[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


           FOREIGN CYBER THREATS: SMALL BUSINESS, BIG TARGET

=======================================================================

                                 HEARING

                               BEFORE THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD
                              JULY 6, 2016

                               __________

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] 
                               

            Small Business Committee Document Number 114-067
              Available via the GPO Website: www.fdsys.gov
              
              
                              ____________
                              
                      
                      
                    U.S. GOVERNMENT PUBLISHING OFFICE
20-701                      WASHINGTON : 2017                    
_________________________________________________________________________________________                                   
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected].  
                   
                   
                   
                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                        RICHARD HANNA, New York
                         TIM HUELSKAMP, Kansas
                         CHRIS GIBSON, New York
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        CARLOS CURBELO, Florida
                         CRESENT HARDY, Nevada
                         WARREN DAVIDSON, Ohio
               NYDIA VELAZQUEZ, New York, Ranking Member
                         YVETTE CLARK, New York
                          JUDY CHU, California
                        JANICE HAHN, California
                     DONALD PAYNE, JR., New Jersey
                          GRACE MENG, New York
                       BRENDA LAWRENCE, Michigan
                       ALMA ADAMS, North Carolina
                      SETH MOULTON, Massachusetts
                           MARK TAKAI, Hawaii

                   Kevin Fitzpatrick, Staff Director
                       Jan Oliver, Chief Counsel
                  Michael Day, Minority Staff Director
                            
                            
                            C O N T E N T S

                           OPENING STATEMENTS

                                                                   Page
Hon. Steve Chabot................................................     1
Hon. Nydia Velazquez.............................................     2

                               WITNESSES

Mr. Jamil N. Jaffer, Director, Homeland and National Law Program, 
  George Mason School of Law, Arlington, VA......................     5
Mr. Justin Zeefe, Co-founder & Chief Strategy Officer, Nisos 
  Group, Alexandria, VA..........................................     7
Mr. Nova J. Daly, Senior Public Policy Advisor, Wiley Rein LLP, 
  Washington, DC.................................................     9
Ms. Angela Dingle, Founder, President and CEO, Ex Nihilo, 
  Washington, DC.................................................    11

                                APPENDIX

Prepared Statements:
    Mr. Jamil N. Jaffer, Director, Homeland and National Law 
      Program, George Mason School of Law, Arlington, VA.........    31
    Mr. Justin Zeefe, Co-founder & Chief Strategy Officer, Nisos 
      Group, Alexandria, VA......................................    43
    Mr. Nova J. Daly, Senior Public Policy Advisor, Wiley Rein 
      LLP, Washington, DC........................................    47
    Ms. Angela Dingle, Founder, President and CEO, Ex Nihilo, 
      Washington, DC.............................................    51
Questions and Answers for the Record:
    Questions from Hon. Grace Meng and Answers from Mr. Nova J. 
      Daly.......................................................    57
Additional Material for the Record:
    Statement from Hon. Robert Pittenger.........................    62

