b"<html>\n<title> - SMALL BUSINESS AND THE FEDERAL GOVERNMENT: HOW CYBER ATTACKS THREATEN BOTH</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n\n SMALL BUSINESS AND THE FEDERAL GOVERNMENT: HOW CYBER ATTACKS THREATEN \n                                  BOTH\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                      COMMITTEE ON SMALL BUSINESS\n                             UNITED STATES\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              HEARING HELD\n                             APRIL 20, 2016\n                               __________\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n     \n     \n     \n     \n\n            Small Business Committee Document Number 114-057\n              Available via the GPO Website: www.fdsys.gov\n\n\n\n\n\n\n\n\n                                   ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n20-072                         WASHINGTON : 2016 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. 
Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                   HOUSE COMMITTEE ON SMALL BUSINESS\n\n                      STEVE CHABOT, Ohio, Chairman\n                            STEVE KING, Iowa\n                      BLAINE LUETKEMEYER, Missouri\n                        RICHARD HANNA, New York\n                         TIM HUELSKAMP, Kansas\n                         CHRIS GIBSON, New York\n                          DAVE BRAT, Virginia\n             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa\n                        STEVE KNIGHT, California\n                        CARLOS CURBELO, Florida\n                         CRESENT HARDY, Nevada\n               NYDIA VELAZQUEZ, New York, Ranking Member\n                         YVETTE CLARK, New York\n                          JUDY CHU, California\n                        JANICE HAHN, California\n                     DONALD PAYNE, JR., New Jersey\n                          GRACE MENG, New York\n                       BRENDA LAWRENCE, Michigan\n                       ALMA ADAMS, North Carolina\n                      SETH MOULTON, Massachusetts\n                           MARK TAKAI, Hawaii\n\n                   Kevin Fitzpatrick, Staff Director\n             Emily Murphy, Deputy Staff Director for Policy\n                       Jan Oliver, Chief Counsel\n                  Michael Day, Minority Staff Director\n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n                  \n          
        \n                  \n                  \n                            C O N T E N T S\n\n                           OPENING STATEMENTS\n\n                                                                   Page\nHon. Steve Chabot................................................     1\nHon. Nydia Velazquez.............................................     2\n\n                               WITNESSES\n\nMr. Richard Snow, Owner, Maine Indoor Karting, Scarborough, ME...     4\nMr. Kevin Dunn, Technical Vice President, NCC Group, Austin, TX..     6\nMr. Nicholas A. Oldham, Counsel, King & Spalding, LLP, \n  Washington, DC.................................................     7\nMr. Stephen F. Mankowski, CPA, National Tax Chair, National \n  Conference of CPA Practitioners (NCCPAP), National Secretary, \n  NCCPAP, Partner at EP Caine & Associates CPA, LLC, Bryn Mawr, \n  PA.............................................................     9\n\n                                APPENDIX\n\nPrepared Statements:\n    Mr. Richard Snow, Owner, Maine Indoor Karting, Scarborough, \n      ME.........................................................    25\n    Mr. Kevin Dunn, Technical Vice President, NCC Group, Austin, \n      TX.........................................................    36\n    Mr. Nicholas A. Oldham, Counsel, King & Spalding LLP, \n      Washington, DC.............................................    42\n    Mr. Stephen F. Mankowski, CPA, National Tax Chair, National \n      Conference of CPA Practitioners (NCCPAP), National \n      Secretary, NCCPAP, Partner at EP Caine & Associates CPA, \n      LLC, Bryn Mawr, PA.........................................    47\nQuestions for the Record:\n    None.\nAnswers for the Record:\n    None.\nAdditional Material for the Record:\n    NAFCU - National Association of Federal Credit Unions........    
54\n \n SMALL BUSINESS AND THE FEDERAL GOVERNMENT: HOW CYBER ATTACKS THREATEN\n                                  BOTH\n\n                              ----------                              \n\n\n                       WEDNESDAY, APRIL 20, 2016\n\n                  House of Representatives,\n               Committee on Small Business,\n                                                    Washington, DC.\n    The Committee met, pursuant to call, at 11:00 a.m., in Room \n2360, Rayburn House Office Building. Hon. Steve Chabot \n[chairman of the Committee] presiding.\n    Present: Representatives Chabot, Luetkemeyer, Hanna, \nGibson, Brat, Hardy, Kelly, Velazquez, Clarke, Payne, Meng, and \nAdams.\n    Chairman CHABOT. Good morning. The Committee will come to \norder. I want to thank you, everyone, for being here today, and \nwe want to especially thank all of our witnesses for coming \nhere to share your insights and expertise with this Committee \non a very timely and important subject. In April of last year, \nthis Committee heard from a panel of industry experts about how \nsmall businesses across the country are being threatened by a \ngrowing number and variety of cyber attacks. Since then, the \nthreat to small businesses has only grown. Unfortunately, in \nmany ways, the Federal Government's efforts to guard against \nthis threat have not kept pace.\n    This morning, the Committee will look at the effects of \ncyberterrorism and cyber attacks on both small businesses and \non the Federal Government. Small businesses face an increased \nrisk because they lack the resources to protect themselves \nagainst sophisticated cyber attacks. We must make sure that the \nFederal Government is part of the solution and not adding to \nthe problem. It is vital to both the economic and national \nsecurity of this nation that the sensitive data held by Federal \nGovernment be safeguarded. 
The owners, employees, and customers \nof America's 28 million small businesses need to have \nconfidence that their data is secure.\n    I think it is fair to say that confidence has been shaken \nin recent years with the cyber attacks on the IRS, the State \nDepartment, OPM, and even the White House. Between foreign \nhackers from countries like China and Russia and domestic \nidentity thieves, the Federal Government has a target on its \nback that seems to get larger by the day.\n    This is why recent findings by the Government \nAccountability Office (GAO) on cybersecurity problems at \nagencies like the IRS and the SBA, are so troubling to me and \nmany other members of this Committee. Just this month, the GAO \nreported that the IRS paid $3.1 billion in fraudulent identity \ntheft, or IDT, tax returns. Three billion dollars for people \nfiling tax forms, for example, that were not the person who \nactually should be getting the credit back.\n    When the GAO testified before this Committee earlier this \nyear, they told us that ``the SBA has not conducted regular \nreviews of its IT investments.'' In these scenarios, American \nsmall businesses and consumers were put at risk due to a lack \nof diligence by Federal agencies. Just last week, I asked IRS \nCommissioner Koskinen about the data breach at his agency last \nMay, which compromised the data of approximately 700,000 \naccounts. The commissioner informed our Committee that there \nare 1 million cyber attacks at the IRS every day. Think about \nthat. One million cyber attacks every day at the IRS, people \ntrying to get into files for illicit, illegal purposes.\n    With over 3 billion different mobile applications and $340 \nbillion in online commercial sales last year, business \ntransactions are moving away from the cash register and toward \nthe smartphone. 
It is great to be able to order your coffee or \npay your electric bill or reserve a car ride using your phone, \nbut with this convenience comes increased exposure for both the \ncustomer and for businesses. In 2015, the average amount stolen \nfrom small business bank accounts after a cyber attack was over \n$32,000.\n    The fast pace of changes in technology means that hackers \nare coming up with more sophisticated methods to go after \nintellectual property, accounts, Social Security numbers, and \nanything else that can be used for financial gain or a \ncompetitive edge. With all of the uncertainty facing small \nbusinesses in today's world of e-commerce, it will take \nvigilance by all Federal agencies, and the watchful eye of this \nCommittee, to ensure the data of small businesses and \nindividual Americans remain secure. We must also look for new \nand innovative ways to help small businesses protect their data \nfor this great and growing threat.\n    I look forward to hearing from our witnesses here this \nmorning, and I will now yield to the Ranking Member for her \nopening statement.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman.\n    Technological innovations are vital to our modern economy, \nand even more essential to the nation's small firms. In fact, \nsmall businesses are some of the savviest users of technology \nby using the internet to access new markets to grow and \ndiversify. Yet, for all the benefits technology brings to the \nequation, it also creates additional challenges for business \nowners, consumers, developers, and vendors. As more consumers \nand businesses participate in E-commerce, protecting our \nfinancial information from cyber attacks is critical.\n    Unfortunately, recent data breaches at federal agencies, \nlike the IRS and OPM, compromised financial data and personal \ninformation of millions of people. Attacks like this have made \nclear the weaknesses of the current cybersecurity landscape. 
\nLast year's attack on the IRS exposed over 700,000 taxpayers' \naccounts, and just last week we found out a former FDIC \nemployee breached the information of 44,000 FDIC customers.\n    These attacks strike close to home for many of us, \nincluding small business owners. Keeping software and networks \nup-to-date with the latest security is no longer enough. Cyber \nthreats come in many forms, but they are devastating to both \nbusiness owners and their customers. A single attack can wipe \nout a small business, which is why cybercrime poses severe \nproblems for small businesses that are unprepared.\n    Sadly, some small companies fail to recognize the value of \ncybersecurity as an investment until it is too late. On the \nother hand, small firms that do recognize the importance of \nsuch an investment often lack the resources to implement an \neffective security system. Just as we must strengthen private \nsector cybersecurity, we need to ensure Federal agencies take \nprecautions.\n    The testimony we will hear today will help us better \nprotect the nation's small businesses from growing cyber \nthreats. We will discuss the strengths and weaknesses of our \nfederal initiatives and what more must be done for private and \ngovernment data protection. In advance of the testimony, I want \nto thank all the witnesses for both your participation and \ninsights to this very important topic.\n    With that, Mr. Chairman, I yield back.\n    Chairman CHABOT. Thank you very much. The gentlelady yields \nback.\n    If Committee members have opening statements prepared, we \nask that they be submitted for the record.\n    I would like to take just a moment to explain our timing \nand lighting system here. It is pretty simple. You get 5 \nminutes. The green light will come on there and you can talk \nfor 4 minutes. The yellow light will come on. That will let you \nknow you have a minute to wrap up. 
Then the red light will come \non after a total of 5 minutes, and if you could try and stay \nwithin that, we would greatly appreciate it. The members hold \nourselves to the 5-minute rule, also, and we will ask you \nquestions then.\n    I would now like to introduce the panel. Our first witness \nis Richard Snow, owner of Maine Indoor Karting in Scarborough, \nMaine. Mr. Snow is here to provide his experience as a small \nbusiness owner whose company was the victim of a cyber attack.\n    Our second witness is Kevin Dunn, technical vice president \nof NCC Group in Austin, Texas. He has over 14 years of \nexperience as a professional security consultant.\n    And our third witness today is Nicholas Oldham, counsel at \nKing and Spalding in Washington, D.C. In his current role, Mr. \nOldham assists clients with cybersecurity and risk management, \ndata privacy, incident response, and internal government \ninvestigations. We welcome you all here today.\n    I would now like to yield to the Ranking Member to \nintroduce the final witness.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman. It is my pleasure \nto introduce Mr. Stephen Mankowski, the national tax chair and \nnational secretary for the National Conference of CPA \nPractitioners. He is also a partner at EP Caine and Associates \nCPA, LLC, where he advises individuals and small businesses on \nissues related to accounting, taxation, business consulting, \nand litigation support services. Welcome.\n    Chairman CHABOT. Thank you very much. I would now like to \nrecognize Mr. Snow. You are recognized for 5 minutes, sir. \nThank you.\n\nSTATEMENTS OF RICHARD SNOW, OWNER, MAINE INDOOR KARTING; KEVIN \n  DUNN, TECHNICAL VICE PRESIDENT, NCC GROUP; NICHOLAS OLDHAM, \n  COUNSEL, KING AND SPALDING LLP; STEPHEN F. 
MANKOWSKI, CPA, \n NATIONAL TAX CHAIR, NATIONAL CONFERENCE OF CPA PRACTITIONERS, \nNATIONAL SECRETARY, NCCPAP, PARTNER AT EP CAINE AND ASSOCIATES \n                            CPA, LLC\n\n                   STATEMENT OF RICHARD SNOW\n\n    Mr. SNOW. Good morning. Thank you, Chairman Chabot, Ranking \nMember Velazquez, and members of the House Small Business \nCommittee for inviting me to testify today on the current state \nof cybersecurity for small companies and how phishing scams \nhave impacted my own small business.\n    My name is Rick Snow, and I am the owner of Maine Indoor \nKarting, located in Scarborough, Maine. We are an indoor \nentertainment venue with a go-kart track, mini golf course, \narcade, and cafe. We have about 20 employees.\n    I am pleased to be here representing the National Small \nBusiness Association, where I currently serve as a Board of \nTrustee member and Chair of the Environmental and Regulatory \nAffairs Committee.\n    NSBA is the Nation's oldest small business advocacy \norganization with over 65,000 members representing every sector \nand industry of the U.S. economy. NSBA is a staunchly \nnonpartisan organization devoted solely to representing the \ninterests of small businesses which provide almost half of all \nprivate sector jobs to the economy.\n    Several data breaches within the Federal Government, \nincluding OPM, IRS, and DOD make it clear the government \nstruggles to combat cyber attacks. If the government cannot \nprotect its networks and data from cyber attacks with almost \nunlimited resources at its disposal, how can we expect \nAmerica's small businesses to do so? Forty-two percent of NSBA \nmembers surveyed indicated that they have been the victim of \ncyber attack. In almost half of those attacks there was an \ninterruption in service.\n    I was the victim of a phishing attack, and I have also had \nmy credit card stolen three times. 
