a variety of electronic crimes investigations. 
The program offers State and local law enforcement officers and 
prosecutors the training necessary to perform computer forensics 
examinations, respond to network intrusion incidents, and to conduct 
electronic crimes investigations, while judges receive general 
education in these areas. Since opening in 2008, the institute has held 
over 150 cyber and digital forensics courses in 16 separate subjects 
and trained and equipped more than 3,000 State and local officials, 
including more than 2,300 police investigators, 840 prosecutors, and 
230 judges from all 50 States and three U.S. territories. These NCFI 
graduates represent more than 1,000 agencies Nation-wide.
    State and local agencies greatly benefit from this Secret Service-
provided education on investigating cyber crime. In some of the 
advanced forensics and network intrusion courses, students are issued 
all of the hardware, software, and licenses necessary to conduct 
investigations. NCFI students receive the same equipment and advanced 
software as U.S. Secret Service special agents--a considerable benefit 
as it allows both the local officer and the Federal agent to operate on 
common systems.
    Graduates of the NCFI return to their respective agencies and apply 
their newly-acquired skills and equipment to investigating computer-
based crimes. Additionally, these graduates are offered the chance to 
participate in the Secret Service's Electronic Crimes Task Force (ECTF) 
program. State and local ECTF members work alongside other Federal 
agencies and private-sector entities to combat the systemic flood of 
cyber-related crimes targeting both private citizens and our Nation's 
financial infrastructure. These ECTF members also serve as force 
multipliers for the U.S. Secret Service ECSAP program.
Partnerships with Academia
    The Secret Service has a long history of closely partnering with 
academia as a part of our mission. For example, Drexel University is a 
valued member of our Philadelphia ECTF, and this highly productive 
partnership to address the challenges of cyber crime is an excellent 
example of the sort of partnerships the Secret Service has developed 
with over 200 academic institutions Nation-wide through our ECTFs. The 
Secret Service is continually expanding its partnerships with academia 
through its 35 Electronic Crimes Task Forces. In addition to the 
numerous universities that are ECTF members, the Secret Service has a 
close, collaborative relationship with both Carnegie Mellon and the 
University of Tulsa.
    In August 2000, the Secret Service and Carnegie Mellon University 
Software Engineering Institute (SEI) established the Secret Service 
CERT \10\ Liaison Program to provide technical support, opportunities 
for research and development, as well as public outreach and education 
to more than 150 scientists and researchers in the fields of computer 
and network security, malware analysis, forensic development, training, 
and education. Supplementing this effort is research into emerging 
technologies being used by cyber-criminals and development of 
technologies and techniques to combat them.
---------------------------------------------------------------------------
    \10\ CERT--not an acronym--conducts empirical research and analysis 
to develop and transition socio-technical solutions to combat insider 
cyber threats.
---------------------------------------------------------------------------
    The primary goals of the program are: To broaden the Secret 
Service's knowledge of software engineering and networked systems 
security; to expand and strengthen partnerships and relationships with 
the technical and academic communities; to partner with CERT-SEI and 
Carnegie Mellon University to support research and development to 
improve the security of cyberspace and improve the ability of law 
enforcement to investigate crimes in a digital age; and to present the 
results of this partnership at the quarterly meetings of our ECTFs.
    In August 2004, the Secret Service partnered with CERT-SEI to 
publish the first ``Insider Threat Study'' examining the illicit cyber 
activity and insider fraud in the banking and finance sector. Due to 
the overwhelming response to this initial study, the Secret Service and 
CERT-SEI, in partnership with DHS Science & Technology (S&T), updated 
the study and released the most recent version just last year, which is 
published at http://www.cert.org/insider_threat/.
    To improve law enforcement's ability to investigate crimes 
involving mobile devices, the Secret Service opened the Cell Phone 
Forensic Facility at the University of Tulsa in 2008. This facility has 
a three-pronged mission: (1) Training Federal, State, and local law 
enforcement agents in embedded device forensics; (2) developing novel 
hardware and software solutions for extracting and analyzing digital 
evidence from embedded devices; and (3) applying the hardware and 
software solutions to support criminal investigations conducted by the 
Secret Service and its partner agencies. To date, investigators trained 
at the Cell Phone Forensic Facility have completed more than 6,500 
examinations on cell phone and embedded devices Nation-wide. Secret 
Service agents assigned to the Tulsa facility have contributed to over 
300 complex cases that have required the development of sophisticated 
techniques and tools to extract critical evidence.
    These collaborations with academia, among others, have produced 
valuable innovations that have helped strengthen the cyber ecosystem 
and improved law enforcement's ability to investigate cyber crime. The 
Secret Service will continue to partner closely with academia and DHS 
S&T, particularly the Cyber Forensics Working Group, to support 
research and development of innovative tools and methods to support 
criminal investigations.
               legislative action to combat data breaches
    While there is no single solution to prevent data breaches of U.S. 
customer information, legislative action could help to improve the 
Nation's cybersecurity, reduce regulatory costs on U.S. companies, and 
strengthen law enforcement's ability to conduct effective 
investigations. The administration previously proposed law enforcement 
provisions related to computer security through a letter from OMB 
Director Lew to Congress on May 12, 2011, highlighting the importance 
of additional tools to combat emerging criminal practices. We continue 
to support changes like these that will keep pace with rapidly-evolving 
use of information technology and associated cybersecurity risks.
                               conclusion
    The Secret Service is committed to safeguarding the Nation's 
financial payment systems by investigating and dismantling criminal 
organizations involved in cyber crime. Responding to the growth in 
these types of crimes and the level of sophistication these criminals 
employ requires significant resources and greater collaboration among 
law enforcement and its public and private-sector partners. 
Accordingly, the Secret Service dedicates significant resources to 
improving investigative techniques, providing training for law 
enforcement partners, and raising public awareness. The Secret Service 
will continue to be innovative in its approach to cyber crime and 
cybersecurity and is pleased that the subcommittee recognizes the 
magnitude of these issues, the evolving nature of these crimes, and the 
importance of academic institutions, like Drexel University, in 
addressing these issues.

    Mr. Meehan. I want to thank Mr. Baranoff for his testimony, 
and the Chairman now recognizes Mr. Quinn for your testimony.

   STATEMENT OF RICHARD P. QUINN, ASSISTANT SPECIAL AGENT IN 
     CHARGE, PHILADELPHIA FIELD OFFICE, FEDERAL BUREAU OF 
                         INVESTIGATION

    Mr. Quinn. Good morning, Chairman Meehan, Ranking Member 
Clarke. Thank you for inviting me here today to discuss the 
FBI's role in cybersecurity, and for your on-going support----
    Mr. Meehan. Special Agent, is--would you check to see if 
your mike is pushed on?
    Mr. Quinn. Test.
    Mr. Meehan. Just pull it closer to you, then, please.
    Mr. Quinn. Got it. Very good. How is this? Very good. Well, 
good morning, Chairman Meehan, and Ranking Member Clarke, and 
Congressman Fitzpatrick. Thank you for inviting me here today 
to discuss the FBI's role in cybersecurity, and for your on-
going support of the Bureau.
    The purpose of this hearing is to discuss Federal, State, 
and local partnerships with private industry as it relates to 
cybersecurity. To that end, it is important to note that the 
FBI recognizes that in order to effectively combat the cyber 
threat, it is imperative we significantly enhance our 
collaboration not only with other Government entities, but with 
the private sector. On one hand, our Nation's companies are the 
primary victims of cyber intrusions, and their networks contain 
the evidence of countless attacks. On the other hand, the 
private sector is the key to defeating this threat. The private 
sector possesses the information, expertise, and knowledge to 
be a crucial partner in this endeavor.
    One of the challenges in the past has been that, while 
private industry has provided us information about the attacks, 
we have not always provided information in return. It is in 
establishing and refining an exchange of valuable information 
about cybersecurity issues that will allow us to leverage the 
capabilities of both public and private sector in defeating 
cyber threats. The FBI's newly established Key Partnership 
Engagement Unit manages a targeted outreach program focused on 
building relationships with senior executives of key private-
sector corporations.
    Through utilizing a tiered approach, the FBI is able to 
prioritize our efforts to better correlate potential National 
security threat levels with specific critical infrastructure 
sectors. The Key Partnership team promotes the FBI's whole-of-
Government and industry approach to cybersecurity in 
investigations by developing a robust information exchange 
platform with corporate partners. Through the FBI's InfraGard 
program, the FBI develops partnerships and working 
relationships with private sector, academic, and other public/
private entity subject-matter experts. Primarily geared towards 
the protection of critical National infrastructure, InfraGard 
promotes on-going dialogue and timely communication between a 
current active membership base of approximately 26,000.
    InfraGard members are encouraged to share information with 
Government that enhances its mission to prevent and address 
criminal and National security issues, and, through the 
utilization of the Guardian for Cyber program, active members 
are able to report cyber intrusion incidents in real time to 
the FBI. InfraGard members also benefit from access to robust 
on- and off-line learning courses, connectivity with other 
members and special interest groups, and relevant Government 
intelligence and updates that enable them to broaden threat 
awareness, and protect their assets.
    The FBI's Cyber Initiative and Resource Fusion Unit 
maximizes and develops intelligence and analytical resources 
received from law enforcement, academia, international and 
critical corporate private-sector subject-matter experts to 
identify and combat significant actors involved in current and 
emerging cyber-related criminal and National security threats. 
CIRFU's core capabilities include a partnership with the 
National Cyber Forensics and Training Alliance in Pittsburgh, 
Pennsylvania, where the unit is co-located. NCFTA acts as a 
neutral platform through which the unit develops and maintains 
a liaison with hundreds of formal and informal working partners 
who share real-time threat information, best practices, and 
collaborate on initiatives to target and mitigate cyber threats 
domestically and abroad.
    The FBI recognizes that industry collaboration and 
coordination is critical in combating cyber threats 
effectively. As part of our enhanced private-sector outreach, 
we have begun to provide partners with Classified threat 
briefings and other information, and tools to better help them 
repel intruders. Earlier this year, in coordination with the 
Treasury Department, we provided a Classified briefing on 
threats to the financial services industry to executives of 
more than 40 banks, who participated via secured video 
teleconferences in FBI offices across the country. We provided 
yet another Classified briefing on threats to the financial 
services industry in April 2014, with 100 banks participating 
via secure video teleconference in those FBI field offices.
    Another illustration of the FBI's commitment to private-
sector outreach is our increase in production of our external 
use products, such as the FBI liaison alert system, and private 
industry notification. We continue to counter the threats we 
face in engaging in an unprecedented level of collaboration 
with the United States Government, the private sector, and we 
are grateful for the committee's support, and look forward to 
continuing to work with you, and expand our partnerships, as we 
determine a successful course forward for the Nation to defeat 
our cyber adversaries. Thank you.
    [The prepared statement of Mr. Quinn follows:]
                 Prepared Statement of Richard P. Quinn
                             April 16, 2014
    Good morning Chairman Meehan and Ranking Member Clarke. I thank you 
for holding this hearing today and I look forward to discussing the 
FBI's role in cybersecurity. On behalf of the men and women of the FBI, 
let me begin by thanking you for your on-going support of the Bureau.
    Today's FBI is a threat-focused, intelligence-driven organization. 
Each employee of the FBI understands that to mitigate the key threats 
facing our Nation, we must constantly strive to be more efficient and 
more effective. Just as our adversaries continue to evolve, so, too, 
must the FBI. We live in a time of acute and persistent terrorist, 
state-sponsored, and criminal threats to our National security, our 
economy, and our communities. These diverse threats facing our Nation 
and our neighborhoods underscore the complexity and breadth of the 
FBI's mission.
    We remain focused on defending the United States against terrorism, 
foreign intelligence, and cyber threats; upholding and enforcing the 
criminal laws of the United States; protecting civil rights and civil 
liberties; and providing leadership and criminal justice services to 
Federal, State, local, and international agencies and partners.
                    the cyber threat & fbi response
    We face cyber threats from state-sponsored hackers, hackers for 
hire, global cyber syndicates, and terrorists. They seek our state 
secrets, our trade secrets, our technology, and our ideas--things of 
incredible value to all of us. They may seek to strike our critical 
infrastructure and our economy.
    Given the scope of the cyber threat, agencies across the Federal 
Government are making cybersecurity a top priority. Within the FBI, we 
are prioritizing high-level intrusions--the biggest and most dangerous 
botnets, state-sponsored hackers, and global cyber syndicates. We want 
to predict and prevent attacks, rather than simply react after the 
fact.
    FBI agents, analysts, and computer scientists are using technical 
capabilities and traditional investigative techniques--such as sources 
and wiretaps, surveillance, and forensics--to fight cyber crime. We are 
working side-by-side with our Federal, State, and local partners on 
Cyber Task Forces in each of our 56 field offices and through the 
National Cyber Investigative Joint Task Force (NCIJTF). Through our 24-
hour cyber command center, CyWatch, we combine the resources of the FBI 
and NCIJTF, allowing us to provide connectivity to Federal cyber 
centers, Government agencies, FBI field offices and legal attaches, and 
the private sector in the event of a cyber intrusion.
    We also work with the private sector through partnerships such as 
the Domestic Security Alliance Council, InfraGard, and the National 
Cyber Forensics and Training Alliance. And we are training our State 
and local counterparts to triage local cyber matters, so that we can 
focus on National security issues.
    In addition, our legal attache offices overseas work to coordinate 
cyber investigations and address jurisdictional hurdles and differences 
in the law from country to country. We are supporting partners at 
Interpol and The Hague as they work to establish international cyber 
crime centers. We continue to assess other locations to ensure that our 
cyber personnel are in the most appropriate locations across the globe.
    We know that to be successful in the fight against cyber crime, we 
must continue to recruit, develop, and retain a highly-skilled 
workforce. To that end, we have developed a number of creative staffing 
programs and collaborative private-industry partnerships to ensure that 
over the long term we remain focused on our most vital resource--our 
people.
    As the committee is well aware, the frequency and impact of cyber 
attacks on our Nation's private sector and Government networks have 
increased dramatically in the past decade, and are expected to continue 
to grow. Since 2002, the FBI has seen an 82 percent increase in the 
number of computer intrusion investigations.
                            recent successes
    While the FBI and our partners have had multiple recent 
investigative successes against the threat, we are continuing to push 
ourselves to respond more rapidly and prevent attacks before they 
occur.
    One area in which we recently have had great success with our 
overseas partners is in targeting infrastructure we believe has been 
used in Distributed Denial of Service (DDOS) attacks, and preventing 
that infrastructure from being used for future attacks. A DDOS attack 
is an attack on a computer system or network that causes a loss of 
service to users, typically the loss of network connectivity and 
services by consuming the bandwidth of the victim network. Since 
October 2012, the FBI and the Department of Homeland Security (DHS) 
have released nearly 168,000 Internet Protocol addresses of computers 
that were believed to be infected with DDOS malware. We have released 
this information through Joint Indicator Bulletins (JIBs) to more than 
130 countries via DHS's National Cybersecurity and Communications 
Integration Center (NCCIC), where our liaisons provide expert and 
technical advice for increased coordination and collaboration, as well 
as our Legal Attaches overseas.
    These actions have enabled our foreign partners to take action and 
reduced the effectiveness of the botnets and the DDOS attacks. We are 
continuing to target botnets through this strategy and others.
    In April 2013, the FBI Cyber Division initiated an aggressive 
approach to disrupt and dismantle the most significant botnets 
threatening the economy and National security of the United States. 
This initiative, named Operation Clean Slate, is the FBI's broad 
campaign to implement appropriate threat neutralization actions through 
collaboration with the private sector, DHS, and other United States 
Government partners, and our foreign partners. This includes law 
enforcement action against those responsible for the creation and use 
of the illegal botnets, mitigation of the botnet itself, assistance to 
victims, public-service announcements, and long-term efforts to improve 
awareness of the botnet threat through community outreach. Although 
each botnet is unique, Operation Clean Slate's strategic approach to 
this significant threat ensures a comprehensive neutralization 
strategy, incorporating a unified public/private response and a whole-
of-Government approach to protect U.S. interests.
    The impact of botnets has been significant. Botnets have caused over 
$113 billion in losses globally, with approximately 378 million 
computers infected each year, equaling more than 1 million victims per 
day, translating to 12 victims per second.
    To date, Operation Clean Slate has resulted in several successes. 
Working with our partners, we disrupted the Citadel Botnet. This botnet 
was designed to facilitate unauthorized access to computers of 
individuals and financial institutions to steal on-line banking 
credentials, credit card information, and other personally identifiable 
information. Citadel was responsible for the loss of over a half 
billion dollars. As a result of our actions, over 1,000 Citadel domains 
were seized, accounting for more than 11 million victim computers 
worldwide. In addition, working with foreign law enforcement, we 
arrested a major user of the malware.
    Building on the success of the disruption of Citadel, in December 
2013, the FBI, Europol, together with Microsoft and other industry 
partners, disrupted the ZeroAccess Botnet. ZeroAccess was responsible 
for infecting more than 2 million computers, specifically targeting 
search results on Google, Bing, and Yahoo search engines, and is 
estimated to have cost on-line advertisers $2.7 million each month.
    In January 2014, Aleksandr Andreevich Panin, a Russian national, 
pled guilty to conspiracy to commit wire and bank fraud for his role as 
the primary developer and distributor of the malicious software known 
as ``SpyEye'' which infected over 1.4 million computers in the United 
States and abroad. Based on information received from the financial 
services industry, over 10,000 bank accounts have been compromised by 
SpyEye infections in 2013 alone. Panin's co-conspirator, Hamza 
Bendelladj, an Algerian national who helped Panin develop and 
distribute the malware, was also arrested in January 2013 in Bangkok, 
Thailand.
                    next generation cyber initiative
    The need to prevent attacks is a key reason the FBI has redoubled 
our efforts to strengthen our cyber capabilities while protecting 
privacy, confidentiality, and civil liberties. The FBI's Next 
Generation Cyber Initiative, which we launched in 2012, entails a wide 
range of measures, including focusing the Cyber Division on intrusions 
into computers and networks--as opposed to crimes committed with a 
computer as a modality; establishing Cyber Task Forces in each of our 
56 field offices to conduct cyber intrusion investigations and respond 
to significant cyber incidents; hiring additional computer scientists 
to assist with technical investigations in the field; and expanding 
partnerships and collaboration at the NCIJTF.
    At the NCIJTF--which serves as a coordination, integration, and 
information sharing center among 19 U.S. agencies and our Five Eyes 
partners for cyber threat investigations--we are coordinating at an 
unprecedented level. This coordination involves senior personnel at key 
agencies. NCIJTF, which is led by the FBI, now has deputy directors 
from the NSA, DHS, the Central Intelligence Agency, U.S. Secret 
Service, and U.S. Cyber Command. In the past year we have had our Five 
Eyes partners join us at the NCIJTF. Australia embedded a liaison 
officer in May 2013, the United Kingdom in July 2013, and Canada in 
January 2014. By developing partnerships with these and other nations, 
NCIJTF is working to become the international leader in synchronizing 
and maximizing investigations of cyber adversaries.
    While we are primarily focused with our Federal partners on cyber 
intrusions, we are also working with our State and local law 
enforcement partners to identify and address gaps in the investigation 
and prosecution of internet fraud crimes.
    Currently, the FBI's Internet Crime Complaint Center (IC3) collects 
reports from private industry and citizens about on-line fraud schemes, 
identifies emerging trends, and produces reports about them. The FBI 
investigates fraud schemes that are appropriate for Federal prosecution 
(based on factors like the amount of loss). Others are packaged 
together and referred to State and local law enforcement.
    The FBI is also working to develop the Wellspring program in 
collaboration with the International Association of Chiefs of Police, 
the Major City Chiefs Association, and the National Sheriffs' 
Association to enhance the internet fraud targeting packages IC3 
provides to State and local law enforcement for investigation and 
potential prosecution. During the first phase of this program's 
development, IC3 worked with the Utah Department of Public Safety to 
develop better investigative leads for direct dissemination to State 
and local agencies.
    Through IC3, Operation Wellspring provided Utah police 22 referral 
packages involving over 800 victims, from which the FBI opened 14 
investigations. Additionally, another 9 investigations were opened and 
developed from the information provided.
    The following are reported loss totals:
  • IC3-referred investigations = $2,135,264;
  • Cyber Task Force initiated investigations = $385,630;
  • Operation Wellspring/Utah Total = $2,520,894.
    The FBI's newly-established Guardian for Cyber application, being 
developed for Cyber use by the Guardian Victim Analysis Unit (GVAU), 
provides a comprehensive platform that coordinates and tracks U.S. 
Government efforts to notify victims or targets of malicious cyber 
activity.
    The FBI is working toward the full utilization of Guardian for 
Cyber across FBI, OGAs, State, local, Tribal and territorial 
governments (SLTTs) as well as industry partners, in order to increase 
awareness of vulnerabilities in infrastructure, forward understanding 
of cyber-related threats and facilitate a coordinated overall cyber 
incident response by the U.S. Government.
                        private sector outreach
    In addition to strengthening our partnerships in Government and law 
enforcement, we recognize that to effectively combat the cyber threat, 
we must significantly enhance our collaboration with the private 
sector. Our Nation's companies are the primary victims of cyber 
intrusions and their networks contain the evidence of countless 
attacks. In the past, industry has provided us information about 
attacks that have occurred, and we have investigated the attacks, but 
we have not always provided information back.
    The FBI's newly-established Key Partnership Engagement Unit (KPEU) 
manages a targeted outreach program focused on building relationships 
with senior executives of key private-sector corporations. Through 
utilizing a tiered approach the FBI is able to prioritize our efforts 
to better correlate potential National security threat levels with 
specific critical infrastructure sectors.
    The KPEU team promotes the FBI's Government and industry 
collaborative approach to cybersecurity and investigations by 
developing a robust information exchange platform with its corporate 
partners.
    Through the FBI's InfraGard program, the FBI develops partnerships 
and working relationships with private sector, academic, and other 
public-private entity subject-matter experts. Primarily geared toward 
the protection of critical, National infrastructure, InfraGard promotes 
on-going dialogue and timely communication between a current active 
membership base of 25,863 (as of April 2014).
    Members are encouraged to share information with Government that 
better allows Government to prevent and address criminal and National 
security issues. Through the utilization of the Guardian for Cyber 
program, active members are able to report cyber intrusion incidents in 
real time to the FBI. InfraGard members also benefit from access to 
robust on- and off-line learning resources, connectivity with other 
members and special interest groups, and relevant Government 
intelligence and updates that enable them to broaden threat awareness 
and protect their assets.
    The FBI's Cyber Initiative & Resource Fusion Unit (CIRFU) maximizes 
and develops intelligence and analytical resources received from law 
enforcement, academia, international, and critical corporate private-
sector subject-matter experts to identify and combat significant actors 
involved in current and emerging cyber-related criminal and National 
security threats. CIRFU's core capabilities include a partnership with 
the National Cyber Forensics and Training Alliance (NCFTA) in 
Pittsburgh, Pennsylvania, where the unit is collocated. NCFTA acts as a 
neutral platform through which the unit develops and maintains liaison 
with hundreds of formal and informal working partners who share real-
time threat information, best practices, and collaborate on initiatives 
to target and mitigate cyber threats domestically and abroad. In 
addition, the FBI, Small Business Administration and the National 
Institute of Standards and Technology (NIST) partner together to 
provide cybersecurity training and awareness to small business as well 
as citizens leveraging the FBI InfraGard program.
    The FBI recognizes that industry collaboration and coordination is 
critical in our combating the cyber threat effectively. As part of our 
enhanced private-sector outreach, we have begun to provide industry 
partners with Classified threat briefings and other information and 
tools to better help them repel intruders. Earlier this year, in 
coordination with the Treasury Department, we provided a Classified 
briefing on threats to the financial services industry to executives of 
more than 40 banks who participated via secure video teleconference in 
FBI field offices. We provided another Classified briefing on threats 
to the financial services industry in April 2014, with 100 banks 
participating. Another illustration of the FBI's commitment to private-
sector outreach is our increase in production of our external use 
products such as the FBI Liaison Alert System (FLASH) reports and 
Private Industry Notifications (PINs).
                               conclusion
    In conclusion, Chairman Meehan, to counter the threats we face, we 
are engaging in an unprecedented level of collaboration within the U.S. 
Government, with the private sector, and with international law 
enforcement.
    We are grateful for the committee's support and look forward to 
continuing to work with you and expand our partnerships as we determine 
a successful course forward for the Nation to defeat our cyber 
adversaries.