 
           FOREIGN CYBER THREATS: SMALL BUSINESS, BIG TARGET

                              ----------                              


                        WEDNESDAY, JULY 6, 2016

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 2:03 p.m., in Room 
2360, Rayburn House Office Building, Hon. Steve Chabot 
[Chairman of the Committee] presiding.
    Present: Representatives Chabot, Luetkemeyer, Hanna, 
Gibson, Brat, Radewagen, Curbelo, Hardy, Kelly, Davidson, 
Velazquez, Clarke, Hahn, Payne, Meng, Lawrence, and Adams.
    Also Present: Representative Pittenger.
    Chairman CHABOT. The Committee will come to order. Good 
afternoon, I want to thank everyone for being here. A special 
thank you to all our witnesses who came here to share their 
experience and their expertise with us here this afternoon. We 
very much appreciate it.
    Small business cybersecurity has been a top priority for 
our Committee throughout this Congress. In our previous 
hearings, we have heard stories from small business owners who 
have been the victims of cyber attacks. We have also heard dire 
warnings from cybersecurity experts about the new and varied 
cyber threats facing America's 28 million small businesses all 
across the country.
    There is no doubt that the information technology, or IT, 
revolution has provided small businesses with new tools and 
opportunities to compete in the global economy. However, we 
must be mindful that as small businesses use this technology, 
the risk of a foreign cyber attack has increased dramatically.
    According to a recent report by Verizon Enterprise, over 70 
percent of cyber attacks occurred in businesses with fewer than 
100 employees, so small businesses. As we have heard many 
times, even one cyber attack can be devastating for small 
businesses, making prevention and protection absolutely 
critical. A 2014 survey from the National Small Business 
Association estimated the average cost of a cyber attack on a 
small business to be over $32,000, which is a huge hit for a 
small business.
    Our Committee's efforts to spotlight these serious and 
growing threats have made it abundantly clear that the Federal 
Government needs to step up its game when it comes to 
protecting the cybersecurity of small businesses and 
individuals.
    Today's hearing will examine the increased threats posed by 
foreign actors to American small businesses in cyberspace. This 
is an important dimension of the cybersecurity threat that 
impacts both our national security and our economic security, 
and I believe it demands much more attention than it has 
received thus far.
    The FBI has already determined that foreign state actors 
pose a serious cyber threat to the telecommunications supply 
chain. It is also clear that many foreign nations are 
responsible for direct cyber attacks on the United States in an 
effort to steal intellectual property and sensitive personal 
information.
    The Office of the National Counterintelligence Executive 
released a report in 2011 stating that tens of billions of 
dollars in trade secrets, intellectual property, and technology 
are being stolen each year from computer systems in the Federal 
Government, from corporations, and from academic institutions. 
China and Russia were cited as the two largest participants in 
cyber espionage.
    In a report by our colleagues on the House Permanent Select 
Committee on Intelligence, U.S. businesses and cybersecurity 
experts have reported persistent attacks that could be traced 
back to China and were thought to be supported by the Chinese 
Government. Studies from the Department of Defense have warned 
of the difficulties associated with defending against threats 
posed by foreign nations, stating, quote, ``means and 
opportunity are present throughout the supply chain and 
lifecycle of software development,'' unquote.
    This is particularly troublesome for small businesses that 
not only rely on products from but also engage in commerce with 
globalized telecommunications firms from countries like China. 
Small businesses play an indispensable role in providing the 
Federal Government with products and services. They are 
integral links in the government's supply chain, but are often 
ill-equipped to combat against sophisticated foreign cyber 
attacks. This makes them a prime target for state sponsors of 
cyber terrorism who wish to undermine America's commerce and 
security.
    I think we all look forward to hearing from our witnesses' 
assessment of this threat, as well as their suggestions for how 
we may better guard against this cybersecurity that we are 
discussing here today.
    I ask for unanimous consent that our colleague from North 
Carolina, Mr. Robert Pittenger, be permitted to sit on the dais 
today and also ask questions in the order that we would 
normally follow. He will be at the end of the list of members 
that were here when we started, of course.
    Without objection, so ordered.
    I would now like to yield to the Ranking Member, Ms. 
Velazquez, for her opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Over the past 15 years, the Internet and associated 
technologies have changed the way business is conducted. The 
Internet allows businesses of all sizes and from any location 
to reach new and larger markets, and provides opportunities to 
work more efficiently by using computer-based tools. It affords 
America's 23 million small businesses a unique opportunity to 
sell their products not only across the country but around the 
world. And while the Internet has fostered a tremendous degree 
of economic growth, it has also introduced profound security 
risks. Reports of massive data breaches have become 
commonplace, and the average cost of such breaches are 
devastatingly high.
    Whether a business is thinking of adopting cloud computing 