When I was phished, I \nreceived an email from my bank that there had been a suspicious \nattempt to gain access to my account. The email urged me to \nimmediately log in to my account and confirm that it was, in \nfact, an unauthorized attempt. The link provided in the email \nlooked identical to the log-in page of my bank. Frantic that \nthere had been a breach, I logged in, and as soon as I typed my \npassword, I realized what had happened. I raced to the local \nbranch of my bank to set up a new account which took several \nhours. It took about a week to get the new checks and debit \ncards for the new account to us. Since we used the cards and \nchecks for all our bills and local purchases for our business, \nI had to either use our company line of credit or my own credit \ncards. This is not unusual as many small business owners often \nneed to use their personal credit cards to support their \nbusiness, especially during difficult times.\n    The financial cost to my business paled in comparison to \nthe delays and disruptions. My wife, who runs the day-to-day \noperations of our business, and her work were limited because \nshe spent the week trying to update all of the vendors with the \nnew account information.\n    According to the NSBA 2015 Year-End Economic Report, in 10 \npercent of cyber attacks, a bank account was improperly \nassessed. I was one of those. Two weeks after the initial \nphishing attack, I logged into our new account late Friday \nevening, and to my horror, found that my balance was zero. It \nwas payday and I was terrified that the paychecks that were \nissued that day would not clear. We are supporting a number of \nfamilies, many of which live paycheck to paycheck and could not \nhave made it without that particular payday. 
I quickly \ndiscovered that three wire transfers were made that night to \nthree different bank accounts around the country totaling \n$15,000.\n    This is an ongoing threat of internet age, and it will \nevolve as long as the internet continues to facilitate commerce \nin the global economy. It is unlikely that there will be one \nsolution.\n    I am sorry. I missed a page. So, excuse me. Sorry.\n    After a night of no sleep, I had to be at the bank first \nthing Saturday morning. I was lucky and was able to stop the \nwire transfers. I had to then spend another day away from work \nopening another account and going through the process of \ngetting all my new cards and ordering new checks. My poor wife \nhad to spend another week updating vendors. She spent the \nbetter part of 2 weeks away from her normal duties because of \nthis phishing incident.\n    My bank told me that this was a standard phishing loss and \nthat I was lucky that I discovered it before the 48 hours had \nlapsed so no money was actually stolen. My business accounts \nwere not protected against theft the way that my personal \naccounts would be, so the losses would have been on my \nbusiness. This attack could have ended my business if I had not \nbeen able to recover the money. Most small businesses do not \nhave a significant cushion to absorb these type of losses, and \nwe are no different. Losing thousands of dollars during a tough \ntime in the economy can make a significant different for me, my \nbusiness, and my employees.\n    As small businesses become increasingly dependent on the \ninternet, they become a larger target for cybercriminals. These \nthreats are very real and immediate. In fact, 94 percent of \nsmall business owners indicate they are concerned about being \ntargeted by cyber attacks. 
For many small businesses, a \ncybersecurity incident could lead to an entire network being \ndown for many days until the full extent of the problem is \nknown and then fixed.\n    This is an ongoing threat of the internet age and it will \nevolve as long as the internet continues to facilitate commerce \nat the global economy. It is unlikely that there will be one \nsolution to stop the attacks. In fact, slowing and preventing \nthese attacks will most likely require an ongoing process to \nidentify new threats, vulnerabilities, and ultimately, \nsolutions. I urge Congress and this Committee to always bear in \nmind the unique challenges that small businesses face and \ncontinue to include the small business community in that \nprocess.\n    Thank you for allowing me to testify before the Committee \ntoday, and I would be happy to answer any questions that you \nmight have for me.\n    Chairman CHABOT. Thank you, Mr. Snow, for your testimony \ntoday. What a scary situation. Thank you.\n    Mr. Dunn, you are recognized for 5 minutes.\n\n                    STATEMENT OF KEVIN DUNN\n\n    Mr. DUNN. Good morning, Mr. Chairman, Ranking Member \nVelazquez, and other esteemed members of the Committee. Thank \nyou for the opportunity to testify today.\n    My name is Kevin Dunn, Technical Vice President for NCC \nGroup. For the last 15 years, I have dedicated my career to \ncarrying out cybersecurity attacks against private companies \nand government organizations. I am not a criminal; I am a \npenetration tester. For our actions in this highly specialized \nfield, my colleagues and I determine ways to break into \norganizations via cyber and physical means. Specifically, we \nare hired to identify vulnerabilities that allow a company's \nsecurity to be compromised. 
This exercise subsequently allows \nus to provide customized advice to our clients, detailing the \nshort- and long-term actions they should take to reduce their \nsusceptibility to attack.\n    My testimony today will focus on four areas: the strengths \nand weaknesses of cybersecurity training, increasing security \nwhen using cloud service providers, the potential impact of \nsmall business security on the government, and the benefits of \na data-driven risk model.\n    To evaluate the state of high level cybersecurity training \ndesigned for small businesses, I would like to explore two \nexamples: training provided by the U.S. Small Business \nAdministration and training provided by the Federal \nCommunications Commission. Through these trainings, small \nbusinesses are able to gain awareness of important \ncybersecurity threats such as the dangers associated with \nphishing emails, malicious websites, malware, ransomware, and \nthe typical motivations of attackers. This information provides \nan ample start for educating small businesses in a general \nawareness capacity and extends to providing cybersecurity tips \nfor the major areas of concern. However, the training and \nguidelines are high level in nature and lack the depth of \ninformation needed to convert directly into hands-on actions. \nIn the world of small business IT support where efforts are \ntypically coordinated by owner-operators, this information may \nnot be comprehensive enough to make a worthwhile difference \nbeyond providing general education.\n    Many small businesses use cloud service providers to \nimplement important services like email, file storage, and data \nbackup. This often unburdens the IT administration overhead \nfrom small business owner-operators or small businesses with a \none- or two-person IT team. The use of third-party cloud \nservice providers is typically a positive security move for \nsmall businesses. 
The attention to security from the major \nproviders in this space affords a number of features that \ngreatly increase the security of data for a small business.\n    However, it should be noted that there are additional \nfeatures that should be enabled to make attacks harder for \nadversaries. These features are often not enabled by default. \nChief among these is the use of multifactor authentication. The \nmajority of major online services now support the use of \nmultifactor authentication using at least SMS messages to a \ncell phone as a means of out-of-band authentication. But \ndespite this inexpensive option, it is often overlooked by \norganizations that use cloud services or internet services, \nrelying instead on single factor authentication in the form of \nuser names and passwords.\n    The impact of a small business on the government should be \nconsidered in at least two key ways. The first concerns the \ndirect and indirect connectivity between a small business and a \ngovernment network. The second concerns small businesses in the \ngovernment supply chain. A small business with a direct \nconnection to a government network is likely a rare occurrence, \nbut in such a scenario, if the small business is compromised \nsufficiently, an attacker's ability to traverse to a government \nnetwork could be a simple task. However, examples of indirect \nconnectivity are more common and are typically databased in \nnature. When government users consume the services of a small \nbusiness, their user names, passwords, personal information, \nand other data could be used in a subsequent attack against \ngovernment systems if extracted from a compromised small \nbusiness system. Of course, the reverse is true as well.\n    The second area to consider is when a small business is in \nsome way part of the supply chain to a government department or \nagency. 
The most typical examples of this are where a small \nbusiness develops software or hardware that is subsequently \ninstalled on government networks.\n    Finally, a good way to think about security and a means to \nensure that the approaches chosen to secure your organization \nare fit for purpose is to think first about the data you care \nabout. Considering the data first is an excellent approach and \none that is advised in the FCC's small business cyber plan at \nall. However, too few organizations actually consider their \ndata or subsequently plan security around the value of \ndifferent data types. Even fewer organizations consider what \nwill happen when, not if, an attacker gains access to their \ndata. Using a data-centric risk management model would allow \nsmall businesses to focus their security attention where they \nneed it most.\n    Thank you again for this opportunity to address this \nCommittee. I will be happy to answer any questions.\n    Chairman CHABOT. Thank you very much.\n    Mr. Oldham, you are recognized for 5 minutes.\n\n                  STATEMENT OF NICHOLAS OLDHAM\n\n    Mr. OLDHAM. Mr. Chairman, Ranking Member, and members of \nthis Committee, thank you for allowing me the opportunity to \nappear before you today.\n    I have been involved in cyber issues for many years as a \nformer Federal prosecutor at the U.S. Department of Justice, \nand now as an attorney at King and Spalding. In my practice, I \ncounsel clients, both large and small, on cybersecurity risk \nmanagement. Our interconnectivity is growing at an astonishing \nrate. This interconnectivity, especially the internet of \nthings, holds tremendous promise for consumers and companies. \nIt also creates new challenges in terms of cybersecurity \nbecause anything connected to the internet can be hacked.\n    Cyber attacks cost businesses billions of dollars every \nyear as a result. Where do small businesses fit into this \nlandscape? 
The interconnected world lets small businesses \ndevelop new products and services and compete across the globe, \nbut with cybersecurity, small businesses often get burned at \nboth ends. They are less likely to have the resources to \nprevent breaches, and also may have fewer resources to respond \nto those breaches. It can be difficult for small businesses to \nfind the right information and training, and the cost of \nmitigation measures in response can significantly impact a \nsmall business' bottom line.\n    As a lawyer, I do not manage corporate networks. I do not \nconduct vulnerability testing. Rather, I believe that \ncybersecurity is as much a people and a process issue as it is \na technical issue. I focus on the people and process side of \nthe equation, addressing the legal and business cybersecurity \nrisks faced by companies. I also help manage companies comply \nwith their legal obligations, interact with various regulators, \nand respond to regulatory enforcement actions and litigation. \nThese legal and business costs, including compliance costs, \ndrain on employee morale, and time and reputational damage can \nbe significant.\n    There are at least three ways the government can play a \nrole in lowering these costs. First, by addressing the \ncybersecurity education gap. When weighing the costs and \nbenefits of enhancing their cybersecurity, companies may find \nthat it is far more expensive to not implement basic security \nmeasures. The problem here is that there is a cybersecurity \neducation gap. Small businesses may not find the information \nthey need to properly assess and mitigate these costs.\n    Bridging this education gap can be difficult for small \nbusinesses, especially those that lack the resources to hire \nspecialized employees or cybersecurity experts. 
Even when \ninformation is available online, it is often difficult to find, \nrarely updated, and often inadequate.\n    In many ways, cyber threats have analogs to traditional \ncrime. In the traditional crime scenarios, small businesses \nwould likely call the local police department for best \npractices in preventing or responding to crime. In the digital \ncrime scenarios, there is no one logical place to call. The \ngovernment may have a role in bridging the cybersecurity \neducation gap by encouraging the development of cybersecurity \neducation resources and connecting them to those who need them \nin the private sector.\n    Second, many of the cybersecurity initiatives receiving the \nmost attention are not necessarily tailored to small \nbusinesses. For example, the NIST cybersecurity framework is \nemerging as a leader, which is a promising development. This \ncould simplify the landscape for small and large businesses \nalike. The current iteration of the NIST framework, however, is \nnot particularly geared towards small businesses. It can be \ndifficult and expensive to understand and implement regardless \nof business size, and until it is better tailored to small \nbusinesses, for some of them it may just be one more program \nthat they cannot afford to keep up with.\n    Perhaps more importantly, a small business might become \nsubject to a cybersecurity framework by virtue of its \ncontractual relationships. In this case, the small business \nmight inadvertently expose itself to significant liabilities \nand cyber risks. 
While good cyber hygiene is important, to \nimprove the NIST framework and similar programs and policies, \nthe government should make a serious effort to increase the \ninvolvement of small business owners in all phases of the \nlegislative and rulemaking process.\n    Third, the current regulatory regime for cybersecurity \npresents additional difficulties for small businesses who will \ninevitably struggle to determine both what cybersecurity \nmeasures they are required to meet, and when a breach or attack \ndoes occur, what procedures the law requires them to follow. \nThere are currently 51 different State or territory data breach \nnotification laws and many of them are inconsistent with each \nother. I have seen a growing number of Federal agencies also \nstepping into this space.\n    In short, there is a need to clarify and simplify what \ncompanies must do. Because of the complicated and evolving \nlandscape, the on-the-ground expertise of the private sector \nmust necessarily play an important role in these efforts.\n    Thank you for the opportunity to testify today, and I look \nforward to your questions.\n    Chairman CHABOT. Thank you very much.\n    Mr. Mankowski, you are recognized for 5 minutes.\n\n               STATEMENT OF STEPHEN F. MANKOWSKI\n\n    Mr. MANKOWSKI. Thank you. Mr. Chairman, Ranking Member \nVelazquez, and members of the Committee, thank you for inviting \nme to testify today.\n    My name is Stephen Mankowski, a partner with EP Caine and \nAssociates, the Executive Vice President of NCCPAP, the \nNational Conference of CPA Practitioners, and a member of the \nAICPA.\n    NCCPAP has been at the forefront of identity theft issues \nthrough our advocacy and testimony at prior hearings dealing \nwith ID theft. NCCPAP members have helped guide numerous \nclients who have been victims of identity theft.\n    ID theft has been growing exponentially for years. 