    Mr. Meehan. Thank you, Special Agent Quinn. The Chairman 
now recognizes the district attorney of Delaware County, Jack 
Whelan.

   STATEMENT OF JOHN J. ``JACK'' WHELAN, DISTRICT ATTORNEY, 
                 DELAWARE COUNTY, PENNSYLVANIA

    Mr. Whelan. Thank you, Chairman Meehan, Congresswoman 
Clarke, Congressman Fitzpatrick. Good morning. I would like to 
thank you for the opportunity to discuss cybersecurity, and how 
we can work together to better protect the identities of our 
Delaware County residents. It is a great opportunity for me to 
share a local perspective.
    As the committee is well aware, identity theft is the 
Nation's fastest-growing crime. In law enforcement, we define 
cyber crime as any crime where a computer or the internet is 
used to commit or to conceal a crime. In Delaware County our 
detectives have seen cyber crime first-hand in cases where identity 
thieves steal personal information and use it to gain access to 
a victim's financial resources. These thieves may steal mail, 
hack into computers, or even enlist employees at companies that 
have legitimate access to personal information. They also use 
e-mail or telephone scams to commit the crime, which is most 
often seen here in Delaware County, and it affects our most 
vulnerable population, our senior citizens.
    With relatively little information, even low-tech, 
inexperienced criminals can begin opening accounts in another 
person's name and run up substantial charges. In one case we 
arrested Dorothy J. Miller of Haverford Township for stealing 
more than $150,000 from her employee--employer, Summers 
Hardwood Floors, located in Sharon Hill. After she assumed the 
identity of the company's owner, John Summers, who had passed 
away, Miller opened a credit card in his name and forged 
numerous checks, using his and his wife's signature. Through 
handwriting analysis, our detectives were able to charge Miller 
with multiple felony counts of theft, forgery, identity theft, 
and conspiracy.
    In Delaware County we also see criminals using the internet 
to trick people into giving them money or merchandise. These 
scams run from the small-time bait-and-switch schemes that you 
might see on Craigslist to more sophisticated false websites 
that are set up to look like genuine websites, such as major 
banks.
    Computers can also be used as instruments of stalking, or 
harassment via e-mail, or social networking sites. Targeting 
another vulnerable population, computers are used in crimes 
against our children, where the internet is used to traffic 
child pornography, and by predators who entice our children to 
meet them for sexual purposes. Dramatic increases in technology 
and its availability on the consumer level, coupled with a 
decline in cost, have given those who would exploit children a 
remarkable, effective, and far-reaching ability with which to 
do so.
    To combat these crimes, detectives with the Delaware County 
Criminal Investigation Division, Economic Crime Unit, and the 
office's forensic crime lab investigate financial crime. 
The unit receives complaints from our local law enforcement 
agencies, the private sector, as well as the public. Financial 
crimes can refer to any number of nonviolent criminal offenses 
that involve obtaining financial gain through fraud, deceit, 
misrepresentation, or other forms of deception.
    Financial crime is constantly evolving with the times, and 
is hitting new frontiers with the age of the internet. Identity 
theft can be committed against a single individual, 
corporation, or multiple victims. It may even be more complex 
because there can be more than one victim. Frequently the crime 
may not be discovered until long after it was committed. 
Perpetrators may not live in the same jurisdiction as the 
victim, and may commit the crime in several jurisdictions 
simultaneously, making it difficult for law enforcement to 
detect patterns, and the actual extent of the crime. For 
example, identity theft could be committed against a Delaware 
County resident by a perpetrator in Florida who has committed 
the same crime against several other victims across the State. 
Given all of the above, it is clear that identity theft is a 
crime that presents unique challenges to law enforcement to 
investigate and to prosecute.
    The complexities of identity theft cases can slow down, or 
even hinder investigation because of the lack of resources 
available to conduct a cross-jurisdictional investigation. 
Evidence needed by police to solve a cyber crime is often held 
by the private industry, outside of the police's jurisdiction. 
For this reason, strong partnerships are essential to making 
cross-jurisdictional cooperation work. Investigation and 
prosecution can be very time-consuming, due to the volumes of 
records required to be examined, and the time required to 
obtain documents from banks and other financial institutions. 
The unit collaborates with and assists Federal, State, and 
local law enforcement in enforcing State, Federal, and local 
criminal laws relating to computer-related crime through 
forensic collection, recovery, processing, preservation, 
analysis, storage, maintenance, and the presentation of digital 
evidence.
    As more and more people engage in on-line financial 
activities, such as shopping, banking, investing, bill-paying, 
our residents are becoming more vulnerable to sophisticated on-
line identity thieves who target personal identification 
information. Identity theft can happen off-line too. In 
Delaware County we have seen low-tech, inexperienced criminals 
successfully open credit cards, and other financial accounts in 
another's name by stealing mail, personal items from a wallet, 
or even rummaging through trash for personal identification 
information.
    In closing, no one, no individual, and no institution is 
immune from these types of crimes, and so increasing our 
awareness of the issue is one important function of our 
Economic Crime Unit. We alert the public to steps that must be 
taken to ensure their computers are secure, and their personal 
information is safe by sharing information through public 
service announcement videos, brochures, along with public 
presentations and seminars held in partnership with our 
financial institution, local businesses, and community 
partnerships. Thank you.
    [The prepared statement of Mr. Whelan follows:]
             Prepared Statement of John J. ``Jack'' Whelan
                             April 16, 2014
    Good morning Chairman Meehan and Members of the House committee. I 
would like to thank you for the opportunity to discuss cybersecurity 
and how we can work together to better protect the identities of 
Delaware County residents.
    As the committee is well aware, identity theft is the Nation's 
fastest-growing crime. In law enforcement, we define cyber crime as any 
crime where a computer or the internet is used to commit or conceal a 
crime.
    In Delaware County, our detectives see cyber crime first-hand in 
cases when identity thieves steal personal information and use it to 
gain access to a victim's financial resources. These thieves may steal 
mail, hack into computers, or enlist employees at companies that have 
legitimate access to personal information. They also use e-mail or 
telephone scams to commit a crime, which is most often seen in crimes 
committed against Delaware County's most vulnerable population, our 
senior citizens. With relatively little information, even low-tech, 
inexperienced criminals can begin opening accounts in another person's 
name and run up substantial charges.
    In one case, we arrested Dorothy J. Miller of Havertown for 
stealing more than $150,000 from her employer, Summers Hardwood Floors, 
Inc. located in Sharon Hill, PA. After assuming the identity of the 
company owner John Summers, who had passed away, Miller opened a credit 
card in his name and forged numerous checks using his and his wife's 
signature. Through handwriting analysis, our detectives were able to 
charge Miller with multiple felony counts of theft, forgery, identity 
theft, and conspiracy.
    In Delaware County, we also see criminals using the internet to 
trick people into giving them money or merchandise. These scams run 
from the small-time bait-and-switch schemes as you might see on 
Craigslist, to sophisticated false websites that are set up to look 
like genuine websites, such as major banks. Computers can also be used 
as instruments of stalking or harassment via e-mail or social 
networking sites. Targeting another vulnerable population, computers 
are also used in crimes against children where the internet is used to 
traffic child pornography and by predators to entice our children to 
meet them for sexual purposes. Dramatic increases in technology and its 
availability on the consumer level, coupled with a decline in cost, 
have given those who would exploit children a remarkably effective and 
far-reaching ability with which to do so.
    To combat these crimes, detectives with the Delaware County 
District Attorney's Criminal Investigation Division (CID) Economic 
Crime Unit and the office's forensic crime lab investigate financial 
crimes. The Unit receives complaints from our local law enforcement 
agencies, the private sector as well as the public. Financial crimes 
can refer to any number of nonviolent criminal offenses that involve 
obtaining financial gain through fraud, deceit, misrepresentation, or 
other forms of deception. Financial crime is constantly evolving with 
the times, and is hitting new frontiers with the age of the internet.
    Identity theft can be committed against a single individual, 
corporation, or multiple victims. It may be even more complex because 
there can be more than one victim. Frequently, the crime may not be 
discovered until long after it was committed. Perpetrators may not live 
in the same jurisdiction as the victim and may commit the crime in 
several jurisdictions simultaneously, making it difficult for law 
enforcement to detect patterns and the actual extent of the crime. For 
example, identity theft could be committed against a Delaware County 
resident by a perpetrator in Florida who has committed the same crime 
against several other victims across the State. Given all of the above, 
it is clear that identity theft is a crime that presents unique 
challenges to law enforcement to investigate and prosecute.
    The complexities of identity theft cases can slow down or hinder 
investigations because of the lack of resources available to conduct 
the cross-jurisdictional investigation.
    Evidence needed by police to solve a cyber crime is often held by 
private industry outside of police's jurisdiction. For this reason, 
strong partnerships are essential to making cross-jurisdiction 
cooperation work. Investigation and prosecution can be time-consuming 
due to the volume of records required to be examined and the time 
required to obtain documents from banks and other financial 
institutions. The unit collaborates with and assists Federal, State, 
and local law enforcement in enforcing Federal, State, and local 
criminal laws relating to computer-related crime through forensic 
collection, recovery, processing, preservation, analysis, storage, 
maintenance, and presentation of digital evidence.
    As more and more people engage in on-line financial activities such 
as shopping, banking, investing, and bill paying, our residents become 
more vulnerable to sophisticated on-line identity thieves who target 
personal identification information. Identity theft can happen off-line 
too. In Delaware County, we have seen low-tech, inexperienced criminals 
successfully open credit cards and other financial accounts in 
another's name by stealing mail, personal items such as a wallet, or 
even rummaging through trash for personal identification information.
    In closing, no one, no individual, and no institution, is immune 
from these kinds of crimes. And so, increasing awareness of the issue 
is one important function of our Economic Crimes Unit. We alert the 
public to the steps they must take to ensure that their computers are 
secure and their personal information is safe by sharing information 
through PSA videos, brochures, along with public presentations and 
seminars held in partnership with financial institutions, local 
businesses, and our community partnerships.
    Thank you.