or just using email and maintaining a Web site, cybersecurity 
should be a part of their plan. Theft of digital information 
has become the most commonly reported fraud, surpassing 
physical theft, and small businesses are the primary target. 
Just last year, 60 percent of all targeted attacks struck small 
and medium sized entities.
    Among the worst threats to American businesses, 
particularly small firms, is cyber warfare performed by foreign 
entities. Not only are these cyber infiltrators accessing 
intellectual property and trade secrets, they are using the 
company's PCs to disguise attacks against other companies and 
the Federal Government. In fact, the Office of the National 
Counterintelligence Executive reported that tens of billions of 
dollars in trade secrets, IP, and technology are being stolen 
each year.
    These actions have costly implications for small businesses 
and their ability to operate. According to research, 74 percent 
of small- and medium-sized businesses reported being affected 
by cyber attacks in 2011, with an average cost of $188,000 per 
incident and totaling over $2 million.
    Combating these attacks have led to the U.S. Government 
issuing bans on certain foreign products and services, and also 
requiring small business contractors to meet demanding IT 
specifications. While these efforts are necessary, they prove 
confusing and costly to small businesses who are attempting to 
protect themselves and their customers from data breaches, stay 
globally competitive, and win Federal contracts.
    Clearly, cybersecurity should be a priority to protect our 
national security and the economy. Failure to do so leaves all 
of us at risk. As we move forward, comprehensive reform must 
balance a number of priorities, including being able to adapt 
to evolving technologies, preventing undue costs and 
regulations of small businesses, and protecting our sensitive 
information.
    During today's hearing, we will explore the critical issues 
facing small businesses that operate online and the resources 
they need to leverage innovative technologies. I look forward 
to hearing your recommendations to better educate and inform 
the small business community on cyber issues and how the 
Federal Government can facilitate a more robust and efficient 
cybersecurity environment.
    I also would like to thank all the witnesses for being here 
and providing your expertise and have a broad discussion on 
this issue. Thank you, and I yield back.
    Chairman CHABOT. Thank you. The gentlelady yields back.
    If Committee members have opening statements prepared, I 
would ask that they submit them for the record.
    I would now like to take a moment to explain our timing 
lights here and how we operate. We are under the 5-minute rule. 
It is pretty simple. You all will get 5 minutes and then we 
will ask questions, and we will limit ourselves to 5 minutes as 
well.
    The lighting system is to assist you. The green light will 
be on for about 4 minutes, then the yellow light will come on 
to let you know you got about a minute to wrap up, and then the 
red light will come on and we would ask you to stop, not 
necessarily exactly at that point, but, within reason. Try to 
stay within those times, if at all possible.
    I now would like to introduce our very distinguished panel 
here this afternoon.
    Our first witness will be Jamil Jaffer, Director of 
Homeland and National Law Program at George Mason School of Law 
in Arlington, Virginia. He also serves as the Vice President 
for Strategy and Business Development in IronNet Cybersecurity. 
Prior to IronNet, Mr. Jaffer served as Chief Counsel for the 
Senate Committee on Foreign Relations. He attended the 
University of Chicago Law School, the Naval War College for a 
master's degree, and received his bachelor's degree from UCLA. 
We welcome you here this afternoon.
    Our next witness will be Justin Zeefe, who is Cofounder and 
Chief Strategy Officer of Nisos Group in Alexandria, Virginia. 
The Nisos Group is a collection of former military and 
intelligence agency officials who specialize in cyber warfare, 
counterterrorism, and geopolitical operatives. Before the Nisos 
Group, Mr. Zeefe worked for the Department of Defense. He went 
to law school at the Boston University School of Law and earned 
his bachelor's from the Ohio State University. We welcome you 
here this afternoon, Mr. Zeefe.
    Our third witness is Nova Daly, senior public policy 
adviser at Wiley Rein LLP in Washington, D.C. Mr. Daly 
specializes in international trade, cybersecurity, data and 
network security issues. Prior to joining Wiley Rein, Mr. Daly 
held senior positions at the Departments of the Treasury and 
Commerce, the White House, and the U.S. Senate. Mr. Daly 
received his master's in international law and organizations 
from American University and his bachelor's from the University 
of California Irvine. We welcome you here.
    I would like to yield to the Ranking Member for the 
introduction of our fourth and final witness.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman. It is my pleasure 
to introduce Ms. Angela Dingle, Founder, President, and CEO of 
Ex Nihilo Management, a management and consulting firm that 
specializes in strategic assessments and information technology 
management. Ms. Dingle is a certified management consultant 
with over 20 years of experience in business leadership, IT 
governance, and risk management. She holds an MS in management 
information systems from Bowie State University and a BS in 
computer science from DeVry Institute. She is testifying today 
as a national partner for Women Impacting Public Policy, a 
national nonpartisan public policy organization advocating for 
and on behalf of women and minorities in business. Welcome.
    Chairman CHABOT. Thank you very much.
    Mr. Jaffer, you are recognized for 5 minutes.