It seems \nthat no matter what controls are put in place, criminals have \nbetter and more focused resources to circumvent these \nsafeguards.\n    The IRS reminds practitioners that they must be vigilant \nwith their system integrity. Criminals are aware that the prize \nfor breaching tax practitioner systems could yield not only \nnames and Social Security numbers, but also several years of \nearnings, as well as bank information and dates of birth. Two \nMidwestern firms were compromised this tax season and had \nfraudulent returns submitted by utilizing their Electronic \nFiling Identification Number or EFIN.\n    While firms are required to obtain an EFIN from the IRS to \nelectronically file tax returns, paid preparers are required to \nuse a Practitioner Tax Identification Number or PTIN. Firm \ninformation, including their Employer Identification Number, \nhowever, still appears on their tax return. Given the risk of \nfirm ID theft, why has the IRS not adopted a firm PTIN, \nsomething that NCCPAP strongly recommends?\n    Over the past year, as noted by the other panelists, the \nIRS has had multiple system breaches. First, the IRS online \ntranscript program, Get Transcript, was compromised in May \n2015. The number of accounts affected now exceeds 700,000. The \nsecond breach was related to the IP PIN retrieval tool that was \ncontained on the IRS website and is more troubling. The \ntaxpayers who have IP PINs have already been victims of tax \nrefund fraud and obtained the six-digit IP PIN to prevent \nfurther unauthorized account access or tax filings. This tool \nhad been used using the same interface as Get Transcript but \nhad remained available to the public, and unfortunately, those \nless scrupulous.\n    Social Security uses a banking prenote to verify the \naccuracy of the recipient's banking information prior to the \ninitial payment. Unfortunately, the IRS refund system does not \ninclude prenote account verification. 
The implementation of a \nprenote system could result in a significant reduction of the \nannual $3.1 billion misappropriation of government funds.\n    While it is easy to understand that taxpayers want to \nreceive their refunds as quickly as possible, one must ask a \nsimple question: Is paying a tax refund in 7 to 10 days \nprudent? A recent survey by Princeton Research Group noted that \n22 percent of taxpayers surveyed would be willing to wait up to \n6 to 8 weeks to receive their refund if they knew it would \ncombat identity theft.\n    Taxpayers are urged to protect their personal data, but \nwith widespread internet usage, online shopping, and criminals \njust waiting to pounce on unsuspecting victims, ID theft \ncontinues to grow. Individuals and businesses remain the target \nof cyber attacks and must remain cautious when opening emails \nwith attachments, visiting web pages, or simply paying for the \nfamily groceries. Taxpayers often do not realize they have been \na victim of tax-related ID theft until their electronically \nfiled tax return gets rejected. Once a taxpayer has been \nvictimized, they expect to obtain an IP PIN from the IRS, and \nstarting in January 2017, they automatically will.\n    In conclusion, NCCPAP feels that using the prenote \ntechnology that already exists and is used throughout the \nfinancial industry would allow taxpayers to continue receiving \ntheir refunds promptly while reducing refund fraud.\n    Further, NCCPAP urges Congress to pass legislation to \nprovide the IRS the necessary authority to regulate all tax \npreparers and require paid preparers to meet minimum standards. \nCurrently, only CPAs, EAs, and attorneys are subject to the \nrequirements of IRC Circular 230.\n    Finally, NCCPAP calls on Congress to provide the necessary \nfunding for the IRS to continually modernize and upgrade their \nsystems to minimize and eliminate data security breaches. 
The \nfirst step would be Congress reauthorizing streamlined critical \npay authority to allow the IRS to secure top IT talent without \na 3- to 6-month waiting period.\n    Thank you for the opportunity to present this testimony, \nand I welcome your questions.\n    Chairman CHABOT. Thank you very much, and we appreciate the \ntestimony of all the witnesses here this morning. It was \nexcellent.\n    Mr. Snow, first, let me apologize to you for having to \nreturn a call there before your testimony. I apologize for \nthat, but I had your written statement ahead of time, so I am \nprepared.\n    You experienced a worst-case scenario for a small business \ncyber theft. What advice would you give to others who are put \nin the same or a similar situation?\n    Mr. SNOW. The first thing I would do is to ensure that when \nyou look at the website at the top, web ID, that there is an \nhttps ID, and that would have prevented that from happening. I \njust learned that in that process. But it would be very \ndifficult to stop someone from just accessing the way it was \nwith me because it was an identical website to the bank \nwebsite. The login looked identical. In fact, there was no \ndifference.\n    What was more disconcerting to me was the fact that they \nstole the new account number, and to this day, no one \nunderstands how that happened; how they were able to access a \nbrand new account opened with all that information and move \nmoney out of the new account, not the old account.\n    Chairman CHABOT. How long did it take you to straighten all \nthis out?\n    Mr. SNOW. The whole process was about a month because, the \nfirst time we had to rush everything because they have to print \nnew checks and new credit cards and everything, so it was about \na week and a half. Then when we discovered the loss, it was 2 \nweeks later. Then we had another week and a half or so of \nadditional time to go through that whole process again.\n    Chairman CHABOT. Mr. 
Dunn, in your testimony, you provided \nthe example of using text message authentication as an \ninexpensive use of multifactor authentication. Are there other \ninexpensive steps the Federal Government or small businesses \ncould make in order to verify accounts?\n    Mr. DUNN. Yes. I think that you can use email. There are a \nnumber of channels that you can use. The situation really is \nthat when you rely on just one thing, in perhaps this case as \nwell, just a username and password, that that is a single point \nof failure. The point is to have more than one authenticating \nfactor. A number of things could do that so long as it is out \nof band from the process.\n    Chairman CHABOT. Thank you very much.\n    Mr. Oldham, protecting the privacy and civil liberties of \nAmericans is obviously an important component of cybersecurity \ndiscussions. What effort is the private sector making to \nprotect consumers in this area?\n    Mr. OLDHAM. One of the key goals is transparency, \ncommunicating to consumers what information is being collected \nand how it is being used. That has become even more important \nas the ecosystem is growing so that everything is connected, \nmultiple third parties and the like, and the third party would \ninclude, for instance, sharing information with the government. \nI think the most critical step the private sector is taking is \nensuring that there is this transparency.\n    Chairman CHABOT. Thank you very much.\n    Mr. Mankowski, in your testimony, you gave a firsthand \naccount of how a tax preparer dealt with confusion and delays \nwith the IRS in response to a data breach. What would you \nrecommend to the IRS for future responses to a tax preparer \nonce a breach has been confirmed?\n    Mr. MANKOWSKI. That is a very good question, Mr. Chairman. 
\nWhat I would recommend, first of all, is that I have reached \nout to my contacts that I deal with through some of my \ncommittees at the IRS, and it is being addressed tomorrow at a \nmonthly meeting. But in addition, I would advise practitioners \nto know who their local stakeholder liaisons are so they have \nan area that they could reach out to so that they can start the \nprocess of communicating with the IRS when they suspect there \nmay be a breach, not once they actually confirm. Because during \nthat period of time, if their EFIN was being used improperly, \nthe IRS could have stepped in very quickly, disabled their \nEFIN, and could have potentially stopped fraudulent returns \nfrom being processed.\n    Chairman CHABOT. Thank you. Let me give you another \nquestion. You mentioned a recent audit where 6 of 13 e-filing \nsites failed to take steps to protect consumers from fraudulent \nand malicious emails. What recommendations would you offer \nthese sites in order to improve their cybersecurity?\n    Mr. MANKOWSKI. That is also a very interesting question. I \nbelieve that is one that Mr. Dunn could probably help with as \nfar as the cybersecurity aspect. But they would certainly need \nto ensure that as they are going through their systems that \nthey are making sure that any incoming emails are being \nchecked. There has been widespread spoofing of calls as well as \nemails coming in to companies that are purporting themselves to \nbe high-level individuals within a company asking for data that \nthey would normally be asking for, such as W-2s and such, that \neverything looks to be coming from that individual, everything \nlooks the same, just the email address may be slightly or just \nsomething a little bit off. 
Companies really need to be \nvigilant as to looking at who emails are coming in from, and if \nthey are not sure if it is legitimate or not, they should pick \nup the phone and call the person who they are actually getting \nthis request from. Simply responding to that email, you are \nresponding back to the criminal. Of course, they are going to \nsay, oh, yeah, I am so-and-so, and I need to get this \ninformation to finalize a report for the board. They are \nfurther spoofing. They just need to be careful when they are \nresponding, and as Mr. Snow had mentioned, making sure that any \nwebsites they go into do have the https that would mean that it \nis a secured website.\n    Chairman CHABOT. Thank you very much.\n    Mr. Dunn, I would follow Mr. Mankowski's advice, except \nthat I am out of time, and I like to hold myself to the same \nrules I do everybody else. So I will yield back my time, and \nthe gentlelady, the Ranking Member is recognized for 5 minutes.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman.\n    Mr. Mankowski, last week we had the Commissioner of the IRS \nhere testify before our committee, and he talked about the \nCybersecurity Summit between the IRS and tax practitioners. \nFrom the industry perspective, do you believe this partnership \nis effective at preventing tax fraud?\n    Mr. MANKOWSKI. I think it is a very good first step, and \nthey have already shown that it has been successful. They have \nmet with, and they have included initially people from State \nassociations, State government, as well as the banking and \nsoftware community, to work on trying to prevent tax returns at \nthe onset when they are being processed into the IRS system. \nThey have gone further and expanded their focus now to start \nincluding practitioners into their groups, and they are \nestimating that last year, with the first year of their summit, \nthey prevented in excess of 3 million fraudulent returns from \ngetting into the system. 
Now they just need to understand that \nreturns are, unfortunately, getting through the filters, so now \nthey need to keep working on filters during the processing and \nprimarily protecting the refunds because that is taxpayer \ndollars, as well as government funds, that are being \nmisappropriated.\n    Ms. VELAZQUEZ. Thank you.\n    Mr. Snow, I am concerned that typically, small business \nowners view an investment as a way to increase revenues, yet, \nwith cybersecurity they are expected to make an investment in \norder to prevent revenue losses. So is it often hard to \npersuade small firms to spend money without seeing an immediate \nreturn? What needs to be done to bridge this gap?\n    Mr. SNOW. I think the number one issue that we have as a \nsmall business is that every single thing leads to the bottom \nline. Every decision you make adds a cost. In our case we have \nadded insurance, cybersecurity insurance, to our overall cost. \nThe unfortunate part of that is that the deductible is very \nhigh. It is a $5,000 deductible. For me, I am out that \nimmediately. That is the same as my burglary insurance as well. \nWhen we have someone break into our building, which happened a \nfew months ago and they destroyed our security system, it cost \nus $5,000, which is also our deductible. We are out that money. \nThat happened to be all the revenues that we had for that \nparticular month. So it really eats into our bottom line. It is \nvery expensive.\n    Ms. VELAZQUEZ. Mr. Dunn, in your estimation, how much would \nit cost a company, a small company, one with fewer than 250 \nemployees, to become cyber safe?\n    Mr. DUNN. I think it is very hard to provide that \nestimation because it really depends on the data that they \nhold, the types of inputs and communication channels they have. \nWe could be talking about a very simple setup or we could be \ntalking about a very complicated setup. 
It is true that the \ncybersecurity industry has a certain price point that currently \nis very difficult for small business owners to take part in. \nCertainly, we are probably talking thousands of dollars in \norder to get consultative help.\n    Ms. VELAZQUEZ. Thank you.\n    Mr. Oldham, who do you think is best situated to handle \ncybersecurity threats, the federal government or private \nindustry? Or do you think some sort of balanced public-private \npartnership is needed to properly address cybersecurity needs?\n    Mr. OLDHAM. I think the balanced public-private partnership \nis the key. This industry is evolving so rapidly, and when the \ngovernment gets involved, it becomes very static. I think it is \nimportant to make sure the private sector has a huge input, and \nthat is why I think something like in this framework is a great \nstart because it is voluntary. It attempts to coalesce the best \nstandards that are out there, but it is also something that has \na recognition that it needs to evolve over time. My worry is \ntipping the scale to one side or the other will cause the \ncurrent industry to stagnate more.\n    Ms. VELAZQUEZ. What type of recommendations would you offer \nfor encouraging that type of partnership?\n    Mr. OLDHAM. Number one, supporting NIST's efforts and what \nthey are doing. Right now, NIST has put out a framework. It has \nhad some widespread success but also quite a bit of criticism \nfrom industry. They held a workshop last month where they heard \nfrom several sectors of the industry, including small business, \nthat it is not really approachable and useful. Just as a big \npicture, the NIST framework was designed for critical \ninfrastructure, so it is not approachable for small businesses, \nensuring that the NIST is putting the appropriate emphasis on \nadapting itself to particular market sizes and industries.\n    Chairman CHABOT. The gentlelady's time has expired.\n    Ms. VELAZQUEZ. Thank you.\n    Chairman CHABOT. 