    Mr. Meehan. I want to thank the District Attorney. I thank 
each of the witnesses for their testimony. So I now recognize 
myself for 5 minutes of questions.
    I am grateful for your oversight, and we are here talking 
today about how law enforcement can work together at the 
Federal and local level as well. I started by saying that we 
have issues with terrorism, nation-states who are using the 
internet as a method for, you know, global reach, but our focus 
here today is on the criminal side of this activity, because 
that is what most directly affects our communities, especially 
communities here, the individual who has had their identities 
taken, the small banker who has to deal with the implications 
of a fraud, like Target.
    So that is where people are beginning, for the first time, 
to see how they are actually affected by the kinds of 
sophisticated schemes that we see. We have looked at four 
different kinds of examples that have just come to mind, most 
significantly the Target breach, about 110 million identities, 
40 million actual identities stolen through the point of 
service that was--well, the service mechanisms. The key thing 
being there that they were able to access this entire system by 
going through a heating and air conditioning contract that had 
access to the major system. Neiman Marcus, some 350,000 
victims, the University of Maryland, 300,000 alumni, and 
students, having significant identification taken. It is not 
just the, you know, the private sector, or large universities, 
or others. The Government itself, the South Carolina Department 
of Revenue, 40 million identities that have been taken.
    Now, I am struck by two things, and I would like to ask you 
guys to talk about this. As I look back, I see, first, 
particularly with respect to the Neiman Marcus, some of these 
viruses, or other kinds of malware, had been in the systems for 
months before detected--before activity takes place. In fact, 
they suggested at Neiman Marcus for 8 months it had been in 
there. In addition, we have seen this with Target, that there 
were numerous times in which there were signs, or other kinds 
of things, in which there could have been opportunities to 
catch some of this activity before it either manifested itself, 
or at least manifested itself to the degree that it did. There 
is a suggestion that as many as 300,000 pings, so to speak, in 
the Neiman Marcus should have tipped somebody off to look 
better.
    In light of that, what do we need to be doing better to be 
able to identify those kinds of malware and other things that 
are living within systems for long periods of time before they 
are identified, and what do we need to be doing better, along 
the kill chain or otherwise, to be taking advantage of the 
signals that do arise to be able to impact these kinds of 
threats before they reach the scope that they are? I conclude 
by saying I do appreciate that many times what we don't hear 
about is when you have successfully prevented some kind of 
remarkable thing, but I am asking you to give me your insights 
on that particular question. What do we need to be doing 
better, both with the time in there, as well as taking better 
advantage of the signals that are given? Mr. Baranoff.
    Mr. Baranoff. I will get it started. First I will say that 
we are dealing with a very----
    Mr. Meehan. Once again, would you make sure that your 
microphone is on?
    Mr. Baranoff. Is that better?
    Mr. Meehan. Yeah.
    Mr. Baranoff. Okay. We are dealing with a very 
sophisticated actor, organized actor. We are able to defeat 
very sophisticated, organized systems. That is why we encourage 
business to really reverse the model, in terms of where 
investment is. First and foremost, to response and recovery, as 
well as a relationship with a law enforcement agency with 
jurisdiction. It is extremely important that we are getting a 
full breadth of the landscape of what is taking place. If 
companies aren't reporting to us, that limits us as to the 
picture, threat picture.
    Second, the one thing that we have found in almost every 
breach--actually, in every single major breach that we have 
investigated, there has been pre-attack behavior that has taken 
place. If you are able to identify those pre-attack anomalies, 
that will also help in the success of containing the issue. 
Then, obviously, continued investment and prevention, such as 
traditional prevention, like firewalls, proper segmentation, 
those help as well. But, again, the--probably the most critical 
element is the first piece, because it is not a matter of if, 
it is a matter of when you will suffer some type of breach.
    Mr. Meehan. Yeah, I think you identified that--when we are 
talking about entrance into the systems, it requires, as you 
said, to reverse the process, to go almost down to the front 
end, to see the signals that are coming in, and to have some 
sort of shared responsibility in here. I noted at the outset 
this came in through a contractor, a subcontractor, that had 
access to a system.
    But are we doing enough to make available to the small 
businessperson, to the local District Attorney's office, you 
know, to the small financial services organization who holds 
these, are we doing enough to both get them the kind of 
information that allows them to see the signal that is being 
shared so that they can react in time? I mean, one of the 
criticisms that we are hearing is this most recent act, 
Heartbleed. I am informed that there may have been knowledge of 
that for months before anybody shared that with a broader 
spectrum of people.
    Mr. Baranoff. There are many more--there are many 
vulnerabilities that exist beyond the Heartbleed Secure Sockets 
Layer vulnerability. I think that, really, there are two parts 
here. First, the consumer has to take it upon themselves--the 
end result of a lot of these breaches is identity theft, and, 
unfortunately, the consumer needs to take it upon themselves to 
be viewing their credit reports, and to use cyber hygiene, as 
you mentioned in your opening statement. So I think that is of 
utmost importance.
    Mr. Meehan. Now, Mr. Quinn, you see these from the global 
perspective. Again, as I said, oftentimes these are going back 
to Eastern European organizations. Certainly that is the 
suspicion with regard to the, you know, the--Target. What is 
your perspective on those questions about how we can----
    Mr. Quinn. Well, Chairman, first and foremost, I concur 
with ASAC Baranoff on some of his suggestions. You had alluded 
to terrorism before, and I approach things mostly from a 
terrorism background. One of the things--the analogous things 
that we need to do is institute trip wires within the company. 
There are a couple of things that I see from a local level that 
happened. First and foremost, the consumer, or the potential 
victims, aren't necessarily educated about what the 
consequences are for some of these things. September 11 is 
often attributed to a failure of imagination. If I look at the 
cyber threat, and we haven't had a cyber equivalent of 9/11, 
and I hope we don't, but if I were to look at our 
vulnerabilities, it is a failure of imagination, but it is also 
a failure of appreciation, and perhaps recognition of the 
consequences.
    I think some of the larger institutions do recognize the 
dangers and the consequences, but what you are talking about is 
what we anecdotally refer to as mom-and-pop operations. So it 
really breaks down at the local level to making sure that you 
have instituted trip wires, which is nothing more than 
effective outreach to them to educate them not only on the 
consequences and the threat itself, but prophylactic measures 
that they can take to guard against this. So for them, it won't 
become a catastrophic event.
    Mr. Meehan. I see. When you use trip wires, now, I mean--
but clearly we saw a contractor, and by all analysis this 
contractor was--even though there were standards within the 
industry, they may have not been as up-to-date in terms of 
practicing those standards. So that becomes sort of the Trojan 
horse way into the kingdom. But once in there, there were 
signals that were sent, both with respect to trip wires that 
were set off----
    Mr. Quinn. Yes.
    Mr. Meehan [continuing]. At Target that were not followed 
up on appropriately as they set the malware that went through 
all the point-of-service, you know, transactions. Then also, 
with knowledge that they were inside the system, to some 
extent, the exfiltration was a second time in which there were 
a number of opportunities to prevent the scope of information 
escaping. So where is the responsibility, not just on the local 
level, but are we getting too many circumstances in which, you 
know, people--well, there is another, you know, that is just 
another alarm going off. It almost sounds like false alarms, 
and people are not following up on them.
    Mr. Quinn. It is a fair point. I can't necessarily speak to 
the Target investigation intimately because I am not involved 
in that at the National level, but what I can tell you is one 
of the challenges, when it comes to dealing with companies, is 
getting them to take--when the trip wires are tripped, to take 
that seriously. There has to be a shared responsibility. We in 
the Government do have a responsibility not only to 
investigate, but to the extent--try to mitigate ahead of time 
any of the consequences.
    That said, once we do that, the potential victims share a 
responsibility in making sure that their security protocols are 
not only up-to-date, but adhered to. Because, quite frankly, 
from a risk management perspective, if you don't adhere to your 
own security protocols, or if you don't even have them in place 
to begin with, that is a liability. You create your own 
vulnerability. So I don't want to minimize what we in the 
Government have to do. We definitely have to educate the 
private sector, but we also have to convey the message to them 
to take this seriously, because if you don't, the consequences 
are catastrophic. The old saying about a stitch in time saves 
nine, it applies 100 percent to cybersecurity.
    Mr. Meehan. My time has expired, and I will have some 
follow-up questions in what will be a second round, but at this 
point in time I want to turn to the Ranking Member for 
questions that she may have.
    Ms. Clarke. Thank you once again, Mr. Chairman, and to our 
expert panelists who have come today. Just wanted to sort-of 
backpedal just a little to break this thing down as 
fundamentally as we can. Because, again, we are here at the 
local level, and when you look at the case scenario that the 
Target incident provides for us, it is a layered process that 
got us to that massive breach, and it didn't take all week to 
accomplish that.
    I think that part of the challenge for a modern-day society 
is, how do we address it categorically? How does everyone see 
their responsibility, their obligations? How do we kind of 
connect the dots for each individual and/or entity in their 
particular space to be able to recognize what needs to be done 
to either mitigate a situation once it has occurred, or prevent 
it, ideally, from occurring?
    I think that is part of the challenge for our society right 
now. You know, I--you talked about imagination, Mr. Quinn. The 
thing about technology is you don't have to have a whole lot of 
imagination. It will help you to facilitate whatever it is that 
you want to do, and people don't see imagination necessarily 
juxtaposed with intuition, right? So you intuitively--we use 
technology to a certain degree. You know you want to--you start 
here, and you know you want to go there, and you just figure 
out the tools for doing that. But most people don't go beyond, 
to use the imagination to say, well, what if? Except the bad 
actors, right?
    So the question becomes, for the innocent one, how do we 
sound the alarm for them? That is part of the challenge in the 
physical world, as well as in the world of technology, and the 
use of the internet. Then we talked about there were trip 
wires, and there were indicators, but, you know, I have been in 
buildings where you will hear the emergency alarm go off, and 
no one budges. Particularly people who are used to being in an 
environment where perhaps the emergency alarm goes off, and 
everyone knows it just goes off. However, the practice of 
actually responding is where the failure comes in.
    So the question becomes, from your point of view, how do we 
develop, and this is for the entire panel, a clearer 
understanding of exactly what constitutes cyber crime? You 
know, is there a categorical difference in what we are dealing 
with? It is prevalence, the levels of harm to consumers and 
companies, I mean, we have kind of got to get into the weeds. 
Because--think about just the layers in the Target scenario 
alone. That small contractor, who--how many people worked for 
that contractor, and who was the person, ultimately, you know, 
that slipped up, in terms of the cyber hygiene?
    You know, and what are the implications for that? What are 
the implications for the consumer that didn't respond, though 
they know they shopped at Target, you know, and now, you know, 
they are in financial distress. How do we break this down 
categorically, and how can we better equip policymakers to 
debate this, the adequacy of Federal law? I joke about this a 
lot. I don't do it to demean it, but I still have colleagues 
with flip phones, you know, so just dealing with the ideas 
involved in cyber becomes almost a foreign concept. How do we 
break it down for people? How do we make it real, and how do we 
strip away these layers and make it categorical? That is my 
question.
    Mr. Baranoff. Should I get it started?
    Ms. Clarke. Yes.
    Mr. Baranoff. Okay. Let me just say this, just in the first 
quarter of this year, the Secret Service has responded Nation-
wide to over 100 data breaches. Most of those companies are 
small and medium-sized businesses. They are not the large 
retailers that you hear about in the news. I read a recent 
statistic that stated that the average small to medium-sized 
business, when they suffer a data breach, will lose about 
$200,000. Eighty percent of those companies, within 6 months, 
will go out of business. Well, mitigating that statistic is 
extremely important to the Secret Service, which is why, as we 
collect cybersecurity information, we push it through our 
Department's NCCIC to get it out to the greater industry.
    Ms. Clarke. So, I mean, it is one thing being informed, it 
is one thing to find a way to get people to put this--put your 
recommendations into practice. Because, you know, that is a 
$200,000 hit, and you are not aware of what to do, or how to 
prevent it from happening in the future, becomes the challenge 
in the environment that we are talking about.
    Mr. Baranoff. Well, I think a lot of that work is done at 
the State and local level, quite frankly, which is why we train 
State and local police officers, prosecutors, and judges at our 
National Cyber Forensic Institute in Hoover, Alabama. A lot of 
those front-line officers, and judges, and prosecutors are 
handling the multitude and the lion's share of this work. That 
is what I would say on that.
    Mr. Quinn. Well, in addition to what Mr. Baranoff had said, 
I think the key is making the consequences viscerally 
compelling. With other crimes, such as terrorism, you know 
immediately what the impact is. Had a Target store been blown 
up, and it was an act of terrorism, immediately people would 
have acted. It is making the abstract, the terabytes, and 
things of that sort, tangible.
    So the way we approach it, and, again, I am speaking from a 
local level, at the Philadelphia level, is we have two 
mechanisms by which we do this. We have our cyber task forces, 
which are comprised of agents, analysts, and computer 
scientists, as well as other members of the Federal, State, and 
local law enforcement community. That in and of itself is an 
educational process. We take that expertise, and we try to 
leverage it through our InfraGard program. For instance, in 
Philadelphia we have roughly 1,500 members of InfraGard. In 
Harrisburg it is about 650. They are the gateways to both the 
significant and the more mom-and-pop operations, because the 
way we are evolving that is we are trying to break it down by 
sector. If we can communicate within the InfraGard program to 
all of the entities that potentially could be impacted, we take 
care of the educational component.
    Now, how you--now, we are always going to be seeking to 
prevent, first and foremost. Mitigation is a different story, 
and that is something that we share across the board as a 
Government, and with the private sector. So that is--my answer 
to your question is making the abstract tangible, letting 
people know where it hurts them, potentially.
    Mr. Whelan. From a prosecutor's standpoint, in the local 
level, unfortunately, we get into situations, and I agree with 
Mr. Quinn, where economic crime, cyber crime, is dealt with on 
the court level more leniently, and I agree that we need to 
educate our judges as to the devastating impact of cyber crime. 
We typically are dealing with some serious violent cases, and 
judges treat those violent cases accordingly. However, in 
economic crime cases, they may not be as aggressively 
prosecuted or treated only because of the ramifications, 
compared to the violent crime aspect. So we are encouraging our 
judges--I have instructed our prosecutors in cases of this 
nature, to make sure that they are aggressively prosecuting, 
but we also deal with sentencing guidelines, which sets a 
standard range, a mitigated range, and an aggravated range, as 
to where the court should sentence in these types of cases.
    We also--in addition to aggressively prosecuting the crime, 
we deal proactively with many of these situations by engaging 
in prevention, by going out to our senior citizen communities, 
going out to our parents, our PTAs, our Rotary clubs, and 
explaining to them how to be proactive in preventing themselves 
from being victims of identity theft, which is very important.
    We periodically go to our business community and have 
forums in the business community. We invite guest speakers, 
such as our FBI--our local FBI office to come in and talk about 
cyber crime, and how they can better protect their business as 
a result of what we are seeing occurring on a National level, 
as well as a local level. So I think we need to continue with 
both the aggressive prosecution, as well as the prevention 
efforts.
    Mr. Meehan. I thank the--and the Chairman now recognizes 
the gentleman from Bucks County, Mr. Fitzpatrick.
    Mr. Fitzpatrick. I thank the Chairman again, and we really 
appreciate the testimony of the law enforcement, and the law 
enforcement perspective of the witnesses here today.
    I wanted to follow up on, Agent Baranoff, something you 
stated, that, you know, a great majority of the security 
breaches, the victims are small and medium-sized businesses. We 
hear in the news about the significant security breaches, the 
retailer--Target organization, we have all heard about that. We 
have come to understand from news reports that many times 
when--could be an educational institution, or a retailer, or a 
merchant, is a victim of a security breach, of a cyber attack, 
that there is a lag time, that there is a lapse, if you will, 
between when that organization becomes the victim, when the 
incident occurs, and when they understood that it occurred.
    Many times they are informed of the attack, of the 
victimization, by a third party. You know, could be their bank, 
credit institution, a financial services institution. Many 
times it is law enforcement informing the victim that they are, 
in fact, a victim. I was wondering if each of you, from your 
different perspectives, could comment on why you think there is 
that lapse. Is it that we are not identifying the security 
breach? What is it that Congress can do to help law 
enforcement, or help, perhaps, these institutions or merchants 
to understand quicker? Because it is one thing to become, you 
know, as a small business, to become a victim of a $200,000 
hit, and the victims, you know, Chairman Meehan wanted to bring 
this down to a local perspective, is that small business in our 
community, the customers that rely on that business, the 
families, you know, of the employees who rely on that paycheck, 
they all become victims of that particular attack.
    It is one thing that--to have that attack occur, but then 
to not recognize it, and have it occur perhaps many times, 
until somebody actually informs them. So I was wondering if you 
could just comment on why is it the lapse occurs, and what can 
we do better to speed up that realization?
    Mr. Baranoff. Well, some of the lapse may be resulting from 
investment by the companies. The small or medium-sized 
companies, it is very expensive to have the proper cyber 
mitigation in place. I agree with what you stated earlier, that 
both the Trustwave and Verizon reports that we participate in, 
the most--they are two of the most widely-read data breach 
reports that exist today, they both have found in their 
studies, along with us, that a majority of the notification is 
made by an outside party, so the victim isn't knowing that they 
are being victimized as the event is taking place.
    I think, again, the notification to law enforcement is 
paramount. We don't hear from a lot of folks, and I think that, 
you know, aside from the larger retailers, and the larger 
companies, the smaller ones are just as important. Again, it 
will give us a breadth of what is taking place. It also will 
help us empower the NCCIC, in pushing out its information to 
the broader industry, to include the financial services 
information sharing and analysis centers, as well as the multi-