STATEMENTS OF JAMIL JAFFER, DIRECTOR, HOMELAND AND NATIONAL LAW 
 PROGRAM, GEORGE MASON SCHOOL OF LAW; JUSTIN ZEEFE, COFOUNDER 
  AND CHIEF STRATEGY OFFICER, NISOS GROUP; NOVA DALY, SENIOR 
   PUBLIC POLICY ADVISOR, WILEY REIN LLP; AND ANGELA DINGLE, 
             FOUNDER, PRESIDENT, AND CEO, EX NIHILO

                   STATEMENT OF JAMIL JAFFER

    Mr. JAFFER. Thank you, Mr. Chairman and Ranking Member, for 
inviting me and our panel here today to testify. I also want to 
thank the Chairman for his leadership on these issues. You 
know, you had a successful amendment recently, the State 
Department authorization legislation requiring the comptroller 
general to report on the State Department's potential use of 
devices and systems from cyber threat nations.
    This is all the more important in light of FBI Director 
Comey's statement yesterday about the evidence they have 
acquired about the State Department's culture regarding the 
lack of security with respect to classified information, and in 
particular, the critical role the State Department plays in 
negotiations with foreign countries and the sensitive 
information they deal with from allies. In 2014 and 2015, we 
saw significant breaches of the State Department, breaches that 
actually led them to shut down their unclassified email systems 
and potentially expose classified--or sensitive data.
    Now we are in a very evolving threat environment. The speed 
at which the Internet is growing is dramatic. 26.3 billion 
devices by 2020, almost three network-connected devices per 
person. There are a lot of opportunities and benefits that this 
environment provides to us. People in developing nations will 
have the opportunity to access information and markets they 
never had the opportunity to, and for people in developed 
countries like ours, we will have the opportunity to rapidly 
innovate.
    Small businesses will be at the leading edge of that 
innovation. Startups in the Silicon Valley, from Chattanooga, 
Tennessee, to Northern Virginia, to various other places in the 
country are at the heart of this developing Internet 
environment. In our new economy, protecting our technology and 
our innovative edge is critical.
    There are huge issues with cybersecurity threats today. The 
vast majority of breaches today, 75 percent by one estimate, 
are focused on the United States. That includes three out of 
the top five breaches last year alone.
    We know about the cyber threats we face from nation--
states. Countries like China are engaged in a constant and 
steady effort to siphon off our intellectual property for their 
own economic benefit. Russia is attempting to put in place 
efforts and programs for the next major conflict. North Korea 
and Iran have increasingly important cyber capabilities and are 
perhaps more willing than nations like China and Russia to use 
those capabilities.
    We have seen in recent years the use of destructive cyber 
attacks. We saw Saudi Aramco in 2012 and Qatari Gas Ras 
attacked, roughly 30,000 computers bricked at Saudi Aramco. 
Here in the United States, at the Las Vegas Sands Corporation 
and the Sony Corporation last year, we saw cyber attacks where 
there were actual destructive efforts taking place, and that is 
a real concern.
    The DNI, the director of the NSA, the FBI director, and the 
CIA director have all recently told us that cyber threats are 
the number one threat facing the nation, even exceeding the 
threat, as prevalent as it is, of counterterrorism.
    Key to protecting our cyberspace is ensuring the 
confidentiality, integrity, and availability of information 
that flows through these networks. In order to do so, we must 
architect ourselves as a nation to defend against these 
threats, that means cooperation between the public and private 
sectors. Today, over 90 percent of the Internet is controlled 
by the private sector. We look to private sector companies to 
defend themselves, and yet in no other context do we expect the 
private sector to defend themselves against nation-state 
threats. We don't expect Target, for example, to have surface-
to-air missiles on the top of their warehouses. To be sure, we 
expect them to have high fences, armed guards, and perhaps 
guard dogs, but we don't expect them to defend against a 
Russian bomber coming and bombing their warehouses, and yet we 
expect our private sector companies today to defend against the 
Chinese, the Russians, North Koreans, and the Iranians. We need 
to have a national conversation about how to defend ourselves.
    Now, this is not to say that we expect the government to be 
on our networks at all times constantly protecting the nation 
with surveillance and the like methods. Nobody wants that 
today. To the contrary, we enjoy an open, free Internet, but we 
have to have that conversation about what the right role for 
the government and the private sector working together is in 
this modern threat environment.
    In particular, China, we have talked about their IP theft, 
but one other thing we should really talk about is their desire 
to access key U.S. infrastructure. When I was at the House 
Intelligence Committee working for Chairman Mike Rogers, our 
Committee issued a report talking about the threat posed by 
Huawei and ZTE, two major Chinese telecommunications companies, 
to U.S. infrastructure. That report had very strong 
recommendations over 4 years ago about what the government and 
private sector entities should do with respect to Huawei and 
ZTE, and it is critical, as the chairman's amendment does, that 
we continue to look at this issue.
    I would like to sum up by saying there are seven things 
that we could consider doing as a country, Congress working 
with the private sector, to address these issues. Number one, 
large and small businesses alike need to think about and get 
buy-in from their highest levels, board of directors to the C 
suite, down to workers about the need for cybersecurity.
    Second, small businesses must consider working together 
collaboratively to share cyber threat information and use their 
collective buying power to address cyber threats.
    Third, small businesses and large businesses must work 
together with the government to share information in real time 
and network speed.
    Fourth, we need to get more serious about deterring cyber 
threats.
    We need to make sure that the government gives more 
classified information to private sector entities. We need to 
consider positive incentives like tax breaks for investments in 
cybersecurity and information sharing.
    Finally, if Congress is willing, we might want to consider 
amendments to the recently passed Cybersecurity Information 
Sharing Act to provide better and more incentives for 
cybersecurity information sharing.
    That is just a short list, but thank you, Mr. Chairman. I 
know I am over time. I appreciate you taking the time.
    Chairman CHABOT. Thank you very much.
    Mr. Zeefe, you are recognized for 5 minutes.