Thank you.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman.\n    Chairman CHABOT. The gentleman from New York, Mr. Gibson, \nis recognized for 5 minutes.\n    Mr. GIBSON. Thanks, Mr. Chairman. I appreciate the \nopportunity here today to hear from the panelists' illuminating \ntestimony provided.\n    Mr. Snow, I want to begin with you, just a point of \nclarification. You, in telling us about what had happened to \nyou, you had made the comment that, fortunately, within 48 \nhours you were able to take action. What was implied in your \nstatement is we have a differentiation between business and \npersonal liability or accounts. I am looking for clarification. \nIs there some dimension of FDIC that protects people? Why is it \ndifferent? If you could just help me understand that, number \none.\n    Mr. SNOW. Number one, I do not know the exact \nramifications. My understanding was because it was a wire \ntransfer there is a 48-hour time that it runs. If you can stop \nit within that timeframe, the money does not actually transfer \nor they can call it back, the bank, with the interbank \nprocesses.\n    Mr. GIBSON. Do any other panelists know the answer for \nthat? Why is it that business does not seem to have the same \nprotection as an individual? One of my constituents out there, \nif somebody was to do a phishing expedition on them and they \nwould be under similar circumstances, I am curious if anybody \nknows the answer to that.\n    Okay, for the Committee, I think that is something probably \nworth checking into. A concerning situation. I am glad it \nworked out okay for you there.\n    Then Mr. Oldham--even though I know that it was Mr. Snow--\nit was very burdensome and onerous on your bottom line based on \nyou had to divert resources. Mr. 
Oldham, in one of your \ncomments you talked about that the Federal Government might \nwant to look at clarification or clarity in terms of what \ncompanies must do when these circumstances happen, reporting \nrequirements and the like. What is your understanding of what \nthe SBA requires now with regard to--or the United States \nGovernment--in terms of a protocol when a company faces an \nattack?\n    Mr. OLDHAM. I am not aware of anything from the SBA, but \nthe notification requirements at large are a hodge-podge. If it \ninvolves financial information, the Gramm-Leach-Bliley Act \nwould require notification. If it is healthcare information, \nregulations under HIPAA would require notification. Each of the \nState data breach laws has different definitions, and I think \none of the key concerns, especially if you are a small business \nand you may have information involving people from multiple \njurisdictions or multiple types of information, there is an \nenormous cost of just figuring out what you have to do at the \nbeginning.\n    Mr. GIBSON. I appreciate that comment. In fact, it mirrors \nsome of my experiences in the U.S. military. I think that is \nalso worthwhile for the Committee to capture that. Maybe we \nshould consider a clearinghouse requirement that really \nsocializes, if you will, what companies must do under these \ncircumstances.\n    Finally, for the panel, I would love to hear your insights \non this question, that with regard to science and technology, \nresearch and development, sort of blue sky, if you will, what \ndo you think, based on your experiences, would be a worthwhile \nendeavor to address the issue of cyber attack at large--on \nbusinesses, on people, on government--on where you think we \nshould put emphasis on for science and technology, research and \ndevelopment, to protect?\n    Mr. DUNN. 
I think in most cases, every incident I have ever \nbeen involved with, the visibility of what is actually \nhappening from a data and packet level is never where it needs \nto be. I would definitely like to see strides in that \ndirection, some way of increasing the ability for us to \nunderstand from a network and data perspective what has \nhappened in a given scenario.\n    Mr. GIBSON. Thank you.\n    Mr. SNOW. I think the most frustrating thing for me was to \nrealize that someone at the receiving end of that money was \ngoing to show up and get that money, and that there was no \naction taken. On my private credit card thefts, purchases were \nactually made. The merchant was out of that merchandise. \nObviously, they got the money for that merchandise, but we \nabsorb it as all of the consumers in the overall doing \nbusiness. There is no authority trying to stop these people, \nthat I know of, trying to catch these people who are making \nthese purchases with fraudulent credit cards or other things. \nThat is the frustration that I have. I know that I can call my \nlocal police when they break into my building. If I walk into a \nbank and demand money, the FBI will be chasing me forever. But \nin this case, there is really no action that is done beyond \nwhat we had to do as individual business owners.\n    Mr. GIBSON. Thank you. Mr. Chairman, I see my time has \nexpired. I wonder if maybe science and technology, research and \ndevelopment into biometrics, is a possibility as a surety for \nany kind of transaction is worth our endeavors. But I thank the \nChairman for the opportunity.\n    Chairman CHABOT. Thank you very much. The gentleman's time \nis expired.\n    The gentlewoman from North Carolina, Ms. Adams, who is the \nRanking Member of the Investigations, Oversight, and \nRegulations Subcommittee is recognized for 5 minutes.\n    Ms. ADAMS. Thank you, Mr. Chair. 
Thank you, Ranking Member \nVelazquez, for hosting this hearing.\n    Some of you have mentioned the importance of education and \ntraining in cybersecurity. I am a long-time educator and very \ninterested in what we can do there.\n    The Federal Government is involved in this in a number of \nways. For example, last year, the Obama Administration \nannounced the New Cybersecurity Consortium consisting of 13 \nHistorically Black Colleges and Universities, HBCUs, two \nnational labs, and a K-12 school district. The goal is to \ncreate a sustainable pipeline of students focused on \ncybersecurity. My question to any of you, is the Federal \nGovernment doing enough to provide the kinds of expertise that \nsmall businesses need to ensure their cybersecurity? If you \ncould speak to maybe some relationships between educating \nstudents beyond this point.\n    Mr. MANKOWSKI. Ms. Adams, I will start the discussion. I \nbelieve that from a tax standpoint, the amount of education \nreally starts from the government, from the IRS. As \npractitioners, we are continually discussing this with our \nclients that the IRS, with the different phishing phone calls \nand the email scams, that the IRS currently is not phone \ncalling or emailing people. If they get any of these calls, \nthey should hang up. If they get an email that says it is from \nthe IRS, that they have an extra refund, just delete it, \nbecause they are not going to be authentic. But every day \nduring tax season, it seemed my office was getting a phone call \nfrom someone who received a phone call that they were getting \nready to get arrested. My partner in my firm had gotten a \nsimilar phone call. We actually had a little bit of fun with \nthe people. We kind of strung them along for a little bit. 
But \nas times are changing, with the rules that were passed recently \nwith collections within the IRS, some of that, as the \ncollections get outsourced, the companies that are going to be \ntaking over will be calling and could potentially be emailing \nour clients. It is going to create an even greater disparity of \nthe education because what we have been telling our clients for \nyears, come whatever point that the IRS is able to implement \nthat process, everything we have worked on and gained with our \nclients over the last few years will pretty much be thrown out \nif they start getting phone calls from a collection for old tax \nbalances. Thank you.\n    Ms. ADAMS. Mr. Oldham?\n    Mr. OLDHAM. I think there are two separate issues; both are \nvery important. One is educating students as they come up about \ncybersecurity. That is critical. Just like educating people how \nto balance their checkbook to keep good financial sense, \nteaching people good cyber hygiene is going to be imperative \nfor minimizing the cyber threats in the future.\n    Today, educating small businesses can be more challenging \nbecause they have not had the years of education, such as a \nsecondary student. However, the biggest issue that I see is \nthat there is not a lot of helpful information out there that \nis practical and granular for small businesses. In fact, in \npreparation for my testimony today, I searched around the \ninternet looking for small business guides and was surprised \nthat in many locations, including on government websites, the \nlinks were broken, the guides were out of date, or the guides \nwere so high level that I do not know how an owner-operator \nwithout IT security background would be able to implement \nsecurity measures based on those guides.\n    Ms. ADAMS. Okay. Well, let me move on to another question. \nOnline marketplaces, such as eBay, have given small businesses \ngreater access to suppliers and customers abroad. 
A McKinsey \nGlobal Institute study found that 97 percent of U.S. small- to \nmedium-size businesses on eBay engage in export to other \ncountries. My question is, do these marketplaces and \ninternational transactions expose small businesses to greater \ncybersecurity risk?\n    Mr. Dunn, if you want to answer that?\n    Mr. DUNN. I think the websites themselves and the online \nmarketplaces do have to be vetted, do have to be verified to \nunderstand if they have any security flaws because having a \nsecurity flaw in a marketplace like that will expose the vendor \nand the small business to potential attacks. Understanding if \nthere are any flaws in that marketplace is really critical.\n    Ms. ADAMS. Quickly, Mr. Dunn, you talked about the use of \ncloud computing. What is the best way that small businesses \ncould benefit from using cloud providers to improve their \nsecurity?\n    Mr. DUNN. I think not doing conventional IT in-house is a \ngood move. Using email and file storage from a cloud service \nprovider will be beneficial because it is not on premises, and \ntypically, the major providers of those services are doing a \nlot in security and more than a small business could do.\n    Ms. ADAMS. Thank you. I am out of time, Mr. Chair. I yield \nback.\n    Chairman CHABOT. Thank you very much. The gentlelady yields \nback.\n    The gentleman from Mississippi, Mr. Kelly, is recognized \nfor 5 minutes.\n    Mr. KELLY. Thank you, Mr. Chairman. I thank each of you \nwitnesses for your insight here today.\n    First of all, I would like to echo what the gentleman from \nNew York, Mr. Gibson said. I think it is important for us as a \nCommittee to find out if there are different rules for persons \nand small businesses and then large corporations to make sure \nthat we are protecting each of those in an appropriate manner.\n    Second, Mr. Snow, it is a travesty what happened to you, \nbut that story is repeated over and over again across this \nnation. 
As a former district attorney, I can tell you that \nthere is a lot of room that we can improve in this. Do you have \nany specific areas that you think the Small Business Committee \nor the Small Business Administration can help to either educate \nor inform the general public and small business users that we \ncan take forward?\n    Mr. SNOW. Thank you. I believe that education is probably \nthe key. Obviously, cost is another big concern for every small \nbusiness. When you start a business, capital is usually at a \npremium, and when you sit down, in my case, I have close to \n70,000 members who come in and race at my track throughout the \ntime that we have been open. I have their data, and it is in a \nserver that I have to protect. That is a concern. My software \nis provided by a Belgium-based software company, so I have to \nhave access to them. They come in at night to update and \nupgrade the system on a regular basis. In an international \nmarketplace that we are in, I think education is very important \nso that the small businesses understand. The other issue is the \nliability is significant, and a lot of small businesses do not \nunderstand that. When I sat down with my insurance agent to \nrenew our insurance, that was one of the questions I asked, and \nI was amazed, number one, at the cost to get the coverage, but \nnumber two, how few businesses actually apply and get that \ncoverage. It can be very expensive for a small business.\n    Mr. KELLY. Mr. Oldham, going back, as I said, first of all, \nthank you for your service as a prosecutor. I think they are \nsome of the most important people enforcing this law, and being \na former one, I am obviously biased in that. But I thank you \nfor your service. As a former district attorney, I was on the \nlocal level or I was on the State level, and you as a Federal \nprosecutor. 
Quite commonly what I saw is that, number one, when \nsmall businesses or individuals are victimized, they do not \nknow who, how, what they need to report.\n    The second thing that I saw is quite often the \njurisdictions are not clear. It is not clear where it is coming \nfrom, and they do not inform other jurisdictions, so they do \nnot know if it is Federal, they do not know if it is State, \nthey do not know if it is county, they do not know if it is the \nnext State over. It is outside the jurisdiction of this \nhearing, but I think it is important that we inform law \nenforcement on how to deal with this and small businesses on \nhow to inform law enforcement so there is a database that we \ncan use to stop this. Do you have any ideas in that area?\n    Mr. OLDHAM. I would say generally the jurisdiction issue is \na major issue in prosecuting cyber crime cases. The resources \nare not there at the local level and it is hard to chase \ncriminal information that is as wide as the web and tracks lead \neverywhere in the world.\n    I think, going back to the education point from earlier, \ntraining local enforcement who are going to get the calls from \nbusinesses that have been breached on who to report to, who is \nthe right person in the Federal Government who can help, or \nwhere is this database, as you mentioned, would be incredibly \nhelpful to make sure the information is not just coming in for \nprosecution, but also going out to help the small businesses \naround the country.\n    Mr. KELLY. On that same line, quite often, these people who \ntake advantage of small businesses or individuals move from \njurisdiction to jurisdiction, and there is not any database \nthat gets us ahead of the curve. Quite commonly, they use the \nsame scheme. From Mississippi, they will move to Alabama, they \nwill move to Tennessee, they will move to New York City, but \nthey continue to do that. 