State ISACs. So I think that notification to law enforcement is 
extremely important.
    In terms of deterrent, if we were to go down to the road of 
deterrent, we would certainly support legislation that 
strengthens 18 U.S. Code 1030, which is the Computer Data 
Breach statute, perhaps having it as a predicate to a RICO 
charge, which is a much stronger charge. So that type of 
legislation would be helpful as well.
    Mr. Quinn. Thank you, Congressman. I echo my colleague's 
statements, but I also would point out that the delay sometimes 
could be a result of the companies themselves not being state-
of-the-art when it comes to training, or even identifying 
vulnerabilities or malware that is in their system. But I also 
think it would be, you know, disingenuous of me to say that--or 
to not acknowledge that some companies may be reluctant to 
notify law enforcement. It is that--that is where we kind of 
have--it is incumbent upon us, and the Federal, State, and 
local systems, to disabuse them of the notion that, when we 
come in, we are going to throw their operations into chaos, and 
that it is going to be a chaotic atmosphere, or something that 
is overly intrusive to them.
    It is cliché to say that the Federal Government is here, we 
are here to help you, but we really do have to market ourselves 
in that respect, is that we are here to help you prevent, we 
are here to help you mitigate. We will maintain as small of a 
footprint as possible, and try to minimize the impact on your 
operations, and that is the investment that will keep you from 
losing out long-term.
    Mr. Whelan. Certainly, from our perspective, it is 
devastating to our local businesses when this occurs. We do see 
individuals that it affects. Recently, over the last year-and-a-
half, two of the three detectives that we have hired were hired 
as experts in computer forensics, and we are now looking at 
hiring more analysts, lay individuals, not sworn officers, that 
can assist us in dealing with the issue of cyber crime, so that 
when a business reacts, and when an individual is affected, we 
have the necessary tools to go out and address it. So it is 
becoming very expensive, from our level, to continue to fight, 
but the good news is that we have a great relationship with the 
FBI, and--in cases that are cross-jurisdictional, and in cases 
where we just need the assistance of the FBI, where--we reach 
out to our local Newtown Square office, and they have been very 
helpful for us.
    Mr. Fitzpatrick. So what is your experience in Delaware 
County? Is it that, in most cases, law enforcement is notifying 
the victim, or the victim is contacting the District Attorney's 
office? Now, you mentioned in your testimony that many of these 
cases of identity theft and cyber terrorism, it is occurring in 
not just two jurisdictions, but across several jurisdictions, 
so you are dealing with many, many different law enforcement 
agencies. Does that add to the lag time and notification?
    Mr. Whelan. Absolutely, and that poses problems from an 
investigation, as well as a prosecutorial standpoint, so that 
does become a factor. For the most part, we are being notified, 
and hopefully as early as possible. Then we send our team of 
forensic experts in to look at the situation, make a 
determination as to where it originates, how it is affecting 
the company or the individual, and then act accordingly whether 
we are going to ask for additional help either on the State or 
Federal level, or can we locally handle it, prosecute it, 
investigate it to our fullest extent?
    Mr. Fitzpatrick. I appreciate what you are doing. Thank 
you.
    Mr. Meehan. I thank the gentleman from Bucks County. I have 
some follow-up--a follow-up question related to the discussion 
that we just had. That is a staggering statistic there that was 
just mentioned, that there is--$200,000 is a loss, and that 
oftentimes we see within months that company goes out of 
business. To me, that really recognizes the impact of this on a 
local level. We are talking about the social costs of cyber 
crime. We often discuss on the macro level, you never know when 
you didn't get the project because somebody stole your bid 
information before it was placed. The cyber espionage can be 
real, but this statistic where, you know, we have a local 
company, and the margins are so thin. So in addition to the 
financial crime, we are losing jobs associated with this. This 
is having a real impact.
    I met yesterday with a local 501(c)(3) organization, you 
know, a non-profit entity, with a staggering $650,000 hit that 
came through a network in which their network was compromised 
without their knowledge. Now, insurance is going to carry about 
a third of that, and they may be able to litigate, but it is 
going to take them years to get a resolution. Meanwhile, they 
are on the hook for $400,000, and this is a non-profit entity. 
So how do we deal with financial institutions, small 
businesses? Where is this sweet spot? Because we are asking 
them to engage more in their home cyber protection, but how do 
they know what is the right amount? Because you could--it could 
be an endless process of trying to protect the fortress, so to 
speak.
    So in line with this dynamic process, in which we pick up 
information at different points in time, how are we getting to 
the people that we know are impacted, because we know there is 
information from their systems, and giving them real-time 
information that allows them to catch up with everybody else in 
a timely fashion before they find themselves victimized?
    Mr. Baranoff. Well, the sharing of that cybersecurity 
information is probably one of the most paramount preventative 
methods that you can have. That is why we encourage folks to 
join our electronic crimes task forces, to attend our meetings. 
We push out cybersecurity information through our electronic 
crimes task forces just as quickly as we do through the FS-ISAC, 
through the Departments, NCCIC, and so on.
    Mr. Meehan. So is the key, I mean, to work through--again, 
because, while you may have a local--I keep going back to 
banks. You know, you may have a local bank that is sizeable 
that, on a monthly basis, attends your meetings there, or 
InfraGard, but, you know, you have small community-based 
organizations that may have four or five branches, and how do 
they find the time to take somebody out once a month to, you 
know, spend the better part of a day getting that? Where--how 
do we get down--through what mechanisms do we get down to the 
local level to get to the people who need the information?
    Mr. Baranoff. Well, in terms of our task forces, they are 
regionally-based, so the issues that are affecting the 
Southwest are different than the issues affecting the 
Northeast. Those particular issues, related to the region that 
they are in, are addressed by that particular task force. So 
whether it is cybersecurity information related to the banking 
industry, or cybersecurity information related to the oil and 
gas industry, that information is shared in real time with 
those particular partnerships.
    Mr. Meehan. Do we reach out to people, or do we compile 
lists so that we know somebody has likely had their system 
impacted, and do we go out, even if they are not part of an 
association, or part of an ISAC, or part of even a Chamber of 
Commerce or something? Do we go--get down to trying to let 
victims know that they have been victimized?
    Mr. Baranoff. We absolutely do, and one thing that we take 
pride in at the Secret Service is that when we call you, we 
have information that is actionable. We have information, you 
know, we know where the needle is, and what haystack to look 
under. That is based on the proactive nature of our 
investigations. We are willing to burn a source, for example, 
to maintain the resiliency of an organization. Prosecution for 
us, quite frankly, is secondary. So we do get out to the 
industry, and we do provide that information in real time to 
save that company. I can tell you last year alone we saved 
several small or medium-sized banks from going under because of 
the information that we provided.
    Mr. Meehan. Special Agent Quinn, do you have some thoughts 
on that?
    Mr. Quinn. I concur wholeheartedly. I mean, our mechanism 
is a little bit different, but it is the same principle. We 
utilize the Cyber Task Force and the InfraGard chapters that 
are within, and, quite frankly, we outsource messaging to them. 
We identify sector chiefs--we're in the process of identifying 
sector chiefs because what can happen is, and it is alluded to 
already, a lot of these small to medium-sized businesses may 
not ever know. If we get a tip, it is incumbent upon us to get 
out there to notify them to--important to mitigate, but also 
prepare them, to prevent something like that from happening 
again. Also share it among--across sectors in the event that it 
might be a continuing threat against other sectors.
    Mr. Meehan. DA, do you--how do you perceive information 
being taken down to your level, with your colleagues in law 
enforcement, or the entities that come to you with concerns or 
complaints?
    Mr. Whelan. Well, certainly we have come across situations 
where individuals will approach us and ask us as to how they 
can be better protected, and what issues can they take? We 
certainly refer them to the resources that are available for 
that particular information, whether it be through the State 
level, or through the Bureau level, with the FBI and the Secret 
Service.
    However, many times what we are dealing with is going out 
into the community through our white collar crime unit. In 
addition to investigating the crime, we will go out there and 
meet with various business entities. We will also meet with 
various individuals that may be vulnerable to crime, and 
address some of the concerns that they have, and they will 
relate information to them. So, from that perspective, we are 
proactive, but, for the most part, unfortunately, from our 
perspective in the prosecutor's office, we are reacting when a 
person already becomes a victim to a crime. But we have 
developed over the years many proactive programs.
    Mr. Meehan. Thank you. I turn to the gentlelady from New 
York.
    Ms. Clarke. I thank you, Mr. Chairman, and, you know, we 
know that private-sector companies, individuals, and law 
enforcement efforts are complicated by the borderless nature of 
cyber crime. It is like--it is insidious when there is the 
ability to be able to tamper with the systems that exist, that 
are all connected to the internet. It is almost like 
quicksilver, because we all know that cyber criminals are not 
hampered by physical proximity. There can be regional, 
national, international borders involved. We know that they can 
be physically located in one nation or state, and direct their 
crime through computers in multiple nations or states, and 
store evidence of crime on computers in yet another nation or 
state.
    So my question to you is a couple of things. No. 1: Does 
this beg for us to develop a new level of law enforcement and 
jurisprudence to address just the nature of how this operates? 
Is there a particular stratification that needs to develop to--
so that, you know, it doesn't take the DA, you know, 2 weeks 
before he is able to begin an investigation, trying to capture 
forensic evidence that may be in his jurisdiction, but could 
easily be shifted? I want us to think about that picture, 
because I have a hard time viewing what we are dealing with 
right now as a society under the current boundaries of the laws 
that exist.
    I mean, crime is crime, yes, but the nature of this one, 
the ability to do things so quickly, is not something that we 
are all accustomed to. I want to raise that with you and get 
your----
    Mr. Baranoff. I would agree. The international component is 
essential. The vast majority of our greatest threat actors in 
cyber are located overseas. The most sophisticated actors are 
overseas, attacking our infrastructure. Fortunately, the Secret 
Service has an outstanding relationship with some of the best 
cyber units located abroad, to include the Dutch National High 
Tech Crime Unit, the German BK, and the like. We rely on them 
to work with us to both capture these individuals, as well as 
collect evidence. A lot of the evidence ends up in overseas 
countries. So that international component is essential, and we 
need to continue to grow and expand that international presence 
to bring these cases to a good conclusion.
    Mr. Quinn. Ranking Member, law will always lag behind 
technology. We see it across all programs, all investigative 
programs. I see it most significantly on the National security 
side, when it comes to new techniques, and how to accommodate--
things of that sort. But like Mr. Baranoff had said, what we 
do--and because of that, it is--it is paramount that the 
relationships that you have overseas, both through--within the 
FBI, our FBI legal attache network--we have roughly 64 legal 
attaches across the world, with 200 sub-offices.
    They are crucial, because it is their relationships with 
their foreign government counterparts that enable us to dual--
accomplish the dual objectives of attribution, which is 
important, but when you think about it, what is the value of 
attribution if you can't do anything against them? We rely 
heavily upon our foreign service partners to execute some type 
of law enforcement action against them. So until the law 
captures or catches up to that, we have to rely upon the 
personal relationships.
    Mr. Whelan. Once our cyber detectives make a determination 
that a crime is committed, what they will do first is try to 
preserve that evidence, collect it, investigate it, preserve 
it. Once we recognize that it has crossed jurisdictional lines, 
we will contact the FBI, give them the information that we 
have, and cooperate with the FBI with everything we can do from 
the local level, and work with them as a--on the National 
issues, based on the evidence we have already presented to 
them.
    Ms. Clarke. So I guess I am hearing from everyone that our 
current laws are sufficient for us to be able to do what we 
need to do in order to protect our citizenry, and address 
actors that may be seeking to do us harm, that we are in a 
place where we are not yet ready to approach these concerns in 
a way in which--the one thing about laws is they serve a lot of 
purposes. One, it is to help redress the harm that may have 
been done to someone, but oftentimes people see them as a 
deterrent to types of behaviors that, if you know what the 
consequences are, you know, because it is in statute or law, 
you are going to think twice, or you are going to understand 
what the implications are.
    My concern is that I don't know that people actually 
understand the implications of a lot of what is taking place on 
the internet, in terms of law, and I don't know where we are 
going to catch up with it. In the interim, there are just some 
legal breaches that are happening along the way to individuals 
that are just using this technology, some meaning to do harm, 
others sort of stuck in the gray area, some kids, you know, 
that get on the internet and act stupid. How do we approach 
this now, if what we are saying is, ``Well, the laws are always 
going to lag behind the technology''? Any ideas?
    Mr. Quinn. Well, I can venture just--you--because that is--
I am the one that said that the laws will always lag behind 
technology. Keep in mind that the value of a law is only as 
good as your ability to enforce it. So I think that it is going 
to be a whole Government approach. Our ability to enforce 
either our own laws, or perhaps leverage the laws of, for 
instance, a foreign country, where an actor is committing these 
type of cyber crimes, there may be a political and a--there may 
need to be political and diplomatic leveraging mechanisms, and 
so I don't want to create the impression that reliance upon the 
law is going to be an end-all, be-all to that.
    Mr. Meehan. I thank the gentlelady. Before I let you go, 
let me just ask one other question as we are going through 
this, because we are talking about systems that are, you know, 
the systems aren't static, and how are we dealing with the 
changing technology? I mean now, rather than--protecting 
something used to be the computer system within a business. You 
know, we are seeing cell phones, we are seeing GPS, we are 
seeing skimmers that can be used, or iPads. I mean, people now 
have in their hand the full computing power they used to have 
in the heart of a business. It seems like it is getting 
tougher.
    Mr. Baranoff. I would say that, you know, when I first 
started in cyber about 7 years ago, the technology changed 
probably every 18 months. Today I would say it is a third of 
that, probably every 6 months. It is challenging for us, in 
that environment, to stay up with technology, certainly with 
the training that is needed to investigate a lot of these 
crimes.
    Mr. Quinn. For us, you are absolutely right, it is probably 
one of the bigger challenges that we face. What we have to do 
in order to stay on the cutting edge is recruit computer 
scientists to come in, and that in and of itself can be a 
challenge, because they have opportunities that are unique, 
and, quite frankly, more lucrative out in the private sector. 
But in addition to training our own workforce, and taking 
responsibility for it within, we have to bring others in who 
have the expertise, and at the same time leverage partners in 
the private sector who can help us do the same things.
    Mr. Whelan. We are constantly updating, and having our 
detectives, our computer forensic detectives, in new trainings, 
new courses, new certifications. It seems like every couple 
months the detectives are away from the investigation, or at 
schools, to update themselves on the new technology. Now we are 
looking at hiring new analysts, and looking at new technology 
to bring them in so that they are coming in at a level with the 
current technology, as opposed to someone that has been out 
there that may not have been updated. So it is a constant 
battle, and it is a constant expense for us.
    Mr. Meehan. Well, I thank the entire panel for your 
presence here today, but not just your testimony, but for your 
good work in these areas. As I said at the outset, we don't 
hear about the crimes that aren't committed, and so there are 
some remarkable things that are being done. I--the takeaway I 
get from this is the responsibility that we have to encourage 
businesses that aren't coming forward, those who are part of 
your InfraGard, to report in, those that are part of your 
Electronic Crimes Task Force. The--people that are coming in to 
your, you know, they may be dealing with you in the form of 
reporting something that is a local crime, but not taking the 
time to make sure that they share that with a--with the 
National matrix, because you never know where the weakest link 
is, and where something is coming in.
    So thank you for the good work that you are doing, and I am 
particularly appreciative of your being here today. We will 
take a moment for the second panel to organize itself.
    Let me thank our second panel for your patience in being 
with us today, and again for your testimony, or your prepared 
testimony. I am very grateful. You tell, and are an important 
voice in this dynamic. While we have spoken to law enforcement 
about the procedures, you are the ones on the front lines, in 
terms of dealing with the implications of this, or looking at 
the issues with respect to the totality, but particularly as it 
affects the victims that ultimately work through some of the 
entities in commerce.
    So we have--we are pleased to be joined by three more 
panelists to conclude our hearing. The first is Mr. Ted Peters. 
He is the chairman and CEO of Bryn Mawr Trust. That is a 
company that provides personal and business banking throughout 
the State of Pennsylvania. Mr. Peters has more than 30 years' 
experience in the banking industry, including many successful 
entrepreneurial endeavors. He has been at the helm of Bryn Mawr 
Trust since 2001, and certainly has seen the growth in this 
area. In addition, Mr. Peters was elected to serve a 3-year 
term on the Federal Reserve Board, Bank of Philadelphia Board 
of Directors.
    Joining Mr. Peters is Mr. Tom Litchford. He is the vice 
president of retail technologies at the National Retail 
Federation, and the National Retail Federation is the world's 
largest retail trade association, representing all varieties of 
retail stores across more than 45 countries, and including the 
Targets of the world. As vice president, he leads and manages 
the NRF's IT leadership community, including its Chief 
Information Officer Council. He also oversees the Federation's 
Association for Retail Technology Standards as its executive 
director, where he develops and enhances domestic and 
international relationships between retail and technology 
companies. Mr. Litchford, thank you for being with us.
    Last, we are joined by Matthew Rhoades, who is the Director 
of Cyberspace and Security Programs with the Truman National 
Security Project, and the Center for National Policy. In this 
role, he leads the program's Steering Committee, and directs 
the organization's cybersecurity policy initiatives. Previously 
he served as the director of legislative affairs at the Truman 
National Security Project, and in that capacity he ran the 
Congressional Security Scholars Program, and was the principal 
author of the Truman Security Briefing Book. I know you enjoy 
an overall perspective on this, and we are looking forward to 
your thoughts.
    So I thank you all for being here. Your written statements 
will appear in the record, so I look forward to your verbal 
testimony. Mr. Peters, the Chairman now recognizes you for your 
opening statement.