                   STATEMENT OF JUSTIN ZEEFE

    Mr. ZEEFE. Good afternoon. Thank you, Chairman and Ranking 
Member Velazquez and all Small Business Committee members, for 
the opportunity to testify on foreign cyber threats to American 
small business.
    It is an honor to address members of this distinguished 
body, both as a small business owner and also as a citizen who 
notes that small businesses not only employ 50 percent of the 
private sector workforce in this country, but also produce 
approximately 50 percent of the non-farming GDP in the United 
States. They are, therefore, a vital part of the economy, and 
their well-being and the need to ensure their ability to 
operate in a transparent and secure environment is paramount.
    My name is Justin Zeefe. I am Cofounder and Chief Strategy 
Officer of the Nisos Group, a cybersecurity firm in Alexandria, 
Virginia, composed of entirely former elite cyber operators and 
U.S. special forces officers. I and each of my associates have 
more than a decade of assessing and mitigating cyber risk to 
U.S. national security interests.
    We each observed, over recent years, a shift by foreign 
cyber threats increasingly toward private sector concerns. This 
evolution, magnified by our observation that the commercial 
sector is wildly unprepared for this inbound threat, prompted 
us to bring our capabilities to industry.
    It is also an honor to speak to you today regarding the 
most significant present and near-term threat to the national 
business economy: foreign cyber threats in the form of 
cybercrime. There are no shortages of statistics to this end. 
It is indeed the fastest growing economic crime, according to 
PWC, and is projected to cost the global economy $445 billion 
by the end of 2016. In fact, according to McAfee, the well-
known security research firm, if cybercrime were a country, its 
GDP would rank 27th in the world, above Austria, Norway, and 
Egypt, along with others.
    How would we collectively react if we knew that the 27th 
largest economy in the world was absolutely dedicated to 
attacking our value? What if they were overwhelmingly directing 
their actions against small business here in the United States? 
In fact, if you turn both of those into statements, they would 
be accurate.
    Symantec, another very well respected research firm, found 
in June of 2015 that 75 percent of cyber attacks were directed 
at organizations with fewer than 2,500 employees, a dramatic 
increase from years prior. Not a week goes by that we don't 
read about a major data breach in the paper, with mention of 
what the attackers stole and often how they managed to gain 
access.
    Most voices and solutions in the field of cybersecurity 
address the what and the how of the threat, yet without an 
intimate understanding of the threat actors, their motivations, 
vulnerabilities, capabilities, intent, and adaptability, the 
discussion is really incomplete. Never in the history of 
mankind has there been an industry, illicit or otherwise, which 
could be addressed strategically without factoring in the 
players of the game. Cybercrime and the threat it represents 
against small business and large alike is no outlier.
    This very thing, the why, is a vital part of the equation, 
which requires understanding the humans behind the threat and, 
just as importantly, the vulnerabilities which these threat 
actors seek to exploit. By understanding the driving forces and 
motivations behind the threat actors, as well as the evolution 
of their tools, it is possible to narrow the gap between threat 
actor capability and cybersecurity solutions in the 
marketplace.
    Once we understand those threat actors and their 
motivations, it becomes easier to model future behavior from 
state-sanctioned or state-sponsored activity and criminal 
enterprise, the source of almost all cyber incidents. Armed 
with these insights, only then should we deliberately consider 
legislative incentives, penalties, and appropriate distribution 
of risk to aid, not hamper, small business.
    So, why? Why do foreign cyber threats target small 
business? One word and one analogy are sufficient to 
encapsulate this trend. The word is ``profit.'' The analogy is 
that like water or electricity, malicious actors follow the 
path of least resistance.
    As larger organizations professionalized their defensive 
and reactive posture to cyber incidents, and as stolen data 
became less profitable due to stricter regulatory and law 
enforcement environments, threat actors in search of profit 
turned the focus of their targets to small business, which had 
neither the capacity nor the budget to address this threat. A 
positive feedback loop ensued, and continues to this day, in 
which threat actors become only more dangerous as they adapt to 
this sophisticated target set and the unsophisticated target 
set alike.
    The first and most significant evolution was the 
professionalization of the threat actor. What only a few years 
ago was best described as small bands of hackers who 
occasionally worked together have, by virtue of their success, 
drawn the attention of traditional organized crime. These 
groups, with many years of experience in the conduct of 
criminal enterprise, accurately assessed that cybercrime 
represented an opportunity for increased profit and decreased 
risk. Rather than trafficking in weapons, drugs, or other 
contraband as they had been accustomed, activities dependent on 
physical items, which present a significant risk of detection 
or interdiction, these groups of experienced criminals 
increasingly invest in individuals or groups whose cybercrime 
activities are wildly successful and stealthy when it comes to 
attribution.
    In conclusion, it is vital that we not only consider the 
what and the how, but the why and the actors behind these 
incidents. Thank you for your time.
    Chairman CHABOT. Thank you very much.
    Mr. Daly, you are recognized for 5 minutes.