Are you aware of any Federal database \nwhich keeps up with ongoing scams, especially those that are \nquite frequently the same group or persons or organizations \nthat are doing the scams?\n    Mr. OLDHAM. I am not. In my role now in advising private \ncompanies, I know we call the local law enforcement, usually at \nthe Federal level, to report information, and we rely on them \nto come back to us with whatever information. But not with a \nlot of visibility of what is going on behind the scenes.\n    Mr. KELLY. Are you aware of any program, and this is for \nany of you, from the SBA or from anyone else that keeps people \ninformed of what the current scams are and the current phishing \nexpeditions and those things? Because quite frequently, people \nfall victim to something that has been used over and over. Is \nthere anything that keeps people informed where they can go to \none source and see that?\n    Mr. MANKOWSKI. I know that the IRS does release what they \nconsider to be their ``Dirty Dozen,'' which are the top tax \nfrauds that they are suspecting or they are seeing in any given \nyear. What I have seen, especially with a lot of the phishing \nand the phone calls, is that initially, some of the local news \nstations were not all that keen on picking up on it, I believe \nuntil they started to realize that even some of the people, the \ntop people within the IRS were getting the same phone calls as \nyou and I may be getting, saying that they are about ready to \nget arrested or your wife is getting arrested or the sheriff is \ncoming to take your car. Now the news stations are broadcasting \nthat the IRS does not make the phone calls. They are getting \nthe word out, which is good, because by getting it out on the \nnews on that end, they are not using any of the budget that is \nconstrained within the IRS at this time.\n    Chairman CHABOT. The gentleman's time is expired. Thank \nyou.\n    The gentleman from New Jersey, Mr. 
Payne, is recognized for
5 minutes.
    Mr. PAYNE. Thank you to the Chairman and to the Ranking
Member. I appreciate the opportunity to be here, and to all the
witnesses, thank you.
    I want to ask, would it make sense to coordinate
cybersecurity efforts that are focused on small businesses
through the SBA? My thought is that if business owners are more
informed of computer security techniques and products to secure
their networks, we may be able to help curtail some of these
cyber attacks. Does that make sense?
    Mr. DUNN. Yes, I think so. I think having coordination and
a place where really, truly, detailed information about threats
and what to do about them is put at and made available to small
businesses, would be excellent.
    Mr. MANKOWSKI. Just as a comment on that as well, one of
the areas as far as coming out with too much specifics as to
what you need to do, you are then laying out the playing field
for what the criminals need to do to get around your system.
That was evident, 2 years ago when the IRS released that no
more than three refunds in a calendar year can go into a
specific bank account. Through a lot of reverse engineering,
they found out that if you start putting a zero before the
account number and a second number and a third zero, it was
tricking the IRS systems and the banks were disregarding it. It
is nice to have the education, but they need to be aware that
too much specifics as to what you are doing or what you need to
do, you are laying out a simple playing field for the bad guys
to just circumvent.
    Mr. OLDHAM. I think consolidating information in a place
like the SBA would be very helpful. Mr. Dunn had mentioned the
FCC planning tool earlier, which is a good start, but that is
an agency that has jurisdiction over telecommunication
companies. I do not think a small retailer or other companies
of that nature would be going to the FCC's website.
I think you
want to be able to have those resources in a place that folks
are willing to call or to search for.
    Mr. PAYNE. Sure. I think it would be a natural depository
of information. They are already dealing with the agency, so
that is something that might make sense.
    Unfortunately, even when consumers receive notification of
a security breach, many of them do nothing about it or just do
not know what to do and the next steps to remedy the breach.
What should they do to protect themselves from increased risk
of identity theft?
    Mr. SNOW. I have got a number of levels of security systems
that I have put in place. Number one, I have an external server
provider that has a junk mail box. So anything that does not
look accurate or looks not quite right, it goes directly into
the junk mail. I have an internal system within my network in
the building that also looks at that, and that has a separate
junk mail file. So if it gets through the first level of
protection, it then goes to the second level, at which point
the user would have to override that junk mail from both
levels. That is one.
    Going back to your other question, I think for me as a
small business owner, consistency is very important. As the
other members mentioned, every state has a different
jurisdiction, and for me as a small business owner, I have
customers all over the world. If I were ever to be breached and
that data was accessed, I would have a number of different
jurisdictions to go after and figure out what I need to do.
There is a tremendous cost in that.
    Mr. DUNN. I think to the point of defense in depth and not
relying on any single point of failure, that is pretty key. The
concept of having several things that ultimately would have to
be bypassed is typically the best approach instead of just
having one particular thing.
    Mr. OLDHAM.
One thing that your question raises is the fact
that many Americans are receiving these breach notification
letters and they all give the same advice: monitor your
accounts, sign up for credit monitoring. It seems like maybe a
better way of getting at that is general consumer education as
opposed to forcing companies to send out these notifications
that many of us receive every week, every month, and doing it
maybe a slightly different way that is more impactful for the
consumers.
    Mr. MANKOWSKI. Finally, from a tax perspective, people,
taxpayers, if they do receive one of these breach notifications
and find out that they have been a victim of identity theft,
they need to not only report it to the three credit agencies,
they should also file a specific form with the IRS, which would
put them on notice that they were a victim and that to be
careful for a fraudulent tax return coming in from them.
    Mr. PAYNE. Thank you, Mr. Chair, I yield back.
    Chairman CHABOT. Thank you very much. The gentleman's time
is expired.
    The gentleman from Missouri, Mr. Luetkemeyer, who is the
Vice Chairman of this Committee, is recognized for 5 minutes.
    Mr. LUETKEMEYER. Thank you, Mr. Chairman.
    Mr. Oldham, quick question for you. We have seen that cyber
attacks come in all shapes and sizes and go after businesses of
all shapes and sizes, including government agencies, such as
the NSA and Office of Personnel Management. While no one thinks
that one size can fit all, should not every business and
government agency that handles highly sensitive data have some
reasonable, but also mandatory, policy and procedure in place
for securing data against loss and theft?
    Mr. OLDHAM. Absolutely there should be policies in place
that are standard and mandatory at any government agency that
handles sensitive data.
    Mr. LUETKEMEYER. It is interesting. Mr. Snow talked about
an insurance policy in place.
Can you elaborate just a bit, Mr.
Snow, with regards to availability and cost and coverages of
insurance policies that are out there for cyber attacks? Does
it count for your monetary loss or losses to your customers?
Does it also cover the liability exposure that you may have to
other customers that do business with you?
    Mr. SNOW. My understanding is it covers the notification
mandates that are required around the country. What would
happen, from my perspective, is that I would notify the
insurance company, and they would immediately come to my aid in
terms of notifying all the customers that their data may have
been breached, and also to provide that security to the
individual that had the breach in terms of credit reporting and
other things. That was my understanding. That was the least
expensive of the policies that are out there. There is a whole
gamut of different insurance policies that you can get, I am
sure covering all the way up to the large liabilities. We have
also, on top of that, an umbrella policy that we hope will
cover what we feel--in our case we have a $2 million liability
policy--we hope that we will not exceed that in any particular
breach, but it is an uncertain area.
    Mr. LUETKEMEYER. Mr. Oldham, you advise people on the risks
that they incur. I would assume you have a pretty good
knowledge or extensive knowledge of the availability of these
things and how far they go and the costs?
    Mr. OLDHAM. Insurance policies. I am not an insurance
lawyer, but certainly that comes up in cases. There is a wide
range. To the cost in general, it depends on the number of
pieces of data, such as affected individuals. If I am advising
a client who has to give notifications in 30 different States,
that is 30 different statutes that have to be reviewed to do
that.
    Mr. LUETKEMEYER. So it is basically a policy that is
tailored to the individual risk?
    Mr. OLDHAM.
Yes, again, I am not an insurance lawyer, but
when these insurance policies do come up and we have to look at
them, there is a great variation. I am not aware of a standard
insurance policy, and I think Mr. Snow, that is probably what
your experience was that you were talking about, the
marketplace is so new at this point.
    Mr. LUETKEMEYER. It seems to me that that is a burgeoning
area of need, obviously, and so we will see how it develops.
    Along that line, Mr. Dunn, you mentioned a while ago that
for small businesses that do business with the government, is
there a possibility of compromising government information with
those businesses and, therefore, they are exposed for a
liability situation? Is there something in the contract that
protects them, or do they need to be covering a risk there? How
does that work?
    Mr. DUNN. I do not know necessarily about a contractual
obligation. I think from the perspective of interconnecting
systems or share of data there is a liability in either
direction. If an attacker was to gain access to a small
business that services a government client, the assumption is
either the value of the data or some direct connectivity to the
government agency may exist.
    Mr. LUETKEMEYER. We have an exposure there you need to be
careful of, right? As a business, you are going to have to have
some sort of, I would think, an insurance policy or some bond
of some kind that would protect you in case something went
wrong.
    Mr. DUNN. I think the whole area of cybersecurity insurance
is quite new and fairly immature. I do not know an awful lot
about it, but I often wonder what do you have to do in order to
be insurable and how do you stay insurable. That may have some
kind of compliance or regulatory check.
    Mr. LUETKEMEYER.
I have always thought that the insurance
companies are going to drive this issue because at some point
they are the ones that are going to have to insure the issue,
and therefore, they are going to demand certain standards. When
those standards are out there, they are going to be the ones
driving how this is all done.
    Mr. Chairman, I yield back the balance of my time.
    Chairman CHABOT. Thank you. The gentleman yields back.
    The gentleman from New York, Mr. Hanna, who is the Chairman
of the Subcommittee on Contracting and Workforce is recognized
for 5 minutes.
    Mr. HANNA. Thank you. Thank you, Chairman. Thank you all
for being here.
    I want to talk about a bill--Mr. Payne actually mentioned
it inadvertently--I coauthored with Derek Kilmer from
Washington. It is the Improving Small Business Cybersecurity
Act of 2016. We have 900 small business development agencies
around the country. This bill, which would cost, we estimate
almost nothing, would authorize and change the Small Business
Act and direct these SBDCs to offer cyber support services to
small businesses, again, at no additional cost. We would simply
be leveraging the SBDCs' cyber support services, DHS, and
Department of Homeland Security, and the Small Business
Administration would simply be required to review current
Federal programs and develop, along with the SBDC, a
cybersecurity strategy to help in all communities throughout
the country. I want to ask you a question, Mr. Dunn, and anyone
who wants to weigh in, it sounds like this problem is, at the
very least, a moving target, and it is not just a moving
target; it is an intellectually moving target. It is a
one-upmanship. It is a constant game, cat-and-mouse type of thing.
    You mentioned in your statement, Mr. Dunn, and I apologize
for being late to this hearing, training needs to be offered
but it tends to be too general.
Is it a practical thing to talk
to a small business person who may have one or two people and
still have enormous impact potential against them? Is it
practical in today's world to ask a person to be up to speed in
the way they need to be, not just today but going forward? How
do you manage that, Mr. Oldham? Anybody interested in answering
that?
    Mr. DUNN. The concept is giving them specific advice on the
things that really matter to them. If the example is perhaps
they want to offset their email services to a cloud provider,
telling them specifically the settings that would be useful to
turn on and the benefits is better than just telling them about
general awareness concepts about the dangers of email, for
example.
    Striving for this education around data as being the factor
considered the most, you do not have to be up on all the
security concepts that currently are happening, but you do have
to understand what data you have, the value of it, and then
what you should do based on the different value of the
different data that you have.
    Mr. HANNA. In that sense, Mr. Oldham, anyone, so it is
practical to do certain minimal things that help people broadly
to limit the possibility of an attack? Mr. Oldham?
    Mr. OLDHAM. I think when you step back to the risk
management aspect and not just to the zeros and ones, it is
very important, as Mr. Dunn said, to focus on what the issue
is, and it is usually driven by the types of data. Certain data
is more sensitive than other data. Providing high-level
guidance that says cybersecurity is important, you should have
good cybersecurity, is not helpful to small businesses. It is
helpful to provide targeted advice that is practical and
granular to their specific situation.
    Mr. HANNA.
The Small Business Development Centers around
the country, the 900, would it be possible for them to
establish a basic format that would help the majority of small
businesses out there without making it too complicated,
difficult, and would it be helpful?
    Mr. OLDHAM. I think it would be helpful as long as they
have the right expertise going into that guidance. One of the
issues that happens in this space is guidance gets put out but
it does not evolve with the threat. That is one of the big
top-level messages, this threat evolves rapidly, and so do the
legal requirements.
    Mr. HANNA. If the Small Business Development Centers were
able to do this updating, they could be a source in that
community, rather than so many randomly small businesses trying
to do it on their own and maybe not being entirely effective in
that?
    Mr. OLDHAM. It sounds very promising. Yes.
    Mr. HANNA. Thank you. Chairman, I yield back.
    Chairman CHABOT. Thank you. The gentleman yields back.
    I want to thank our witnesses for being with us here today.
They have helped to clarify just how vulnerable many small
businesses and individuals are to cyber attacks. It is a
growing and evolving problem, and you have helped shed some
light on what should be done to combat it. For that we thank
you very much.
    I ask unanimous consent that members have 5 legislative
days to submit statements and supporting materials for the
record. Without objection, so ordered. If there is no further
business to come before the Committee, we are adjourned.
Thank
you very much.
    [Whereupon, at 12:15 p.m., the Committee was adjourned.]