 STATEMENT OF FREDERICK ``TED'' PETERS, CHAIRMAN AND CEO, BRYN 
                           MAWR TRUST

    Mr. Peters. Yes. Chairman Meehan, Chairperson, or 
Chairwoman Clarke, and--excuse me, Chair--Congress--
Congresswoman Clarke, and Congressman Fitzpatrick, thank you 
for having me as a witness in this area of critical importance 
to our country. As a banker for almost 40 years, I will try to 
focus my comments and testimony on issues relating to the 
financial services industry and its clients. Some quick 
background on Bryn Mawr Trust, where we recently celebrated our 
125th anniversary as a Philadelphia area institution, we are a 
$9.5 billion organization, with over $2 million of banking 
assets, and $7 1/2 million--excuse me, $7 1/2 billion of 
trust and investment assets, and we serve primarily individuals 
and closely-held businesses which operate in this region.
    All banks and financial institutions are extremely alarmed 
at the actual potential threats of cyber crime. At our bank we 
have devoted extraordinary amounts of time, man- and women-
power, and money to protect our bank, all of our clients, from 
this growing problem. In fact, it is approximately $1 million a 
year we spend on this.
    In the United States and world-wide, cyber crime and cyber 
threats are multiplying at an alarming rate. These threats come 
in the form of hacking, phishing, its more sophisticated 
derivative spear phishing, malware intrusion, and the well-
publicized DDoS, or Distributed Denial of Service, attacks, 
which have been perpetrated on many larger U.S. financial 
institutions.
    Who are the bad guys? They are no longer precocious 
teenagers operating at 3:00 in the morning in their parents' 
rec rooms. Today's perpetrators are high-level professionals 
who fall into a number of categories. Organized crime rings are 
responsible for over half of all attacks. These are well-
organized groups which operate in a structured and efficient 
manner, with profit and loss statements much like legitimate 
businesses. Their sophistication is extremely high, and 
improving almost daily.
    Next are the State-supported enterprises, which comprise 
about a quarter of all attacks. These enterprises have 
different motives than organized crimes--crime, and are usually 
looking for intelligence information that would give a nation-
state some political or military advantage. Primary offenders 
here are China, and the former satellite countries of the 
Soviet Union.
    A third group would be the hacktivists, and you have 
probably heard of some of these groups, such as Anonymous, or 
the Tunisian Hackers Team, and these organizations are usually 
not seeking financial gain, but are more interested in making 
headlines. Although hacktivists only account for a small 
percentage of attacks, they have very--been very successful in 
creating a series of high-profile DDOS attacks against 
financial institutions in the United States.
    Last, current and former employees and vendors also provide 
a serious threat. I think we have all heard of a gentleman 
named Edward Snowden.
    One of the biggest threats to banks around the country are 
corporate and individual account takeovers, initiated by 
malware being secretly installed on a business or person's 
computer. Again, you will recognize some of the names of this 
malware, Citadel, Trojan, Zeus. Once inside, the perpetrator 
will then move money around, and eventually try to clean out 
the accounts.
    Point-of-sale payment systems are another favorite target 
of malware criminals. Once the malware is secretly installed on 
a merchant's computer, the malware allows cyber criminals to 
access all the unencrypted credit card and debit card 
information, and at times the encrypted data as well.
    What is the solution? Unfortunately, there is no 100 
percent solution. The cyber criminals who are out there always 
try to stay one head--one step ahead of the financial services 
industry. The following, however, are considered best practices 
to reduce the possibility of any attack being successful. 
First, businesses, and individuals, and financial institutions, 
need to use a multi-layered approach. This means a combination 
of many risk-based, predictive, and behavioral technologies 
which are out there. Companies, and consumers, and financial 
institutions who provide a hardened target will find the cyber 
criminal moving on to new and an easier victim. Next, financial 
institutions must build a strong feedback loop so that any 
intrusion can be identified, and defended accordingly. Last, we 
must continue to perform on-going assessments of risk, and 
improving our defenses.
    With that, Mr. Chairman, my testimony is concluded.
    [The prepared statement of Mr. Peters follows:]
              Prepared Statement of Frederick (Ted) Peters
                             April 16, 2014
    Thank you for having me as a witness in this area of critical 
importance to our country. As a banker for almost 40 years, I will try 
to focus my comments and testimony on issues relating to the financial 
services industry and its clients.
    Some quick background information on the Bryn Mawr Trust Company, 
where I currently serve as chairman and CEO. At Bryn Mawr Trust we 
recently celebrated our 125th anniversary as a Philadelphia area 
financial institution. We are a $9.5 billion organization, with over $2 
billion of banking assets and $7.5 billion of trust and investment 
assets under management or administration in the States of Pennsylvania 
and Delaware. We serve primarily individuals and closely-held 
businesses which operate in this region. Not only have we survived 
numerous wars, recessions, and depressions, but have thrived and are 
one of the highest-performing banks in the Nation.
    All banks and financial institutions are extremely alarmed at the 
actual and potential threats of cyber crime. At our bank we have 
devoted extraordinary amounts of time, man-, and woman-power, and money 
to protect our bank and all of our clients from this growing problem.
    In the United States and world-wide, cyber crime and cyber threats 
are multiplying at an alarming rate. These threats come in the form of 
hacking, phishing, its more sophisticated derivative spear-phishing, 
malware intrusion, and the well-publicized DDoS or ``Distributed Denial 
of Service'' attacks on larger U.S. financial institutions.
    Who are the ``bad guys''?
    They are no longer precocious teenagers operating at 3 in the 
morning in their parents' rec rooms. Today's perpetrators are high-
level professionals and fall into a number of categories.
    Organized crime rings are responsible for over half of all 
attacks. These are well-organized groups which operate in a structured 
and efficient manner with profit-and-loss statements much like a 
legitimate business. Their sophistication is extremely high and 
improving almost daily.
    Next are state-supported enterprises which comprise about a quarter 
of all attacks. These enterprises have different motives than organized 
crime and are usually looking for intelligence information that would 
give a nation-state some political or military advantage. Primary 
offenders here are China and former satellite countries of the Soviet 
Union such as Bulgaria, Romania, and the Ukraine.
    A third group would be the ``hacktivists'' and you have probably 
heard of some of these groups such as ``Anonymous'' or the ``Tunisian 
Hackers Team''. These organizations are usually not seeking financial 
gain, but are more interested in making headlines. Although 
``hacktivists'' only account for a small percent of attacks, they have 
been very successful in creating a series of high-profile DDoS against 
financial institutions in the United States.
    And lastly, current and former employees and vendors also provide a 
serious threat. I think we have all heard of a gentleman named Edward 
Snowden.
    One of the biggest threats to banks around the country are 
``corporate and individual account takeovers'' initiated by malware 
being secretly installed on a business or person's computer. Again you 
will recognize some of the names of this malware--Citadel, Trojan, and 
Zeus. Once inside, the perpetrator will then move money around and 
eventually try to clean out the accounts.
    ``Point of Sale'' payment systems are another target of malware 
criminals. Once the malware is secretly installed on a merchant's 
computer, the malware allows cyber criminals to access all of the 
unencrypted credit card and debit card information, and at times the 
encrypted data as well.
    What is the solution? Unfortunately there is no 100% solution. The 
cyber criminals are out there always trying to stay one step ahead of 
the ``good guys''. The following, however, are considered ``best 
practices'' to reduce the possibility of any attack being successful.
    First, businesses and individuals need to use a multi-layered 
approach. This means a combination of many risk-based, predictive, and 
behavioral technologies which are out there. Companies and consumers 
who provide a ``hardened target'' will find the cyber criminal moving 
on to a new and easier possible victim.
    Next, build a strong ``feedback loop'' so that any intrusion can be 
identified and defended accordingly.
    And lastly, continue to perform on-going assessments of risk and 
improving one's defenses.
    With that, Mr. Chairman, my testimony is concluded.

    Mr. Meehan. I thank you, Mr. Peters.
    The Chairman now recognizes Mr. Litchford.