                     STATEMENT OF NOVA DALY

    Mr. DALY. Thank you, Mr. Chairman and Ranking Member 
Velazquez and members of this Committee. Thank you very much 
for the opportunity to appear before you today.
    Today, I offer my perspective on cybersecurity broadly and 
distinctly as it pertains to small business. My perspective is 
drawn from experience as a former official with the U.S. 
Department of Treasury helping administer the Committee on 
Foreign Investment for the United States, which saw much 
cybersecurity transactions; with the National Security Council 
helping with not only trade and investment, but also cyber 
policy; and also in the private sector working with my 
colleagues to help small businesses confront the cybersecurity 
threats that are out there.
    As this Committee knows very well, cybersecurity issues are 
clearly significant and growing economic risks for all small 
businesses, and Americans broadly. These issues have become 
increasingly relevant as we now depend on Internet access and 
connectivity in nearly every aspect of our work and lives, from 
the communication devices and processing devices we use at home 
and at work, to the vehicles we drive, the infrastructure we 
depend on, and even the appliances in our home.
    It has been forecast that, on average, 5.5 million new 
devices are connected to the Internet each day, and that by 
2020, over 20 billion devices will be connected to the 
Internet. For small businesses, the very connectivity that 
allows for greater freedom and versatility in conducting day-
to-day business, linking phones, computers, routers, copiers, 
even alarms and ventilation systems, also brings with it 
significant and sometimes paralyzing risk, risk that is often 
difficult to address both financially and in terms of human 
resources.
    As small businesses increase their connectivity to the 
Internet, they face significant challenges, not just in 
infrastructure and the nuts and bolts of establishing business 
connectivity, but also in security-related costs. Both domestic 
and foreign criminals, as well as foreign governments, have 
been known to exploit and are even actively targeting Internet-
based vulnerabilities in order to gain access to financial 
information, customer data, and intellectual property. Three 
years ago, a study issued by the Center for Strategic and 
International Studies estimated that the annual cost of 
cybercrime in the U.S. was $1 billion. According to more recent 
reports, cybercrime costs quadrupled since then and are even 
going to quadruple into 2015 to 2019.
    While large businesses typically have the means to fund and 
invest in strong and resilient cybersecurity measures to 
protect their interests, small businesses generally do not have 
this luxury. They often lack the capabilities or the resources 
to pursue strong entity-wide cyber protections. Further, small 
businesses often may not be privy to the kinds of broad 
industry-wide threat notifications to which larger companies 
may be. Often, larger companies have the resources to 
continually monitor and review threats that may arise from 
certain technology and supply chains, and at times are 
contacted by the U.S. Government when breaches occur. A notable 
example was a 2014 Department of Justice investigation and 
prosecution of several Chinese military officials who were 
responsible for breaches of numerous U.S. companies' security 
perimeters. There, at least some of the affected companies were 
contacted and alerted while the breaches were occurring.
    However, given the breadth of existing cyber threats and 
continued growth of our cybercrime, our government simply does 
not have the resources to address all the cybersecurity-related 
issues faced by businesses, critical infrastructure, and 
government systems, let alone those faced by small business.
    In 2012, the House Permanent Select Committee on 
Intelligence issued a report on its findings regarding security 
threats posed by certain telecommunications companies doing 
business in the United States. Despite the report's negative 
findings, the companies investigated continue to grow as 
dominant players in the global technology market. While it has 
been effectively restricted from selling network equipment to 
Tier 1 carriers, Huawei is growing its sales to smaller 
wireless U.S. carriers, supplying network infrastructure 
equipment to cities in the States of Washington and Oregon, and 
is targeted to continue growth in cell phone sales. Last year, 
ZTE was the fourth largest smartphone vendor in the United 
States, with 7.2 percent market share. Both these companies 
were notably sanctioned for export control violations.
    Although much larger U.S. companies can engage other 
vendors and many vendors to provide certain cybersecurity 
monitoring and reinforcement of their perimeters, small 
businesses don't have the funds or capacity to do so.
    While doing business with such companies can present 
heightened risk, it should not be overlooked that there is 
significant and growing vulnerability within the entire U.S. 
technology supply chain. Increasingly, our technology 
communications equipment and systems are produced or assembled 
abroad, and we are seeing nations taking strong measures to 
grow their own semiconductor and technology industries. 
Further, the United States is finding itself with a talent 
shortage in cybersecurity.
    So how do we deal with this issue? I present a couple ideas 
or perspectives or views. First, focus on current laws. 
Enforcement is key. We should continue to do so and send 
signals to the market and to the private business and small 
business.
    Promote cyber standards. We should consider frameworks such 
as ISO standards to promote best practices.
    We should engage small businesses not only in education and 
outreach, but also in funding. A bill that was introduced, H.R. 
5064, the Improving Small Business Cybersecurity Act of 2016, 
would be an important end.
    Lastly, we have to address the supply chain security issues 
in the United States and close the cyber deficit. As I 
mentioned earlier, our supply chains and much of our equipment 
is being produced abroad. If we lose the capabilities and 
talents, not only in cybersecurity, but also in our 
capabilities of technology, we will lose our edge and our 
innovation.
    Thank you very much for this time.
    Chairman CHABOT. Thank you very much.
    Ms. Dingle, you are recognized for 5 minutes.