                            A P P E N D I X


                              Statement of

                           Nicholas A. Oldham

                                Counsel

                          King & Spalding LLP

                               before the

                     U.S. House of Representatives

                        Small Business Committee


                             April 20, 2016

    Chairman Chabot, Ranking Member Velazquez, and members of
the Committee, thank you for the opportunity to appear before
you today.\1\

    I have been involved in cyber issues for many years--as a
former federal prosecutor at the U.S. Department of Justice and
now as an attorney with King & Spalding. In my practice, I
counsel clients, both large and small, on the legal aspects of
cybersecurity risk management.
---------------------------------------------------------------------------
    \1\ The views and opinions expressed in this statement are mine and
do not necessarily reflect the views or opinions of King & Spalding or
any of its clients.
---------------------------------------------------------------------------

    Today, I focus my testimony on the cybersecurity landscape
for small businesses, and on three areas of particular
concern--the cybersecurity education gap, the need for
cybersecurity initiatives to be calibrated for small
businesses, and the need to clarify and simplify the current
regulatory environment.

    Background

    We are living in exciting times.
Digital assets and
connected systems have generated new products and services,
redefining how business is conducted and services delivered.
But the truth is that we are only at the beginning of the
beginning when it comes to understanding the implications of
our reliance on this interconnectivity and the dangers that
cyber threats present.

    Our interconnectivity is growing at an astonishing rate,
with some estimates that there will be as many as 50 billion
devices connected to the Internet by 2020. As a result, we are
marching toward an infinitely connected world: always online,
our information moving from network to network and device to
device.

    Partly as a result of this interconnectivity, businesses
are gathering and utilizing an ever-growing amount of
information to improve their business practices and better
serve their customers. Today, every online communication,
transaction, and anything else you can think of can be captured
and stored, and then transmitted electronically anywhere and at
any time. This interconnectivity, especially including the
Internet of Things, holds tremendous promise for consumers and
companies.

    It also creates new challenges in terms of cybersecurity
because anything connected to the Internet can be hacked. Cyber
threats vary from the technologically sophisticated to the
surprisingly low tech methods such as ``social engineering''
and spear phishing. A recent RAND Corporation study found that
over a quarter of American consumers received a notice that
their data was stolen within the past year alone. Forbes
recently reported that cyber-attacks cost businesses an
estimated $400-500 billion per year, and because many
cyber-attacks are not reported, it is believed that the real number
is significantly higher.
These reports underscore the
significant costs of preparing for, responding to, and
recovering from cyber incidents.

    Where do small businesses fit in this landscape? The
interconnected world enables small businesses to develop new
products and services and compete across the globe. However,
growing cyber threats present greater challenges to the same
small businesses, which can lack the tools needed to
effectively cope with the growing danger.

    Small businesses are appealing targets. Small businesses
often have more digital assets than individual consumers, but
their resources may not allow for the same level of focus on
cybersecurity as large companies.

    Businesses of all sizes need adequate cybersecurity
education, but it can be difficult for small businesses to find
the right information and training.

    Small businesses also often feel the impact of cyber
threats differently than large companies. Establishing
effective cybersecurity and incident response mechanisms is
complicated and can be expensive. When any business implements
mitigation measures or responds to a cyber incident, it can
lose significant time and money. The costs can sink a small
business. Small businesses get burned at both ends--they are
less likely to have the resources to prevent breaches and they
also may have fewer resources to respond to those breaches.