    STATEMENT OF THOMAS LITCHFORD, VICE PRESIDENT OF RETAIL 
             TECHNOLOGY, NATIONAL RETAIL FEDERATION

    Mr. Litchford. Thank you, Chairman Meehan, Ranking Member 
Clarke, and Representative Fitzpatrick. Thank you for giving me 
this opportunity to provide you with my thoughts on 
safeguarding consumer information from cyber attacks. Again, my 
name is Tom Litchford, and I am vice president for retail 
technologies at the NRF. In that role, I manage the CIO 
Council, the IT Security Council, and the Association for 
Retail Technology Standards, and we serve over 12,000 members 
around the world in the retail industry.
    Regarding the recent cyber attacks, I would first like to 
comment on the often-forgotten fact that these breaches are 
perpetrated by criminals, and often they are very sophisticated 
criminals that are breaking the law. The targeted retailers are 
victims in these situations, and these victims care deeply 
about maintaining the confidentiality of their customer 
information, because if they lose that data, they lose their 
customers' trust, and ultimately they lose business.
    The retail industry makes significant investments every 
year in order to protect confidential customer information. 
Collectively, retailers spend billions of dollars annually to 
safeguard data and fight fraud. But the NRF also understands 
that preventing cyber crime is a complex endeavor, that no 
single solution or silver bullet exists. Breaches still occur, 
and not just in the retail industry. Indeed, in 2013 more 
breaches happened at financial institutions than at retail 
stores and websites, and no industry is immune from this.
    Regarding the problem here, in retail breaches, the 
criminal hackers want to steal consumers' payment card data, 
which they can easily then monetize by fencing the stolen 
numbers on black market websites. U.S. retailers are targeted 
because we not only see the greatest number of cardholders, but 
our merchants have to accept 50-year-old, fraud-prone payment 
card technology. In the United States, a signature and a 
magnetic stripe with unencrypted card numbers are all that is 
needed to authenticate a customer and receive payment 
authorization. NRF supports an immediate move to replace the 
virtually worthless signature authentication with much more 
secure personal identification numbers, or PINs, as is used 
most everywhere else in the world. If marginally more security 
is needed, then a computer chip technology could be added to 
cards and card readers, but with significant cost to our--
all participants in the payments systems.
    It is important to point out that our members', or our 
retailers', support for PIN and chip technology does not mean 
that we should be forced to adopt what is called EMV 
technology. EMV is a proprietary chip technology controlled by 
the major card brands. Indeed, EMV stands for Europay, 
MasterCard, and Visa. Worse, in the U.S. market, the EMV 
standard does not require a use of a PIN. The card companies 
require PINs in Canada, the United Kingdom, Europe, and other 
countries, but seek to do chips without PINs in the United 
States. While EMV chip without PIN certainly protects the 
banks, the card companies' current proposal to continue with 
signatures in the United States leaves the fraud door open.
    Before the retail industry is expected to spend an 
estimated $30 billion for stores to upgrade their readers to 
accept partially-protected EMV cards, the NRF has urged the 
card networks to incorporate PINs now that focus on addressing 
security now so that retailers are protected, and then focus on 
addressing security across the entire payment ecosystem, 
meaning not only stores, but on-line and mobile.
    In addition to addressing the problems with the current 
payment systems, a critical step forward is the need to foster 
greater collaboration. With that, the NRF believes that a 
heightened and well-coordinated information-sharing platform, 
such as a retail ISAC, is a vital component for helping 
retailers in their fight against cyber attacks. NRF is moving 
forward with the creation of such a program, that will provide 
retailers access to information on cybersecurity threats 
identified by retailers, Government, and law enforcement 
agencies, and partners in the financial services sector. The 
program, developed in consultation with the Financial Services 
Information Sharing and Analysis Center, the FSISAC, will 
launch with the establishment of an information-sharing 
platform for retail industry information security specialists, 
and plans call for a retail ISAC to be established this summer.
    Recently representatives from the NRF held in-depth 
discussions with the United States Secret Service, and with the 
NCCIC, the National Cybersecurity and Communications 
Integration Center, and the U.S. CERC, the Computer Emergency 
Readiness Center, with the idea to get insight and guidance on 
how to improve communication, identify available resources, and 
collaborate more effectively to help retailers combat criminal 
cyber activity. NRF and its membership recognize that full 
robust information sharing is sometimes hampered by 
restrictions--legal restrictions. Accordingly, we support 
passage of H.R. 624, the Cyber Intelligence Sharing and 
Protection Act.
    In conclusion, by creating a robust information-sharing 
platform through which retailers can better prepare themselves 
to defend against cyber crime, NRF is actively engaged in 
protecting consumer data. In supporting improved payment card 
technology, we seek to move the industry beyond the 50-year-old 
technology that makes the U.S. retail industry a prime target 
for these breaches. With efforts--with these efforts, as well 
as Congress's continued actions to encourage information 
sharing, we believe we can make the payment system more secure 
for everyone involved.
    With that, thank you, and I will be happy to answer any of 
your questions.
    [The prepared statement of Mr. Litchford follows:]
                 Prepared Statement of Thomas Litchford
                             April 16, 2014
    Chairman Meehan, Ranking Member Clarke, and Members of the 
subcommittee, thank you for giving me this opportunity to provide you 
with my thoughts on safeguarding consumer information from cyber 
attacks. My name is Tom Litchford, and I am vice president of Retail 
Technologies at the National Retail Federation (NRF). In my role at the 
NRF, I manage the CIO Council, the IT Security Council, and the 
Association for Retail Technology Standards.
    NRF is the world's largest retail trade association, representing 
discount and department stores, home goods and specialty stores, Main 
Street merchants, grocers, wholesalers, chain restaurants and internet 
retailers from the United States and more than 45 countries. Retail is 
the Nation's largest private-sector employer, supporting 1 in 4 U.S. 
jobs--42 million working Americans. Contributing $2.5 trillion to 
annual GDP, retail is a daily barometer for the Nation's economy.
    With respect to consumer data breaches I'd first like to comment on 
an often forgotten fact--that these incidents have been perpetrated by 
criminals--and often very sophisticated criminals--that are breaking 
the law. The targeted retailers are victims in these situations--
victims that care very deeply about maintaining the confidentiality of 
their customer information because if they lose that data, they lose 
their customers' trust, and they lose business.
    Accordingly, retailers make significant investments every year in 
order to protect this data. Collectively, retailers spend billions of 
dollars annually to safeguard data and fight fraud, as well as hundreds 
of millions annually on PCI compliance. And yet, breaches still occur. 
And not just in the retail industry. You may be surprised to learn that 
in 2013 more breaches happened at financial institutions than at retail 
stores and websites. Manufacturing, transportation, and utility 
companies, and even professional services firms were targeted. No 
industry is immune.
    In retail breaches, the bad actors are primarily after payment 
data--i.e., credit or debit card numbers--and they particularly like to 
target U.S. cards. Why? Because of the volume of credit and debit card 
numbers, and the fact that merchants must accept from customers 50-
year-old payment card technology--a magnetic stripe and a signature are 
all that is needed to ``authenticate'' the customer and receive payment 
authorization. The bottom line is that signature and mag-stripe based 
cards are inherently fraud-prone products. Unfortunately, retailers and 
our customers are largely at the mercy of the dominant credit card 
companies when it comes to reducing card fraud.
    So, how can we move forward? What types of solutions would reduce 
or eliminate the crimes of data theft and fraud?
             the way forward to protect the retail industry
    One solution would be to replace signature authentication with an 
encrypted Personal Identification Number (PIN). This would greatly 
reduce the utility of counterfeited cards and go a long way toward 
reducing fraud.
    Another solution that is currently receiving some attention would 
be to add a computer chip to the PIN and transition to the more secure 
``Chip and PIN'' payment card technology. This technology employs a 
small computer chip to validate the card to the bank (i.e., confirm 
that it is not a counterfeit) at the Point-of-Sale (POS) terminal, in 
addition to requiring the cardholder to enter a PIN to prove he is the 
person authorized to use the bank-issued card. Chip and PIN technology 
dramatically reduces the value of any stolen ``breached'' data for in-
store purchases because the payment card data is essentially rendered 
worthless to criminals. In addition, the PIN helps ensure that a 
customer and a merchant won't be defrauded even if someone steals the 
customer's card. This combination serves as a deterrent to breaches. 
The failure of U.S. card networks and banks to adopt such a system in 
the United States is one reason why cyber attacks on brick-and-mortar 
retailers have increased domestically even as they have dropped 
overseas where the majority of the countries have adopted Chip and PIN 
payment cards.
    Despite the technology's potential benefits, the Chip and PIN 
technology that is currently widely deployed in Europe and other 
developed countries, sometimes called ``EMV technology,'' would not 
provide the same level of protection in the United States because, as 
mandated by the card brands for the U.S. market, it does not require 
the use of a PIN. EMV--an acronym for Europay, Mastercard and Visa--is 
a proprietary technology controlled by the major card brands. Further, 
EMV, while not necessarily violating the Durbin Amendment, currently 
violates the spirit of that amendment by potentially stifling the 
competition in the debit routing market.
    No technology (and especially not EMV) is a panacea, and there is 
no ``silver bullet'' to preventing cyber crime. EMV, in particular, 
would take years to realize the benefit in fraud reduction. As a 
result, our members are exploring other means of securing data, such as 
encryption and tokenization. Equally important, in addition to 
technological changes, our members are developing measures, such as 
establishing information-sharing mechanisms, to address the advanced 
threats of the evolving cybercrime landscape.
                    the value of information sharing
    One critical aspect of next generation information security is the 
ability to share and receive actionable threat intelligence in a timely 
manner. Information sharing allows companies to better detect and 
defend against sophisticated cyber attacks and data security breaches. 
By working together and with Government to disseminate and receive 
cyber threat information, companies can learn where to look for signs 
of an attack and how to alter their security systems to ``plug holes'' 
and block attempted intrusions carried out using techniques that were 
effective in earlier attacks.
    Importantly, third parties often possess information that can help 
us mitigate the risks of an attack. As the United States Secret Service 
(USSS) recently acknowledged in testimony before the Senate, ``one of 
the most poorly understood facts regarding data breaches is that it is 
rarely the victim company that first discovers the criminal's 
unauthorized access to their network; rather it is law enforcement, 
financial institutions, or other third parties that identify and notify 
the likely victim company of the data breach by identifying the common 
point of origin of the sensitive data being trafficked in cybercrime 
marketplaces.''\1\ Victims of cyber crime can then begin to extricate 
fraudsters from their system and prevent further data loss when they 
know that an attack has taken place. Creating structures where 
information regarding critical threats--and certainly actual breaches--
is shared swiftly can be critical in preventing and minimizing losses 
from data breaches.
---------------------------------------------------------------------------
    \1\ Testimony of Criminal Investigative Division Deputy Special 
Agent in Charge William Noonan, available at: https://www.dhs.gov/news/
2014/02/04/written-testimony-us-secret-service-senate-
committeejudiciary-hearing-titled.
---------------------------------------------------------------------------
    The retail industry is in a particularly good position to both 
benefit from and bring value to information sharing with outside 
organizations and entities. Indeed, the history of data breaches 
affecting the retail industry indicates a pattern of increasingly 
sophisticated cyber attacks using similar tactics, techniques, and 
protocols (TTPs). During the recent spate of data breaches targeting 
the retail industry, the sector learned the value of such information 
sharing by receiving various reports and alerts from the USSS and FBI, 
as well as other Federal agencies (e.g., US-CERT and NCCIC) that 
highlighted cutting-edge TTPs. The retail industry also received 
valuable information from security research companies; for example, the 
iSightPartners report, which was disseminated through the National 
Cybersecurity and Communications Integration Center (NCCIC) in the wake 
of the Target breach, was of such particular value that NRF 
subsequently held a webinar for its membership where an iSightPartners' 
representative presented on the report's findings. In addition, in 
January 2014, the FBI shared a confidential report with the retail 
industry titled ``Recent Cyber Intrusion Events Directed Toward Retail 
Firms'' that was designed to warn the industry regarding ``memory-
parsing'' malware that can infect POS systems. While the warnings in 
the report--and the findings of the iSightReport--were useful to the 
retail sector, NRF realized that its members would have derived 
significant additional benefits had they been shared sooner. It would 
have been more helpful had an established, trusted entity representing 
the retail sector existed, at the time, to receive such information in 
real time and disseminate it to credentialed retail business security 
officers.
    One effective mechanism for sharing information, with a proven 
track record, is sector-specific Information Sharing and Analysis 
Centers (ISACs). In 2006, the Department of Homeland Security 
recommended that the Nation's critical infrastructure sectors develop 
ISACs to more effectively share threat intelligence. Today, the 
National Council of ISACs has 15 member ISACs, including 13 
representing or related to critical infrastructure sectors. While the 
retail industry is not critical infrastructure, NRF believes that the 
sector could benefit from taking a similar approach to information 
sharing. ISACs provide a trusted source and repository for critical 
threat information, whether provided by outside organizations or 
internal members.
    The Financial Services Information Sharing and Analysis Center (FS-
ISAC) has been a leading example of a model that has assisted one 
sector in preparing for and defending against cybercrime. The FS-ISAC 
established various forums and tools to encourage and support 
information sharing among its members. Those include e-mail alerts that 
provide timely and actionable cyber threat intelligence, bi-weekly 
threat information sharing calls with security or risk management 
experts, as well as emergency conference calls to share particularly 
urgent threat intelligence. The FS-ISAC also conducts on-line webinar 
presentations for its members so they can share threat information and 
best practices. Using those tools, the financial services industry as a 
whole can remain aware of the most up-to-date attack prevention 
measures. As outlined in the next sections, NRF has already taken steps 
to create, or is in the planning stages of developing, similar 
mechanisms to encourage information sharing within the retail industry. 
The ultimate goal of these endeavors is to establish a robust ISAC 
equivalent for the retail industry (Retail ISAC).
  steps nrf has taken to create a trusted information-sharing platform
    NRF already brings together senior business, technology, and loss-
prevention leaders through its Chief Information Officer (CIO) Council. 
One subcommittee within this Council, the IT Security Council, connects 
information security professionals and focuses on, among other goals, 
promoting information sharing within the retail sector. NRF is 
currently using its authenticated IT Security Council email 
distribution list (and expanding it to also include business leaders 
from the CIO Council) to push out actionable threat intelligence to the 
retail industry. While this list currently includes only NRF members, 
the intention is to broaden the list, and forthcoming Retail ISAC 
membership, to non-NRF members as well (meaning all retailers).
    Another step NRF has taken on the road to creating a Retail ISAC is 
to collaborate with, and learn from, the FS-ISAC. NRF has held several 
meetings with the FS-ISAC regarding its structure, communication 
methods, and policies. These meetings have allowed NRF to gain insight 
into how to operate an effective ISAC and avoid some of the growing 
pains that come with the creation of any new entity. As a result of 
these initial discussions, the FS-ISAC and NRF have taken steps to 
establish a mechanism to push out relevant critical threat information 
from the FS-ISAC to NRF for further distribution to its authenticated 
IT Security Council members. The practical experience of receiving 
information through an ISAC will allow NRF to better understand how 
information is shared in an ISAC, and what filtering is necessary to 
ensure that useful information is reaching the right parties.
    NRF is also establishing relationships with key Government 
agencies. The Government collects valuable information regarding 
security incidents through its cyber crime investigations and broad 
information sharing activities. NRF has held meetings with the United 
States Secret Service to discuss the methods the agency currently uses 
to distribute critical threat information, and how the Retail ISAC 
could become a valued partner. Establishing a Retail ISAC will offer a 
quicker avenue for the USSS (and other law enforcement agencies) to 
share valuable information with the retail industry.
    NRF has also met recently with the National Cybersecurity and 
Communications Integration Center to discuss how the Retail ISAC could 
receive actionable intelligence for its members as quickly as possible. 
The NCCIC is a central communications point for critical infrastructure 
entities, various Government agencies and international investigators 
where cybersecurity information is sent, analyzed, and shared with 
relevant parties in real time. NCCIC consists of four branches, 
including the U.S. Computer Emergency Readiness Team (US-CERT). These 
connections with the USSS and NCCIC are helping to establish an 
information-sharing bridge to the retail industry even as the Retail 
ISAC is under development.
    Working with trusted advisors, NRF is currently in the planning 