                   STATEMENT OF ANGELA DINGLE

    Ms. DINGLE. Thank you, Chairman, Ranking Member Velazquez, 
and distinguished members of the Committee. Thank you for the 
opportunity to testify.
    My name is Angela Dingle. I am the president and CEO of Ex 
Nihilo, a woman-owned small business based in Washington, D.C., 
that provides cybersecurity, IT governance, and risk management 
services to government agencies. I am here today representing 
Women Impacting Public Policy, which is a national nonpartisan 
public policy organization advocating on behalf of women 
entrepreneurs.
    First, I would like to thank the Committee for holding this 
hearing. Few topics are as timely as today's hearing.
    The National Cybersecurity Alliance found that 60 percent 
of businesses will close within 6 months of a cyber attack. 
Narrowing the focus, businesses that work with the Federal 
Government are an additional security risk, given that the U.S. 
Government's research data and engineering specifications are 
of high value to individuals, companies, and governments across 
the world. Due to increasing privacy requirements and recent 
cybersecurity attacks, the Department of Defense responded by 
implementing new contract requirements.
    In August of 2015, DOD finalized a regulation requiring 
companies of all sizes to safeguard unclassified, controlled 
technical information that resides on their information 
systems. The goal of the rule is to provide minimum standards 
to protect government information that finds its way into 
contractor information systems. The guidelines include 14 
families of security requirements, commonly known as security 
controls or security objectives, that must be satisfied. These 
groupings range from identification and authentication, to 
physical protection.
    Contractors that do not implement safeguards for the 14 
families must submit a written explanation of why the required 
security control is not applicable or explain how an 
alternative control or protective measure is being used to 
achieve the same level of protection.
    This past February, the SBA Office of Advocacy found that 
this DOD rule grossly underestimated the number of affected 
small businesses. The cost of compliance with this rule will be 
a significant barrier to small businesses engaging in the 
federal acquisition process.
    Even more concerning is the May 2016 National Industrial 
Security Program Operating Manual, or NISPOM, Conforming Change 
2, commonly referred to as the insider threat program. This 
regulation stems directly from concerns over contractor 
employees' ability to bypass security safeguards. The rule 
requires contractors to gather, integrate, and report relevant 
credible information that may indicate a potential or actual 
insider threat. It is especially burdensome for small 
businesses because it has to be implemented by November 30, 
2016. WIPP is particularly concerned about the significant 
burdens associated with these new requirements and their 
potential to push women-owned firms out of the federal market.
    Lack of technical knowledge is not an excuse for failure to 
comply with basic cybersecurity regulations. Small businesses 
need to proactively understand the scope and impact of changes 
on the business; align organizational policies, practices, and 
procedures to comply; empower those with the technical 
expertise necessary to implement changes; provide adequate 
training to ensure employees are aware of their 
responsibilities; and hold individuals accountable for 
compliance.
    The first step is to get a jump start on the new 
requirements by assessing current information systems and 
determining changes necessary for compliance with new 
guidelines. Implementing effective governance processes can 
help small businesses manage information security risks, 
increase stakeholder confidence, and reduce the costs 
associated with compliance. To that end, small businesses could 
use assistance in determining their cybersecurity needs.
    WIPP supports Representative Hanna's H.R. 5064, which was 
included in this year's National Defense Authorization Act. The 
legislation authorizes small business development centers to 
support small businesses in developing affordable cybersecurity 
plans. However, we would encourage the Committee to consider 
adding other SBA resource partners, including over 100 women's 
business centers.