    From Cyber Threat Awareness to Cyber Risk Management

    In June 2011, various Committees in both the House and
Senate held hearings regarding data breaches at Sony and
Epsilon Data Management. In March 2012, then-FBI Director
Mueller gave a now famous speech at the RSA Conference in San
Francisco. His oft repeated quote is that ``there are only two
types of companies: those that have been hacked and those that
will be.'' These events were key, early moments that helped
raise awareness of cyber threats.
We have much farther to go in
terms of awareness and, perhaps more importantly, companies
need to move from awareness to expertise in managing the new
normal of cyber threats.

    As a lawyer, I do not manage corporate networks or conduct
vulnerability testing. Rather, I believe that cybersecurity is
as much a people and process issue as it is a technical issue.
I focus on the people and process side of the equation,
addressing the legal and business cybersecurity risks faced by
companies including cybersecurity risk governance, compliance,
and incident response processes. I also help companies comply
with breach notification obligations, interact with various
regulators, and manage their responses to regulatory actions or
litigation. The legal and business costs, including compliance
costs, drain on employee time and morale, and reputational
damage, can be significant.

    The Cybersecurity Education Gap

    Before spending precious resources on increasing
cybersecurity measures, it is natural for small businesses to
carefully weigh the cost of putting new measures into place
versus the cost to the company of the inevitable cyber incident
if it does not take action. Because of the enormous potential
costs of a cyber incident, which is difficult to quantify,
companies may find that it is far more expensive to not
implement basic security measures. The problem here is that
there is a cybersecurity education gap: small businesses may
not be able to get the information they need to properly assess
and mitigate these costs.

    Bridging this education gap can be difficult for small
businesses, especially those that lack the resources to hire
specialized employees or cybersecurity experts.
Basic resources
are available online, but even where they provide crucial
information, they can be difficult to find, are rarely updated,
or are inadequate.

    On the legal compliance front, the Federal Trade Commission
recently released a new web-based tool for developers who make
health-related apps. The tool asks developers a series of 10
high-level, yes or no questions related to their apps covering
topics such as the apps' functions, data they collect, and the
services they provide. Then, based on the answers to the
high-level questions, the tool identifies four potentially
applicable federal laws. While useful as a starting point for
introducing and orienting developers and other healthcare
industry players to the legal thicket affecting health apps,
the tool provides high-level guidance on the basics of only a
few relevant laws.

    The FTC's tool is one example of an approach geared toward
educating the public on legal compliance. The tool is somewhat
promising, but does not cover all relevant laws and does little
more than point the developers to summaries of the relevant
language. This approach, however, could go a long way toward
helping small businesses stay informed on cybersecurity legal
best practices, provided such tools are expanded to cover a
broader set of laws and give more specific, timely information.

    In many ways, cyber threats have analogs to traditional
crime. Ransomware is cyber extortion, spear phishing is nothing
more than a con artist taking advantage of the ubiquity of
e-mail. Hackers, moreover, are like burglars. They use their
``gloves,'' ``dark clothes,'' and ``tools'' to get inside a
network, stealing digital loot along the way. In the
traditional crime scenarios, small businesses would likely call
the local police department for best practices in preventing
these crimes or responding to them.
In the digital crime
scenarios, there is no one logical place to call. The
government may have a role in bridging the cybersecurity
education gap by encouraging the development of cybersecurity
education resources and connecting them to those who need them
in the private sector.

    Existing Programs Are Not Geared Toward Small Businesses

    Many of the cybersecurity initiatives receiving the most
attention are not necessarily tailored to take into account the
realities of small business owners. Standards seem to be
coalescing around the NIST Cybersecurity Framework in some
areas, for example, which is a promising development. This has
the potential for simplifying the landscape for small and large
businesses alike.

    The current iteration of the NIST Framework, however, is
not particularly geared toward the needs of small businesses.
The Framework itself can be difficult and expensive to
understand and implement regardless of business size, and until
it is better tailored to small businesses, for some of them it
may just be one more program that they cannot afford to keep up
with. Perhaps more importantly, a small business might become
subject to a cybersecurity framework by virtue of its
contractual relationship with a partner that passes its
cybersecurity obligations through its supply chain. In this
case, the small business might agree to obligations under the
cybersecurity framework without the same level of vetting it
might undertake if it were adopting the framework from scratch,
and thereby inadvertently expose itself to significant
liabilities and expose itself and its partners to significant
cyber risks.

    While good cyber hygiene is important, to improve the NIST
Framework, and similar programs and policies, the government
should make a serious effort to increase the involvement of
small business owners in all phases of the legislative and
rule-making process.
Until small business concerns are fully
baked into these standards, they could face serious challenges
of adoption.

    The Current Regulatory Regime Is Difficult to Navigate

    The current regulatory regime for cybersecurity presents
additional difficulties for small businesses, who will
inevitably struggle to determine both (1) what cybersecurity
measures they are required to enact, and (2) when a breach or
attack does occur, what procedure the law requires them to
follow.

    There are currently 51 different state or territory laws
that pertain to the notifications a company that has been the
victim of a data breach provides to its customers. They are
inconsistent with each other in a variety of ways.
Additionally, several states have enacted laws requiring
companies to put ``reasonable security measures'' in place.
What ``reasonable'' means in this context is evolving and can
differ by jurisdiction and industry. I have seen a growing
number of federal regulatory agencies stepping into the same
space.

    The cost of ensuring compliance with laws for any company
is enormous even before taking into account the cost of
litigation and reputation damage if a breach does occur. Small
businesses in particular are vulnerable to these costs because
they can consume a much larger proportion of their available
funds. Small businesses would benefit from a public sector
approach that lowers the cost of compliance and the cost of
implementing best practices.

    In short, there is a need to clarify and simplify what
companies must do. Because of the complicated and evolving
landscape, the on-the-ground expertise of the private sector
must necessarily play an important role in these efforts.

    Thank you for the opportunity to testify before you today.
I look forward to your questions.


                NATIONAL CONFERENCE OF CPA PRACTITIONERS


    22 Jericho Turnpike, Suite 110          T: 516-333-8282

    Mineola, NY 11501                    F: 516-333-4099

    Chairman Chabot, Ranking Member Velazquez and members of
the Committee, thank you for inviting me to testify today. My
name is Stephen Mankowski. I am a Certified Public Accountant,
Executive Vice President of the National Conference of CPA
Practitioners, (NCCPAP - the country's second largest CPA
organization) and a member of the American Institute of CPAs
(AICPA). NCCPAP is a professional organization that advocates
on issues that affect Certified Public Accountants in public
practice and their small business and individual clients
located throughout the United States. NCCPAP members serve more
than one million business and individual clients and are in
continual communication with regulatory bodies to keep them
apprised of the needs of the local CPA practitioner and its
clients. Accompanying me is Mr. Sanford Zinman, National Tax
Policy Chair of NCCPAP.

    My firm, E.P. Caine & Associates CPA, LLC, has been
preparing tax returns for over 30 years. My firm annually
prepares well over 2,000 small business and individual tax
returns as well as sales tax returns, payroll tax returns,
highway use tax returns and Forms W2 and Forms 1099
informational returns. We are in the trenches with clients
discussing their tax, financial and personal issues, and the
impact events and proposed tax law changes may have on them.
Although our clients are mostly in the Pennsylvania, New York,
New Jersey and Delaware areas, we serve clients in over 30
states and also provide services to clients in Canada and
Europe.
In this respect our practice is the same as many
members of NCCPAP and other smaller CPA firms throughout the
United States.

    NCCPAP has been at the forefront of identity theft issues
through our advocacy and testimony at prior hearings dealing
with ID theft in June 2012. The initial hearings focused on the
refund scams that were prevalent at the time, such as Mo Money.
NCCPAP has remained vigilant on the topic and has been
discussing these issues annually when our members meet with
Congress and their staff and with IRS representatives. Our
members have helped guide numerous taxpayers who have been
victims of ID theft to navigate through the IRS to minimize the
risk of further consequences.

    ID theft has been growing exponentially for years. It seems
that no matter what controls are put in place, criminals have
better and more focused resources to circumvent these
safeguards. All businesses are at risk, from the largest to the
smallest. Weekly, we are hearing about the latest business to
be a victim of some level of cybercrime or ID theft. Mr.
Richard Snow, who is also on the panel of witnesses today, has
been a victim.