stages with respect to a final step in the development of the Retail 
ISAC: The establishment of the technological and operational 
infrastructure to support a secure portal through which members can 
share information. NRF's goal is to allow credentialed members to share 
information of varying levels of sensitivity anonymously, thus allowing 
the Retail ISAC to act as a repository of critical threat, 
vulnerability, and incident information that is sourced from various 
members and outside organizations, and to facilitate peer-to-peer 
collaboration with the sharing of risk mitigation best practices and 
cybersecurity research papers. As this final step is resource-intensive 
and requires the active participation of its membership, NRF 
anticipates that it may take several months before the Retail ISAC is 
fully operational. In the meantime, NRF has provided, and will continue 
to provide, mechanisms and tools for information sharing among the 
retail industry, as outlined above.
    As a final note on information sharing, NRF and its membership 
recognize that full, robust information sharing is sometimes hampered 
by legal restrictions. Accordingly, NRF supports the passage by 
Congress of the bipartisan ``Cyber Intelligence Sharing and Protection 
Act'' (H.R. 624) so that the commercial sector can lawfully share 
information about cyber threats in real time, thereby enabling 
companies to defend their own networks as quickly as possible from 
cyber attacks that are detected by other businesses.
                               conclusion
    In closing, there are three important policies that NRF supports.
    First, the members of NRF support replacing today's fraud-prone 
mag-stripe and signature cards with cards using PINs or open-standard 
``Chip and PIN'' technology. NRF also supports efforts to develop and 
deploy end-to-end encryption or tokenization, but is opposed to the 
adoption of ``EMV'' technology as mandated for the U.S. market, as it 
presently would not require PIN-authentication of card-holders and 
would rely instead on simply a signature to authenticate the consumer.
    Second, NRF supports information sharing within its membership and 
the retail industry about cyber threats and has already taken several 
steps to create a Retail ISAC, and continues to actively engage in 
making that goal a reality. A retail-focused ISAC will allow the 
industry as a whole to benefit from the information sharing that is so 
critical to effectively combat today's evolving cyber threat.
    Third, we support passage by Congress of the bipartisan ``Cyber 
Intelligence Sharing and Protection Act'' (H.R. 624) legislation that 
will facilitate the sharing of cyber threat information in real time, 
thereby enabling companies to better defend their own networks based on 
critical information about attacks on other businesses.
    Thank you for your time today. I'd welcome your questions.

    Mr. Meehan. Thank you, Mr. Litchford.
    The Chairman now recognizes Mr. Rhoades for his testimony.

STATEMENT OF MATTHEW RHOADES, DIRECTOR, CYBERSPACE AND SECURITY 
   PROGRAM, TRUMAN NATIONAL SECURITY PROJECT AND CENTER FOR 
                        NATIONAL POLICY

    Mr. Rhoades. Chairman Meehan, Ranking Member Clarke, 
Congressman Fitzpatrick, thank you for having me here today. 
Information networks provide hope to millions of people around 
the world by creating the conditions for innovation and human 
prosperity to flourish, while enabling America's mutually-
supportive ideals of human rights, freedom, and opportunity. 
Unfortunately, they are also exploited by a variety of actors 
to further nefarious national, criminal, and ideological 
objectives.
    Frequently these groups, hacktivists, terrorists, 
criminals, and nation-states also overlap, working together 
towards complementary interests, while utilizing the inherent 
anonymity of cyberspace. In short, today's technologies provide 
an unprecedented opportunity for humans to reach their full 
potential, while simultaneously increasing individual and 
collective security risks. These are facts that the Members of 
this committee know well, but they are worth mentioning here 
today because in cyber space, the difference between espionage, 
crime, and attacks can be as simple as intent, or just a few 
keystrokes.
    Gaining and maintaining access to a network are the most 
difficult phases of a cyber incident, but once you are in a 
network, whether you spy, steal, or destroy is often a matter 
of choice. Criminals are developing new tools that are more 
sophisticated and more intuitive than previous generations, and 
then selling them in on-line marketplaces. This is lowering the 
barrier to entry, and giving more actors the capability to 
threaten critical systems. Cyber crime, in this way, is 
connected to both National security, and the protection of 
private information, and no single entity, whether Government 
or business, can secure a domain that extends beyond 
traditional geographic boundaries. Cybersecurity is a shared 
responsibility.
    To ensure our Nation is safe, the Government must 
coordinate the protection of our country's most critical 
assets, while law enforcement agencies impose the criminal laws 
of the United States. Governments must also find ways to 
cooperate with one another on investigations. Cyber crimes are 
often intentionally routed through multiple countries, 
particularly those who provide sanctuaries against 
international investigations. More must be done in the 
international arena to build the capacity of sanctuary states, 
and to discourage others that are complicit in criminal 
activities.
    Private companies must do their part as well. But in 
sectors where there is no choice in the consumer market, the 
Government should play a larger role in ensuring the security 
of critical networks. Many companies are collecting, storing, 
and analyzing information on U.S. citizens. Securing those 
networks, protecting our information, both require the private 
sector to take better responsibility for their own security.
    While information-sharing programs do not offer a 
cybersecurity panacea, they can contribute to collective 
security by creating a fuller picture of the threat 
environment. That said, there is a right way to share 
information, and a wrong way to share information. All 
irrelevant personally identifiable information should be 
removed before the information is given to the Federal 
Government, or to other private actors. Information coming into 
the Federal Government should have previously-defined 
acceptable uses, and be given to a civilian agency, and those 
who participate in information-sharing programs and exhibit 
negligent behavior should be held responsible. Getting this 
right matters. The way we build our domestic programs will have 
privacy and civil liberties implications for Americans here at 
home, but also for human rights activists and dissidents 
abroad.
    The unfortunate reality of cyber is that, given enough 
time, resources, sophistication, and motivation, an attacker 
will gain access to a network. As people become more dependent 
upon technology, the opportunities for crime, espionage, and 
physical disruption will increase. But by implementing 
commonly-held best practices, we can protect the great majority 
of our networks, secure our personal information, and allow our 
security agencies to focus on preventing attacks to critical 
systems.
    Thank you for the opportunity to join you today, and I look 
forward to your questions.
    [The prepared statement of Mr. Rhoades follows:]
                 Prepared Statement of Matthew Rhoades
                             April 16, 2014
    Chairman Meehan, Ranking Member Clarke, Members of the committee: 
Thank you for inviting me to appear today to discuss how the public and 
private sectors can work together to increase cybersecurity.
    Currently, I serve as the director of the Cyberspace and Security 
Program at the Truman National Security Project and Center for National 
Policy. Together, these two organizations represent more than 1,300 
members with an expertise in numerous security issues--including 
cybersecurity--and a dedication to forging strong, smart, and 
principled National security policy for America.
    The rapid development of information networks over the past 30 
years has allowed individuals and nations to grow and prosper. Today, 
our small businesses are global enterprises--reaching markets and 
customers on the other side of the world with the click of a mouse. The 
internet invigorates economic progress and helps people rise out of a 
cycle of poverty in the developing world.
    These tools also enable the expansion of America's mutually 
supportive ideals: Human rights, freedom, and opportunity. Using the 
internet, democracy activists in nations ruled by oppressive regimes 
can organize to petition for their fundamental rights; vulnerable 
populations in conflict-ravaged areas can show the world the brutality 
of their own governments; and individuals can seek out new ideas to 
challenge their own beliefs.
    New technologies are providing hope to millions by creating the 
conditions for innovation and human prosperity to flourish. 
Unfortunately, they are also being exploited by a variety of actors to 
further nefarious national, criminal, and ideological objectives.
    Hacktivists--or on-line demonstrators--use information networks to 
target opponents and draw attention to a political cause. Terrorists 
use information networks to spread their propaganda and recruit others 
to help commit acts of violence. Criminal organizations use the 
internet to steal from individuals and organizations all over the world 
and turn another's loss into their financial gain. Finally, nation-
states leverage these capabilities to spy on, steal from, and 
potentially attack their adversaries.
    Frequently, these groups--hacktivists, terrorists, criminal 
organizations, and nation-states--also overlap, working together 
towards complementary interests while utilizing the inherent anonymity 
of cyber space to make attribution even more difficult.
    With each new day, the number of actors with access to these tools 
increases and, as a result, so does the number of potential victims. 
Roughly 90% of the world's data has been generated in the last 2 
years.\1\ As more information is generated, confidentiality and privacy 
grow more vulnerable. Governments are losing once closely-held state 
secrets; companies are finding their intellectual property suddenly in 
the hands of competitors on the other side of the world; and 
individuals are losing control over their private information.
---------------------------------------------------------------------------
    \1\ Science Daily, ``Big Data, for better or worse: 90% of world's 
data generated over last two years,'' 22 May 2013, http://
www.sciencedaily.com/releases/2013/05/130522085217.htm.
---------------------------------------------------------------------------
    According to Symantec's ``Internet Security Threat Report 2014,'' 
the number of breaches increased by 62% in 2013 with a total of over 
552 million identities compromised.\2\ Additionally, targeted attacks 
grew by 91% and are increasingly aimed at small businesses.\3\
---------------------------------------------------------------------------
    \2\ Symantec Corporation, Internet Security Threat Report 2014; 
Volume 19, p. 5.
    \3\ Ibid, p. 5 & p. 18.
---------------------------------------------------------------------------
    And as we are all aware, the recent, highly-publicized breach at 
Target--the second-largest retailer in the United States--compromised 
personal information on 70 million customers by using software that may 
have cost less than $2,500 at an on-line marketplace.\4\ Today, cyber 
criminals can use relatively easy-to-find software to make outsized 
gains.
---------------------------------------------------------------------------
    \4\ Chris Smith, ``Expert who first revealed massive Target breach 
tells us how it happened,'' 16 January 2004, http://bgr.com/2014/01/16/
how-was-target-hacked/.
---------------------------------------------------------------------------
    The Target example shows that even the largest companies with vast 
resources are vulnerable. Frequently, they are unaware that a breach 
has even occurred. One security provider recently announced that in 
2013 the median number of days attackers were present in a network 
prior to discovery was 229 days. That is actually 14 days less than the 
2012 median.\5\
---------------------------------------------------------------------------
    \5\ Mandiant, MTrends: Beyond the Breach, p.1.
---------------------------------------------------------------------------
    In short, today's technologies provide an unprecedented opportunity 
for humans to reach their full potential while simultaneously 
increasing individual and collective security risks.
    These are facts that the Members of this committee know well, and 
they are broader than the scope of this hearing. But they are worth 
mentioning in this context because in cyber space, the difference 
between espionage, crime, and attack can be as simple as intent, or 
just a few keystrokes.
    Gaining and maintaining access to a network are the most difficult 
phases of a cyber incident. Adversaries spend a great amount of time, 
energy, and resources to seek out and secure vulnerabilities that 
provide access. But once they are in the network, whether they spy, 
steal, or destroy is a matter of choice.
    Furthermore, criminals are developing new tools that are more 
sophisticated and more intuitive than previous generations, and then 
selling them in on-line marketplaces. This reality is lowering the 
barriers to network entry and giving more malicious actors the 
capability to threaten critical systems, in both the private and public 
sectors.
    Cyber crime, therefore, is linked to National security and the 
protection of private information. All of the actors using cyber space 
for illegitimate means need vulnerabilities to exploit, and no single 
entity--whether Government or business--can secure a domain that 
extends beyond traditional geographic boundaries. In cyber space, one 
weak link can compromise the security of the entire system. 
Cybersecurity is a shared responsibility.
    To ensure our Nation is safe, the Government must coordinate the 
protection of our country's most critical assets against sophisticated, 
destructive attacks while law enforcement agencies impose the criminal 
laws of the United States in the cyber domain. Through the development 
of new tools and the continued maturation of the National Cybersecurity 
and Communications Integration Center (NCCIC), the Department of 
Homeland Security (DHS) is addressing this responsibility.
    But more can be done. For example, the effectiveness of the NCCIC 
is directly tied to the level of participation by other Federal 
agencies. Yet, those agencies are not currently required to share 
information with DHS. If we are going to task DHS with the 
responsibility for leading the protection of Federal civilian agencies, 
then we must give them the authorities required to be successful.
    Governments must also find ways to cooperate with one another on 
investigations. Cyber crimes are often intentionally routed through 
multiple countries, particularly those who provide sanctuaries against 
international investigations. When an investigation leads to a new 
jurisdiction, the investigators are suddenly at the mercy of another 
government. More must be done in the international arena to build the 
capacity of nations that do not want to be criminal sanctuaries and to 
discourage others that are complicit in criminal activities originating 
in their territory.\6\
---------------------------------------------------------------------------
    \6\ Richard A. Clarke, Securing Cyberspace Through International 
Norms: Recommendations for Policymakers and the Private Sector, Good 
Harbor Risk Management, LLC, p. 23.
---------------------------------------------------------------------------
    Private companies must do their part as well. Most of this 
country's critical infrastructure is privately-owned and operated, but 
market forces alone have yet to incentivize broad-scale use of cyber 
risk management strategies. Many companies are working to protect their 
networks, but too many are not doing enough. And in sectors where there 
is no choice in the consumer market--where a public good is being 
provided by a private actor--the Government should play a larger role 
in ensuring the security of critical networks.
    Additionally, many companies are collecting, storing, and analyzing 
information on U.S. citizens. This information deciphers everything 
from our travel habits to our personal interests. Securing our most 
important networks and protecting our personal information requires the 
private sector to take better responsibility for their own security.
    Finally, individuals have to take responsibility for our on-line 
behavior as well. Although there are sophisticated hackers at work, 
most compromises take advantage of existing vulnerabilities that have 
not been patched but could have been. The more hardened a target 
becomes, the more likely a hacker will look for a less secure, 
peripheral target as a means to get in. This is likely the reason that 
targeted attacks are increasingly focused on small businesses. We must 
contribute to a culture of security that is respectful of the rights of 
others, while contributing to the security of the whole system.
    Universities across the country, including Drexel University here 
in Philadelphia, are developing educational programs to ensure the next 
generation is prepared to combat cybersecurity threats. These are 
important initiatives that warrant support. However, it will take a 
generation for them to fully bear fruit. More also needs to be done to 
make today's users aware of the risks associated with their on-line 
behavior.
    Getting this model of collaborative security correct is dependent 
upon trust. Governments and private entities must work together to 
mitigate threats. Both, however, are collecting vast quantities of 
information on individuals. The more information they store in their 
databases, the more attractive those databases become to criminals. 
What they share and how they share has serious privacy and civil 
liberties consequences for individual consumers.
    While information-sharing programs do not offer a cybersecurity 
panacea, they can contribute to collective security by creating a 
fuller picture of the threat landscape. That said, there is a right way 
to share information and a wrong way to share information. All 
irrelevant personally identifiable information should be removed before 
the information is given to the Federal Government or another private 
actor. Information coming into the Federal Government should have 
previously-defined acceptable uses and be given to a civilian agency. 
And those who participate in the program and exhibit negligent behavior 
should be held responsible. Getting this right matters: The way we 
build our domestic programs will have privacy and civil liberties 
consequences for Americans and for human rights activists and 
dissidents overseas.
    The reality is that given enough time, resources, sophistication, 
and motivation, an attacker will gain access to a network. And as 
people become more dependent upon technology, the opportunities for 
crime, espionage, and physical disruption will only increase. But with 
collaboration built upon trust, I believe we can reduce our 
vulnerabilities. By implementing commonly-held best practices, we can 
protect the great majority of our networks, secure our personal 
information, and allow our security agencies to focus on preventing 
sophisticated attacks against our most critical networks. And, in the 
end, we can more fully realize the potential of new technologies to 
expand freedom and opportunity at home and abroad.
    Thank you for the opportunity to join you today, I look forward to 
answering any of your questions.