    All businesses are at risk, but CPA firms and tax
practitioners are at a greater risk. The IRS reminds tax
preparers that they must be vigilant with their system
integrity. The criminals are aware that the ``prize'' for
breaching tax practitioner systems could yield them not only
names and social security numbers, but also several years of
earnings as well as bank information and dates of birth. Thus,
the IRS recommends that tax preparers create a security plan.
IRS Publication 4557, Safeguarding Taxpayer Data, provides
suggestions and a checklist. My firm has reviewed the
Publication, continually trains our staff and, along with our
IT consultants, monitors our information and controls to ensure
that our offices not only meet but exceed these suggestions.
\nOur network logs usage from all users and is monitored to \nensure no unauthorized access. This includes staff with remote \naccess to our server. We also require a user ID and password \nto gain access to all of our software packages. Not all firms \nhave been as fortunate regarding cyber security. Two Midwestern \nfirms were compromised this tax season and had fraudulent \nreturns filed through their electronic filing identification \nnumber (EFIN).\n\n    I was able to speak with a partner at one of the affected \nfirms. They were under the impression that their systems were \nsecure. However, the breach occurred after installing a new \ncopier system that had not been properly secured within their \nnetwork. Once they determined that they did in fact have a \nbreach, they attempted to contact the IRS. Unfortunately, there \nis no easy means to identify the proper area within the IRS to \ncontact. Ultimately, it took nearly one month for a response \nfrom the IRS.\n\n    Ensuring the security of client data has been and remains \nthe goal of my firm and we take that task very seriously. \nAlthough our software has the ability to auto-generate the PINs \nfor electronic filing (EF PIN), we became aware that the EF PIN \nwas using a portion of the taxpayer SSN. We have opted to not \nuse this part of our software and have chosen to manually enter \nthe EF PIN. Some tax software packages use a random five-digit \nnumber and we have suggested our software provider offer the \nsame option. Taxpayers are also able to obtain their own \nspecific EF PIN through the IRS website through the entry of \nselect information. Currently, this system is too new to \nascertain the true effectiveness of the program; however, \nconcerns exist as to whether the return would reject if this \nnumber was not used or what would happen if the taxpayer lost \nthis number. 
It is not clear if there is a mechanism to \nretrieve the number from the IRS.\n\n    Practitioners are also reminded to protect their EFIN. The \nIRS suggests practitioners log into e-services on a regular \nbasis and verify the number of returns processed for their \nEFIN. While the number probably will not be exact due to the \ntiming of return processing and updating of this service, \nsignificant differences could be a cause for alarm. \nPractitioners should contact the IRS e-Help Desk immediately if \nthe difference is excessive. At the beginning of this filing \nseason, the tax software community requested that tax \npractitioners update their EFIN authorization letter before \nthey start using their EFIN. This is just another step in \npreventing potential unauthorized access to a practitioner \nEFIN. While in many cases the timing of this request might not \nhave occurred at the most opportune time, such as when the \nfirst returns were to be filed, it sent a signal to the \npractitioner community that the software vendors understood the \nissues and were working in conjunction with practitioners to \naddress ID theft.\n\n    While firms that electronically submit tax returns are \nrequired to obtain an EFIN from the IRS, paid preparers \ninitially included their social security number on tax returns \nand in 1999 were first offered the ability to use a Preparer \nTax Identification Number (PTIN). The requirement to include \nthe preparer's firm information, which includes their employer \nidentification number, began in 1978. Given the risks of firm \nID theft, why has the IRS not adopted a firm PTIN?\n\n    There are two primary reasons that criminals attempt to \nbreach systems--the challenge and/or for the information \ncontained in the systems, both reasons for IRS action. The IRS \nhas been transitioning to modern technology within its network \nprotocols to enhance safeguards. 
During this transition, the \nIRS has encountered many of the same compatibility concerns \nthat affect most businesses. As a CPA, I became aware of this \nwhen the IRS announced the planned retirement of the Disclosure \nAuthorization (DA) and Electronic Account Resolution (EAR) \noptions on IRS e-services in August 2013. When the tax \npractitioner community complained that the elimination of these \noptions would have a significant impact on their practices, we \nwere told that the platform on which these services were \ndesigned was not compatible with the new system architecture \nand the initial costs to rewrite the programming were excessive. \nThe IRS has looked at a relaunch of these services in the \nfuture, but the added authentications might make the systems \noverly burdensome.\n\n    In March 2015, one tax software vendor had its electronic \nprocessing systems compromised to the extent that the state of \nMinnesota and subsequently all states temporarily ceased \naccepting electronically filed returns from that vendor. One \npositive result of this situation was the formation of the IRS \nCommissioner's Security Summit, which initially included \nrepresentatives from state governments, banking and the \nsoftware community. This group approach was a positive signal \nfrom the IRS that the issues of identity theft and data \nsecurity required a multi-faceted approach to work at stemming \nthe increases in data security and ID theft. Their initial \nfocus was addressing and stopping suspected fraudulent returns \nthrough the implementation of protocols to address issues with \ntax returns before processing and during the initial \nprocessing. According to a recent General Accounting Office \n(GAO) report, it is estimated that during the 2014 filing \nseason the IRS paid approximately $3.1 billion in fraudulent \nrefunds while preventing $22.5 billion. 
This was before the \ncreation of the Security Summit.\n\n    In its initial year, the Summit estimates that it has \nprevented in excess of three million fraudulent returns from \nbeing processed and refunds issued during the 2015 filing \nseason, but many fraudulent returns are still getting through. \nThe Summit has not been expanded to include tax practitioners. \nThe next level of focus needs to be on securing the refund \nprocess. According to Senator Wyden, the IT budget within the \nIRS is now operating at a level lower than it was six years ago \ndue to budget cuts. The criminals, however, have ample cash and \nsophisticated systems. They continually attempt to reverse \nengineer the security measures implemented by the IRS. One \nrecent instance occurred when the IRS announced that only three \nIRS refunds would be able to be direct deposited into a bank \naccount in any calendar year. It was determined that adding \nzeros before the account number would trick the IRS systems to \nthink it was a different account number and allow the refunds \nto be deposited. It satisfied the IRS systems while being \ndisregarded by the financial institutions. This was a case from which \nI believe the IRS learned a valuable lesson--while you can \npublicly address the solutions being implemented, you should \nnot provide the specifics. The limitation of refunds was \ndesigned as a deterrent, but ultimately only served as a means \nof preventing tax preparers from illegally collecting the fees \nfrom a taxpayer refund.\n\n    The timing of the receipt of data by the IRS often comes \ninto question. Often fraudulent returns are submitted with \nrefunds transmitted long before the data needed to verify the \nincome and the tax withholding is received by the IRS. \nBusinesses filing Forms W-2 on paper are required to submit the \ndata by the end of February, while electronic filers had an \nadditional 30 days. In addition, an automatic 30-day extension \nhad been available. 
Because of the delay in submission of these \ninformation returns, the criminals have begun filing fraudulent \nW-2s. In an effort to counter this practice, Congress has \nremoved the automatic extension for filing paper or electronic \ninformation returns. However, a time discrepancy still \nremained. The Protecting Americans from Tax Hikes Act of 2015 \n(PATH) clarified and simplified these dates. For tax years \nbeginning in 2016, Forms W-2 will be required to be submitted \nto Social Security and Forms 1099-MISC will be required to be \nsubmitted to the IRS with the same due date as to the \nrecipient. This accelerated timeframe should pose a significant \nhindrance for those who submit fraudulent returns. However, \nthere is still the issue that the IRS will start processing tax \nreturns during the month of January, usually on or about \nJanuary 20, leaving a window for fraudulent tax returns to be \nsubmitted and processed before the IRS has the opportunity to \nmatch data.\n\n    The IRS has estimated that it averages approximately one \nmillion breach attempts daily. However large that number might \nbe, as a taxpayer I would expect that every attempt would be \ndefeated. Unfortunately, over the past year, the IRS has had \nactual system breaches. First, the IRS online transcript \nprogram, ``Get Transcript'', was compromised in May 2015 and \nthe number of accounts that the IRS admitted were affected has \ndoubled several times. In February 2016 the IRS announced the \naffected accounts exceeded 700,000. The second breach that \noccurred recently related to the Identity Protection PIN (IP \nPIN) retrieval tool that is contained on the IRS website and is \nmore troubling than the prior breach. The taxpayers who have IP \nPINs have already been victims of tax refund fraud and obtained \nthe six-digit IP PIN to prevent further unauthorized access or \nfilings. 
This tool had been using the same interface as Get \nTranscript but had remained available to the public and, \nunfortunately, those less scrupulous. Finally, the IRS took \nthis page offline in February 2016, nearly nine months after \nthe initial Get Transcript breach.\n\n    The March 2016 GAO report identified that the IRS has \nimproved access controls, but noted that weaknesses still \nremain. One of the primary concerns addressed by the GAO \nsurrounds the authentication of the user ID. The IRS has \nemployed a multifactor approach using two or more factors to \nachieve authentication. This provides the basis for \nestablishing accountability and for controlling access to the \nsystem. Their systems require that Homeland Security \nPresidential Directive 12-Compliant Authentication be \nimplemented for IRS local and network access accounts. This \ninvolves password-based authentication with passwords that are \nnot found in dictionaries and expire at a maximum of 90 days. \nThis same protocol should be implemented for all user accounts, \nincluding e-services.\n\n    The direct deposit of refunds is a fast, inexpensive and \nrelatively secure means of issuing refunds. The IRS utilizes \nbanking's ACH system, whereby a refund goes to a selected \nfinancial institution based upon their respective routing or \nABA number. If an account number exists within the institution, \nthe refund goes into the account. The IRS is mandated to \nprocess refunds within 21 days, unless additional processing \ntime is required. Prior to the current Modernized e-File (MeF) \nsystem, the IRS had been operating on an ``accept by Thursday, \nrefund following Friday'' schedule. Often under the MeF system, \nrefunds have been processed even quicker. 
Taxpayers have grown \naccustomed to getting the quick refund and now wonder if there \nis a problem when it is taking longer than a week for their \nrefund to appear in their account.\n\n    Social Security Administration uses a banking ``pre-note'' \nto verify the accuracy of the recipient's banking information \nprior to the initial payment. The financial institution has \nfive days to verify the information and notify SSA if there are \nerrors or discrepancies. Failure to notify SSA could result in \nthe institution being held liable for the funds if the funds \nare misdirected. Unfortunately, the IRS refund system does not \ninclude pre-note account verification. Funds are simply \ntransmitted through the ACH network to the respective \ninstitution. Once deposited, there is no control on the usage \nof funds and often where there is fraud those deposits are \nmoved immediately upon receipt. The implementation of a pre-\nnote system could result in a significant reduction of the \nannual $3.1 billion misappropriation of government funds.\n\n    As discussed, Congress has mandated 21 days for refunds to \nbe processed. While it is easy to understand that taxpayers \nwant their refunds processed as quickly as possible, one must \nask a simple question. Is paying a tax refund in seven to ten \ndays a prudent use of taxpayer dollars? A recent survey by \nPrinceton Research Associates noted that 22% of taxpayers \nsurveyed would wait up to six to eight weeks for their refunds \nif they knew it would combat identity theft. NCCPAP members \nfeel that simply using the pre-note technology that already \nexists and is used throughout the financial industry would \nallow taxpayers to receive their refunds promptly while \nreducing fraud.\n\n    Unfortunately, despite all of the efforts of the IRS and \nCongress to curb ID theft, often the cause is unscrupulous \npreparers that are often unregulated by any authority. 
NCCPAP \nurges Congress to pass legislation to provide the IRS the \nnecessary authority to regulate all tax preparers and require \npaid preparers to meet minimum standards. Currently, only CPAs, \nEAs and attorneys are subject to the requirements of IRS \nCircular 230.\n\n    In conclusion, ID theft is an issue that initially gained \ntraction with Congress in 2012. Much has occurred since the \ninitial hearings and, unfortunately, the criminals have taken \nmore steps to obtain information than the IRS has been able to \nblock. The IRS is not alone in this battle. It seems that not a \nweek goes by where there is not news of a major corporation \nannouncing that their systems had been hacked. Taxpayers have \nbecome victims of ID theft through these breaches and do not \nnecessarily understand the importance of contacting the IRS. \nWhile knowing that the IRS successfully thwarts approximately \none million breach attempts each day is comforting, we should \nkeep in mind that even one successful breach could be \ncatastrophic to not only the IRS but to the taxpayer. Often, \ntaxpayers do not realize they have been a victim of ID theft \nuntil their electronically filed tax return gets rejected. Once \na taxpayer has been victimized, they expect to obtain an IP PIN \nfrom the IRS and starting in January 2017 they will. In \nFlorida, Georgia and Washington, DC where ID theft has been \nrampant, the IRS implemented a voluntary IP PIN program. \nUnfortunately, this program failed to achieve the number of \nparticipants to make the program successful.\n\n    Taxpayers are urged to protect their personal data, but \nwith widespread Internet usage, online shopping and criminals \nwaiting to pounce on unsuspecting victims, ID theft continues \nto grow. 
Individuals and businesses remain targets of \ncyberattacks and must remain cautious when opening emails and \nattachments, visiting web pages and simply paying for the \nfamily groceries.\n\n    There are several electronic filing options available to \ntaxpayers. Many taxpayers use Free File, thirteen IRS-approved \nfree e-filing tax service sites. In a recent audit performed by \nthe Online Trust Alliance (OTA), six of the thirteen websites \nfailed due to poor site security and not taking steps to help \nprotect consumers from fraudulent and malicious email.\n\n    IRS Commissioner Koskinen had the foresight to convene the \ninitial Security Summit in 2015, which has proven to be \nsuccessful. Unfortunately, the criminals always seem to be \npushing the envelope further and further. Their approach is \nmore focused and better funded. The Security Summit has now \nexpanded its focus to include additional user groups, including \ntax practitioners, to further address cyber security and \ndevelop a multi-tiered approach to combat it. The only way to \ntruly combat ID theft is to incorporate input from various \nsectors of the marketplace. This is a problem impacting \nbusinesses and taxpayers worldwide and will require global \nefforts to minimize and hopefully resolve. NCCPAP calls on \nCongress to provide the necessary funding to continually \nmonitor, modernize and upgrade IRS systems to minimize and \neliminate data security breaches. The first step would be \nCongress reauthorizing Streamlined Critical Pay Authority to \nallow the IRS to secure top IT talent without a three to six month \nwaiting period.\n\n    Thank you for the opportunity to present this testimony and \nI welcome your questions.\n\n    Respectfully submitted,\n\n    Stephen F. Mankowski, CPA\n\n    Executive Vice President, NCCPAP\n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    \n    \n                                 [all]\n</pre></body></html>\n"