    Mr. Meehan. I thank each of the panelists for your 
testimony, and your full written statements will become part of 
the record, so I now recognize myself for 5 minutes of 
questioning.
    Mr. Peters, thank you for taking the time to be here with 
us today, representing not only your bank, but many smaller to 
mid-sized institutions as well. I was struck by the figure that 
you gave me, a million dollars that you are spending at a 
relatively sophisticated bank in and of itself, but relatively, 
you know, smaller, compared to the big New Yorks, or--that is a 
million dollars off the bottom line. That is a lot of 
investment. Can you tell me how you are using that kind of an 
investment, and how you make the choices about where to, you 
know, put those kinds of decisions about what you use, and what 
you rely on to come from other places?
    Mr. Peters. Well, a lot of it, Mr. Meehan, is a risk-reward 
type thing. We spend a million dollars. We could probably spend 
two or three if we wanted to. It goes really basically for 
software. I mentioned multi-level protection. That is the most 
important thing, is you have three or four different layers, 
and they all look at things differently, and that will kind-of 
catch things. We use a lot of outside vendors who come in and 
do intrusion tests on us. We have 19 people in our IT 
department, whatever--and it sort of points up a point which 
Mr. Fitzpatrick brought up a second ago, about--how about small 
banks, or how about small businesses? That is really, you know, 
we are fortunate we are large enough--we spend a million 
dollars, and we can afford to spend it. But you get a bank that 
is a $3- or $400 million bank, or you get a small business with 
25 or 50 employees, they have a lot of trouble spending that 
type of money for this, and I think that is really one of the 
real challenges which we have going forward.
    We do not see, by the way, that decreasing going forward. 
If we are--we spent a million dollars last year. We probably 
spent $800,000 the year before, and I think this year the 
budget is a $1.2 million or $1.3 million. So we are going to 
see this continue to escalate.
    Mr. Meehan. Now, do you issue credit cards and other things 
out of your institution?
    Mr. Peters. We do not issue a credit card. Banks our size 
usually don't. There are usually five or six large banks in the 
country that issue them. However, we do issue debit cards, and, 
of course, they get compromised. On the Target situation that 
happened, we had to replace over 1,000 cards, and to, once 
again, Mr. Fitzpatrick--accommodation cost us $5 or $6 to 
replace that card. Everybody has to be personally called. They 
have to come into the bank personally to replace it, and there 
is a lot of inconvenience and time. We get no--absolutely no 
compensation for that at all, and this happens many, many times 
during the year.
    But we see--very frequently we see compromised debit cards. 
It could--Target is obviously the most visible one, but there 
have been lots of other little ones around that we get reports 
on once a month. You know, your--at least 50 cards have been 
compromised.
    Mr. Meehan. I think that is one of the points that is made, 
is, notwithstanding that sometimes a lot of identities are 
taken, that the--turning that into some sort of a compromised 
situation still takes a few more steps. So a lot of names are 
sold, but then we see phishing, and other kinds of things that 
take place to try to get that identity to themselves do 
something that allows them to be further compromised. Isn't 
that right, Mr. Litchford?
    Mr. Litchford. Right. Well, I--and I think the previous 
panel addressed the fact that consumers need to be educated 
too, and to protect their sensitive data. But, at the same 
time, in terms of the retail breaches, the data that they are 
getting alone is not enough for identity theft. It is primarily 
the card numbers that they are after. What the bad actors do is 
then, in turn, sell those numbers in bulk. As you know, with 
the current technology of those cards, it is very easy to then 
go make a counterfeit card. Because we are using signature as 
the second form of authentication, it is very easy for them 
then to go commit fraud with those numbers.
    So the costs here are on the banks and the retailer side. 
At most, the consumers are probably inconvenienced. I mean, I, 
for one, was part of the Target breach, and Chase replaced my 
card, and I had to go through and update my auto payments, and 
things like that. So it was more of an inconvenience at the 
consumer level, but the cost of that fraud is being borne by 
the commercial businesses, such as banks and retailers.
    Mr. Meehan. Now, you have also mentioned the idea of the 
technology, 50-year-old technology. What is the solution with 
respect to the cards? You mentioned what is happening in 
Europe, but that isn't a preferred solution for you. What is 
the----
    Mr. Litchford. Right.
    Mr. Meehan [continuing]. Solution?
    Mr. Litchford. I think there are a couple things. I mean, 
first, you know, just back to EMV, to understand, EMV was 
created over 20 years ago to address a problem outside of the 
United States that was not a particular issue in the United 
States. When that technology was developed, it had no inkling 
of this thing called the internet, or e-commerce, or now what 
is called emerging mobile commerce, with mobile payments. So 
that technology is designed to only stop counterfeit cards 
predominantly. Or if I were to lose the card, and you were to 
pick that card up and try to use it, it would stop that, 
because it has a PIN on it, right?
    So with that, if the cost to implement that type of 
technology in the United States, which we anticipate on the 
retailer side alone is over $30 billion----
    Mr. Meehan. Why so much?
    Mr. Litchford. Because of the cost of replacing the 
equipment and software, and training at the stores. There is--
again, the cost is anticipated to be anywhere from, I think, 
$500 to $1,500 per lane. So when you are in a retailer, they 
are having to replace not just the hardware, but train their 
people how to use it, replace the software that handles the 
systems, and things like that.
    So, again, we just believe that that money could be better 
spent addressing the entire ecosystem, not just part--present 
situations, such as in stores, but also to start looking at----
    Mr. Meehan. Well, what is the entire situation? Because as 
you are speaking, I am considering the idea. I am thinking----
    Mr. Litchford. Yeah.
    Mr. Meehan [continuing]. In the one sense, why wouldn't we 
be moving forward into newer technology? But, at the same time, 
if you are spending $30 billion to do this, the dynamic nature 
of--are they going to find some other way to get into the 
middle of that transaction, so it is not done at the counter, 
but it is done some other----
    Mr. Litchford. Right.
    Mr. Meehan [continuing]. Part----
    Mr. Litchford. So EMV, as a technology, the card number is 
still in the clear, just so you know. The encrypted portion of 
EMV is just to validate that the card is the real deal, this is 
not a counterfeit card. So we could still potentially see 
those--they are called PANs, or personal account numbers, 
exposed, and then used to do transactions in other 
environments, such as on-line or mobile. Which is where, 
frankly, the industry or--and consumers are going.
    So, you know, even where EMV has been deployed, you know, 
we are quick to tout, yes, we have stopped all this fraud in 
our stores, but we have moved the equal percentage to on-line 
environments, so the fraudsters will go to where they can 
easily monetize the data. So, from a retailer's perspective, 
what we want to do is--we know this cyber war we are in is a 
war that is going to be a continual war. The goal is not 
necessarily to stop breaches, but to stop their ability to 
monetize any data that they would get from that breach.
    So retailers are already taking steps now to try to 
eliminate any of that sensitive data within their systems. As 
an example, I am already seeing many retailers start to invest 
in significant cost into something called encryption and 
tokenization. So once I swipe my card at the retailer's 
terminals, it is immediately encrypted, so that that number is 
no longer in the clear. Of course, we have to work with 
financial institutions to handle things like that, as well as 
tokenization.
    So, again, you know, I think the money--another thing you 
can do, by the way, is, on your current mag stripe card, is you 
could simply put a PIN on that today, and that would have 
probably stopped most of the fraud that is occurring in the 
United States. So, again, our position is we would like to see 
the entire payment ecosystem addressed, not just focus on a 
particular piece of that. Even then the focus is on--at least 
what the cards are pushing down on retailers is not even to 
have PINs. They want to just put a chipped card out there, and 
still allow you to use your signature for that. So we think 
that is not a full solution.
    Mr. Meehan. Well, I thank you. My time is expired, and I 
will turn to the gentlelady from New York.
    Ms. Clarke. I thank you, Mr. Chairman. I want to also thank 
our expert panelists, and say--and respond to Mr. Peters, and 
your earliest salutation to me, that hope springs eternal.
    Mr. Peters. Right.
    Ms. Clarke. The private sector's focus is on the 
development and implementation of technology systems to protect 
computer intrusions and malicious code, internet fraud, spam, 
and if a crime does occur, to detect it, and gather admissible 
evidence for an investigation. The private entities that focus 
on these technological efforts include internet service 
providers, security vendors, software developers, and computer 
forensic vendors.
    Internet service providers offer businesses and home users 
various levels of access to the internet, and other internet-
related services, such as customer support, and spam and virus 
protection. Providers also assist law enforcement by monitoring 
and providing information on selected internet activities, and 
provide technical expertise.
    How does a company who employs the services of security 
vendors decide when to report a cyber crime, and when to allow 
or encourage its security vendors to cooperate with law 
enforcement in the investigation and prosecution of a cyber 
crime? Can you give a sense of, you know, how does it all come 
together, and, you know, what is that moment where it sort of 
says, eureka, let us move in this immediately, because it is me 
now, it could be someone else in the next----
    Mr. Peters. If I could start? Yeah, first of all, we report 
everything. We are required, as a financial institution, to 
file something called suspicious activity reports, SARs, with 
the Federal Government anytime anything happens. It could be 
somebody who is trying to launder cash through a teller, but in 
many cases now, actually, it is computer fraud. There is 
identity theft. I think last year we stopped 14 cases of 
identity theft at our bank. Unfortunately, one did get through. 
On the other hand, we get 30 attacks a night, 30 attacks in our 
computer system a night. Most of them are from China.
    So we actually report everything to the Federal Government. 
We are required to do that, and we do that, and to local law 
enforcement. If something has identity theft, we will go to the 
local authorities, usually our township folks, and report that 
to the police department.
    Mr. Litchford. Yes. So, again, in retail, the predominant 
data that these bad actors are going after is credit card 
information, and many times it is not the retailer that knows 
that the--that a crime is occurring. It is typically, for 
example, our financial institution friends that have pretty 
decent algorithms for what is going on with fraud, that they 
are able to then, for example, call a retailer and say, we 
suspect something is going on. Then at that time--I am--can't 
speak for all retailers, but I assume that the law enforcement 
is then engaged.
    One of the problems that we have in retail is the myriad of 
laws that they have to abide by, not only in the United States. 
I believe it, and I hope I get the numbers right, I think it is 
47 States, plus the District of Columbia, have different 
uniform breach notification laws. So one of the--so you can 
imagine now what a retailer is trying to go through to figure 
out, you know, how do I respond to this State versus that 
State. Then--so part of the thing--things our members, and NRF, 
is for is a uniform breach notification law.
    Ms. Clarke. That is interesting. I had no idea that it was 
based on the States how you go about reporting. Very well.
    Mr. Litchford. Right.
    Ms. Clarke. Then, when you think about the fact that many 
retailers are also international now, it adds another layer 
of----
    Mr. Litchford. Yes.
    Ms. Clarke. Challenge.
    Mr. Litchford. Yes.
    Ms. Clarke. I wanted to just revisit with you a moment the 
whole idea of chip and PIN.
    Mr. Litchford. Um-hum.
    Ms. Clarke. It is a global standard, and we seem to be the 
outlier, as the United States. As you have spoken about your 
thinking around it, you talked about the idea of the mobile and 
the on-line----
    Mr. Litchford. Um-hum.
    Ms. Clarke [continuing]. Purchasing, particularly when it 
comes to retail items. How does that impact on our industry, 
the fact that we are outliers with the swipe and signature, 
versus the chip and PIN?
    Mr. Litchford. Right.
    Ms. Clarke [continuing]. You give us a better sense of 
that?
    Mr. Litchford. Well, I think the obvious impact is the bad 
actors have come to the United States to get that data now, 
because it is a place that is green pastures for them, and then 
they can breach systems, get the data, and then easily monetize 
it. So, again, the challenge here is what can we do with the 
current mag stripe technology to try to reduce some of the 
fraud that does occur when the data is breached? So I could 
simply put a PIN on a mag stripe today, and pretty much stop a 
lot of the fraud that is going on, because even if they made a 
counterfeit card, they would not necessarily have the PIN that 
goes with that card.
    The other issues, you know, with EMV, again, is they are 
proposing in the United States not to--they are calling it chip 
and signature, or chip and choice, which everywhere else in the 
world is chip and PIN. So we are wondering what--why do you not 
want a PIN? What is the problem here? We know PINs are the way 
to safeguard things, whether it is on a mag stripe or a chip 
card.
    Then a further potential issue we have with EMV is it is a 
proprietary standard, meaning it was developed by the cards 
themselves. With that, today, retailers, there are two rails, 
so to speak, that you go over for your authentication, or your 
authorization. One would be--what--you might think is the 
credit rail, and the other is the debit rail. What is really 
going on behind the scenes is you have a signature 
authorization, or a PIN authorization. When that transaction is 
a PIN authorization, retailers today have choice of about 18 
different providers that they can go to, based on the fees that 
are going to be charged to them for that authorization. EMV 
does away with that. The debit routing is determined by the 
card itself, therefore, by the issuer, not the retailers.
    Ms. Clarke. That is interesting. Is there an advantage to 
being in a separate system all to ourselves, in terms of these 
retail transactions? In other words, that is driven by the 
card, versus, I don't know, the public, or the----
    Mr. Litchford. Right.
    Ms. Clarke [continuing]. Retailers, or--I mean, when you 
think about the fact that everywhere else, you know, for the 
most part, we are dealing with chip and PIN. Is there an 
advantage to us maintaining our own uniqueness, if you----
    Mr. Litchford. Right. Well, and keep in mind, at the time 
of EMV, the United States was far along, and well ahead, in the 
sophistication of our payment networks, versus the rest of the 
world. Today, keep in mind, if you see an EMV card from 
somewhere else in the world, or even many U.S. cardholders have 
EMV cards because they travel internationally, if you look on 
the back, it still has a mag stripe on it, right?
    Going forward, even if we were to pursue that technology in 
the United States for at least 5 years or so, those cards are 
still going to have mag stripes on the back of them for 
transitional purposes. So I am not going to see benefit from 
Day 1 of deploying EMV technology. That is why I made the 
comment that you could put PINs on credit--on mag stripe cards 
today and pretty much immediately see an impact, not having to 
wait for this transitional period, and then use those 
investment dollars to address the entire payment ecosystem, not 
just what we call a card present, or in-store transaction.
    Ms. Clarke. Thank you. Mr. Chairman, I thank you for your 
indulgence, and yield back.
    Mr. Meehan. I thank the gentlelady. Turn to Mr. 
Fitzpatrick, from Bucks County.
    Mr. Fitzpatrick. Mr. Litchford, isn't one of the issues 
with this chip and PIN, or chip and choice, the--in terms of 
economies and scale, and smaller merchants, the cost of new 
technology requirements and terminals?
    Mr. Litchford. Um-hum.
    Mr. Fitzpatrick. Can you elaborate on that?
    Mr. Litchford. Well, again, we have estimated the cost to 
be, you know, somewhere in the lines of $600 to $1,500 per 
terminal on the retailer side to deploy the ability to accept 
EMV cards. Is that the question? Again, that is just in 
retailers, right? So keep in mind, if we deploy EMV technology, 
there are many, many other types of businesses that take credit 
cards that will also have to upgrade their infrastructures, as 
well as the financial institutions themselves. They have all 
the ATMs out there that they need to replace. So there are just 
huge and significant costs involved.
    Mr. Fitzpatrick. So retailers just consider it cost of 
doing business, part of the security costs going forward? But 
should there be a recognition on the difference between a 
large-scale retailer, like Target, versus a smaller mom-and-pop 
operation?
    Mr. Litchford. I am not sure what you are asking there. I 
mean, the cost is the cost. I think when you look at the 
retailers, the larger ones, like Walmart, for example, are 
already ready for EMV, predominantly because they are a global 
retailer, and they use standardized deployment of POS systems. 
So whatever they deploy to the United Kingdom gets deployed to 
the United States, so therefore they are already ready for EMV.
    Mr. Fitzpatrick. Back to your previous testimony, I think 
what you said is that we need to recognize that, in the future, 
there will be cyber attacks, and some of those attacks will be 
successful, but the real key is trying to determine the best 
way to minimize the damage, and precluding any monetizing of 
that information in the future.
    Mr. Litchford. Right.
    Mr. Fitzpatrick. It has now been 5 months since the 
successful attacks on the Target operation. What have we 
learned, and what have we changed, as a Nation, in those 5 
months?
    Mr. Litchford. Um-hum. Well, again, I think one of the 
biggest things that, from the retail perspective, we are 
calling for is the lack of information, and the lack of 
critical information getting to us relatively speedy. As an 
example, from the Target breach itself, the first data that we 
had that we could disseminate to our members was January 16. In 
the meantime, we know, through these ISACs, that data was 
being exchanged. But my members were calling, you know, what 
can I do? How do I know that I have not got the same malware 
problem?
    As soon as we got that data, NRF did a webinar with 
iSIGHT Partners, who was one of the publishers of the paper, 
to our members, and walked them through. This was a very 
technical call. These are the signatures you need to look for, 
these are the DLLs you need to look for. But, again, that was a 
month after Target was announced, right? So one of the things, 
based on that learning, that we are moving forward with is this 
establishment of a retail ISAC.
    So even though retail is not identified as a critical 
infrastructure, we are going to go ahead and develop this ISAC. 
We are working with financial services ISAC, the Secret 
Service, NCCIC, and US-CERT to make sure that we get this up 
and running. In the meantime, we are establishing a listserv 
to push data out one way. As soon as that is up, which we 
expect to be in the next week or so, that will then be 
immediately fed with TLP White and TLP Green alerts. Are you 
familiar with the traffic light protocol? So green is 
information that is shareable to the public--or white is to the 
public, green is to the community. But the amber and red alerts 
I am not able to push out yet. So as NCCIC is pushing out 
these alerts in real time, I cannot share those until I get to 
a full-blown ISAC.
    But this whole concept of sharing and collaboration is just 
huge, and getting as near-real-time as we can, because the goal 
is we don't want to be reactive. We want to get proactive, so 
we want to know everything we can coming from all the services 
that provide this type of information, so that we can then take 
a proactive stance to protect our systems.
    Mr. Fitzpatrick. Special Agent Quinn from the FBI indicated 
in his testimony that some institutions would be reluctant from 
reporting. Now, Mr. Peters, you talked about, in your industry, 
you are required to report.
    Mr. Peters. Yes.
    Mr. Fitzpatrick. The FBI--he indicated some might be 
reluctant to support, I suspect because competitors would take 
advantage of that lapse in security. Is that your 
understanding?
    Mr. Peters. I don't know that I can speak to the 
reluctance. I mean, one of the things, from working with the 
Secret Service, is these Electronic Crimes Task Force, and 
getting that information out to the retailers so that they 
establish a relationship with that organization, so that, when 
they do get the call, it is not necessarily, you know, hello, 
this is the Secret Service calling you. It is, hello, this is 
Ari calling you, yeah, what is up? We have that ability, and 
that relationship, so that we are comfortable now working with 
law enforcement and moving forward.
    Again, from the breach notification perspective, it is the 
problem of all the different laws in the States that we have, 
that we are trying to now figure out, what do I have to do?
    Mr. Fitzpatrick. Thank you.
    Mr. Meehan. I thank Mr. Fitzpatrick. Let me just ask a 
follow-up question. Mr. Rhoades, you--your testimony speaks to 
an issue which, as I alluded to in my first line of questioning 
with the earlier panel, but it is still--again, it is very, 
very disconcerting that the median time----
    Mr. Rhoades. Um-hum.
    Mr. Meehan [continuing]. That--days before someone 
appreciates businesses or otherwise that there is, you know, 
there is activity within--inside their networks is 229 days, 
median, before it is recognized. In addition, we are seeing, 
particularly from the Eastern European, that, once in the 
system, they are using that window to create software that 
mimics the actual operation of the entity----
    Mr. Rhoades. Um-hum.
    Mr. Meehan [continuing]. Which makes it even more 
difficult. So are we walking into a period here where detection 
is going to become increasingly more difficult, and longer, and 
therefore a greater opportunity for compromise?
    Mr. Rhoades. I don't know if detection will become longer. 
The report that I cited in my written testimony, the 229 days, 
while staggering and very long, was actually an improvement 
over what that security provider had found in the previous year 
by about 2 weeks. The adversaries are becoming more 
sophisticated, though, so it may be more difficult to notice 
them. This is especially true for--you mentioned earlier a non-
profit. There has been some conversation around small 
businesses. One of the things--the previous panel was 
enlightening. I thought one of the things that was missing was 
the human power that is required to do these things.
    So, technology is nice. Technology really, in this space, 
only enables policies and processes for an individual, 
business, or entity to protect itself. Cybersecurity, at its 
core, eventually comes down to people. So, to have trained 
people to understand when they receive information from others, 
how they can actually incorporate that and protect their 
networks, to have people that are trained to use the 
technologies that they have so that they can detect anomalies 
in their networks, I think that is the fundamental challenge, 
especially with small businesses and non-profits. That is the 
biggest challenge for these actors getting more sophisticated.
    I think the technologies will advance to be able to pick up 
some of these network anomalies, but do you have an individual 
on the other side watching that that can sort of understand 
what to do with that information?
    Mr. Meehan. Let me take it from the other side, which is 
the information that is collected. I mean, we are now dealing 
collectively in Washington with an issue regarding personal 
information, the recognition that the Government, in certain 
capacities, may be tracking if you made a phone call.
    Mr. Rhoades. Um-hum.
    Mr. Meehan. Yet what strikes me is, while that is an 
important privacy question that we have to deal with, the 
wealth of information that is being collected about our 
activities out there in the cyber world, consumer world, or 
wherever, is overwhelming----
    Mr. Rhoades. Um-hum.
    Mr. Meehan [continuing]. So much so that people are looking 
at tendencies, they are looking at the ability to know a great 
deal more about us than ever before. So where is the boundary 
with respect to what is appropriate to collect about 
individuals without a corresponding obligation----
    Mr. Rhoades. Right.
    Mr. Meehan [continuing]. For security? Looking at the 
University of Maryland situation, where, you know, they kept 
legacy information for some 300,000 people, where is there some 
cyber hygiene going where people are determining that, you 
know, a certain amount of information is all that is needed, 
and we are going to excise all the unnecessary information? 
Seems we are going in opposite directions.
    Mr. Rhoades. Yeah, I think certainly the individual is 
losing control over our private information going forward. I 
can remember the first time I was at a particular retailer, and 
I purchased a bottle of wine, and they scanned my driver's 
license. That was without asking. That was just part of their 
policy. I wasn't given the opportunity to necessarily agree or 
disagree with it, or to question what information was being 
collected. I still, to this day, am not quite sure what they 
store for how long, and how it is used. That is a--that is not 
to pick on a particular retailer. I think that is now a common 
case, that there are entities, some legitimate, some 
illegitimate, that are taking this information and using it to 
monetize.
    So I think this is--there is a new emphasis, particularly 
over the course of the past 12 months, in the American public 
dialogue on privacy and civil liberties. I think, as these 
technologies advance, we need a broader National conversation 
about what we feel is appropriate, and we feel is maybe too 
much, and to find a way for individuals to somehow gain a 
little bit, or feel they have gained a little bit more control 
over their private information.
    Mr. Meehan. Who controls that? Who becomes the arbiter of 
that, and how is that enforced?
    Mr. Rhoades. Well, the overall arbiter, ideally, would be 
the American people. Having this conversation, particularly 
through you all, our representatives, and deciding what is 
appropriate, and what is not. That often does not--is not the 
way things work, I understand that, but I think that this is 
where we, as average citizens, particularly look to you to 
represent our best interests.
    Mr. Meehan. Well, I thank you. Do any of my colleagues have 
any follow-up questions? Chairman recognizes Ms. Clarke.
    Ms. Clarke. Thank you, Mr. Chairman, and I want to agree 
with you on the need to have this conversation. I wonder how 
much of this debate is generational----
    Mr. Rhoades. Um-hum.
    Ms. Clarke [continuing]. Simply because younger people live 
their lives through this medium----
    Mr. Rhoades. Um-hum.
    Ms. Clarke [continuing]. In a way that perhaps my parents, 
and even me, to a certain degree, don't. You know, I am a 
hybrid. My mom is all-in now, she is texting. But, you know, 
there is a conversation that needs to be had, because things 
that we believe are private, young people don't necessarily 
believe the same thing. So when you transfer that into the 
final arbiter, which in--oftentimes are the courts now, the 
application of current day law to what they are actually doing, 
there is a disconnect. You know, because--there is almost a 
voluntary surrender of privacy through this medium in certain 
parts of the internet, social networking, for instance, and so 
that conversation needs to happen, because I am just concerned 
that we establish a standard so that people can then gauge 
themselves accordingly. I think at a certain point it is going 
to become almost moot, because everyone's information is going 
to be out there, so it is going to cancel out.
    But, having said that, data breaches involve personally 
identifiable information, as the Chairman has stated, and under 
many circumstances, and for many reasons, they can be 
inadvertent, such as from the loss of an electronic device, or 
deliberate, such as from a theft of a device, or a cyber-based 
attack by a malicious individual or group for a nation, a 
terrorist, or the adversary. Incidents have been reported at a 
wide range of public-private sector institutions, including 
Federal, State, local government agencies, educational 
institutions, hospitals, other medical facilities, financial 
institutions, retailers, et cetera.
    The loss or unauthorized disclosure or alteration of the 
information residing in private and public systems, which 
include this PII, can lead to serious consequences and 
substantial harm to individuals in the Nation. It is critical 
that not only Federal agencies, but privately-owned companies 
also protect their systems, and the information on them, and to 
respond to data breaches and cyber incidents when they occur. 
The President asked, in his cybersecurity Executive Order, 
13636, that there be a separate section on privacy, civil liberty 
protections, and PII. It contains a new subsection, entitled, 
``Methodology To Protect Privacy and Civil Liberties'', and is 
Appendix B of the primary framework.
    Could you give us an update----
    Mr. Rhoades. Um-hum.
    Ms. Clarke. You know, I threw out sort-of my thinking, and, 
you know, I am left-handed. But, you know, what do you think 
the update on the discussion is, and the collaboration among 
public and private entities regarding privacy and civil liberty 
concerns?
    Mr. Rhoades. Sure. So, as you mentioned, in the Executive 
Order the President asked, through the programs that are 
implemented under that Order, for the senior privacy and civil 
liberties officers at each of the agencies involved to look at 
those programs and do a risk-based assessment, in terms of 
privacy and civil liberties, and to offer some strategies going 
forward to mitigate some of those risks.
    I believe earlier this week, or it may have been last week, 
the Department of Homeland Security released its first 
assessment of that, which, to me, it--I think that is an 
important point for two reasons. No. 1, it gives, for those of 
you who do oversight over the administration, the opportunity 
to sort of baseline these things, look at some of their 
recommendations that are in-house, and then follow those as we 
go forward to ensure they have been implemented.
    But I also think that is an important document strictly 
from an emphasis on privacy and civil liberties. The specific 
recommendations didn't necessarily stand out to me as game 
changers, but in terms of getting overall cybersecurity right, 
this is a real challenge, in that it requires trust at every 
level.
    I think, through both panels of this hearing, we have heard 
there are multiple levers of--level of users, from nation-
states, to big corporations, to small corporations, to non-
profits, to individual end-users. I agree with the Chairman 
when he said that this is a shared responsibility, so all of 
these levels must work together. Frankly, here we have seen 
less trust from the average American citizen to the Federal 
Government. So I think it is important domestically to start to 
rebuild some of that trust, particularly in light of the 
National conversation over the last year.
    I also think it is really important internationally, 
because, as I said, we are the first generation to sort of try 
to develop the doctrines and the concepts around these new 
technologies. The fact is the rest of the world is watching us 
as we struggle to come up with those ideas. How we do things 
here in the United States is going to greatly affect the next 
Green Movement in Iran, the next Tahrir Square, so we need to 
be very cognizant of those as well if we do still want to stand 
for some of those fundamental American rights of individual 
opportunity, of individual freedom, of free speech.
    So I think, for those reasons, that emphasis in the E.O., 
and then the most recent report is important. But then I would 
also encourage you all to look at some of the recommendations, 
and to ensure that the Executive follows up on their own 
assessments.
    Ms. Clarke. Thank you, Mr. Chairman. I yield back.
    Mr. Meehan. Well, I want to express my deep appreciation to 
each of you, not just for your preparation for your testimony 
today, and the work, and--you have put into those thoughtful 
comments, but for your on-going work in this area in each of 
your respective venues. It is a debate--not a debate, it is a 
dialogue that we are going to have to be continuing well into 
the future. I want to express my appreciation to our 
colleagues, and particularly my--the Ranking Member for taking 
the time to travel here from New York.
    I want to close by thanking our hosts here at Drexel, and 
for the tremendous work that they are doing in being on the 
vanguard in both--not just education, but research and 
development in this important area of cybersecurity. I am 
grateful for their efforts.
    So, on behalf of the committee, the subcommittee stands 
adjourned.
    [Whereupon, at 12:49 p.m., the subcommittee was adjourned.]