    In conclusion, women entrepreneurs consider the federal 
marketplace a key opportunity to grow their businesses. While 
there is a need to protect federal data and small businesses 
need to protect themselves from cyber attacks, the government 
has gone too far with new regulations. One size did not fit 
all. Ensuring that new cybersecurity requirements are 
attainable for small business is of paramount importance. This 
Committee has always acted in a bipartisan manner to support 
women entrepreneurs, and we appreciate your examination of this 
issue.
    Thank you for the opportunity to testify, and I am happy to 
answer any questions.
    Chairman CHABOT. Thank you very much.
    We will now move into the questioning part, and I will 
recognize myself for 5 minutes.
    Mr. Jaffer, I will begin with you. When a foreign company 
is caught stealing data or information from another entity, 
what are the common enforcement mechanisms available and what 
recommendations would you make to improve on those enforcement 
mechanisms in order to further deter foreign cyber attacks?
    Mr. JAFFER. Sure. Mr. Chairman, part of the challenge, as 
you know, with foreign companies stealing U.S. information is 
our ability to get jurisdiction over them, and particularly if 
they are state actors. State actors are particularly the most 
problematic, whether it is China or its proxies or other 
nation--states, stealing our information is something we have 
got to critically address.
    The best way to deter nation states from doing it, whether 
they are operating through their companies or not, is to have a 
deterrence policy. The key elements of a deterrence policy are, 
one, describing what our capabilities are; describing how we 
might use them, if and when we have information stolen or 
attacks made on our country; and then actually carrying those 
out, and part of it is credibility. So that is one of them.
    In addition, we obviously have the ability to prosecute 
folks, but we have got to be able to get jurisdiction over 
them. That is the really hard part.
    Chairman CHABOT. Thank you very much.
    Mr. Zeefe, I will move to you next. You had mentioned, why 
are so many small businesses in particular targeted, and you 
said it is because of profit, it is the least resistance is 
among small business folks. What are a few things that small 
business folks who may be watching or may hear about the 
hearing or that we may correspond with, what are some things 
practically that they could do, as small businesses, to protect 
themselves from cyber attacks?
    Mr. ZEEFE. Thank you. The majority of threat actors 
operating today are operating for profit, as mentioned. The 
best thing that a small business could do is ensure that their 
network is relatively secure by following the protocols that 
are standard across all industry; that is, ensuring that you 
have configured your network correctly, ensuring that you are 
encrypting your most sensitive data when possible, not being 
lax when it comes to security, ensuring that your password 
management is reasonable, ensuring that the folks who have 
administrator access on your domain do not use the same 
password there as they do at their gymnasium or anywhere else 
that might be hacked, as very regularly these hacks come 
through third-party incidents. So it is not that your business 
is hacked, but rather that a third party is hacked, I gain 
credentials to your business and I use them.
    Chairman CHABOT. Thank you very much.
    Mr. Daly, I will move to you next, if I can. What are, and 
this is somewhat related to what I just discussed with Mr. 
Zeefe, some of the common mistakes that you see made by small 
business folks that leave them vulnerable to cyber attacks?
    Mr. DALY. I think it is not providing the education within 
their own workforce to let their employees know the 
vulnerabilities that are out there, in terms of making sure 
their passwords are protected, making sure the systems are 
protected in the way they operate it. So I think it is that 
employee knowledge.
    Also, in terms of not necessarily the equipment, but making 
sure they have the right software, making sure it is updated, 
and continuously taking sort of a proactive approach to the 
cybersecurity that they provide their systems.
    Chairman CHABOT. Thank you very much.
    Ms. Dingle, let me ask you this. When you started off, it 
struck me that you said 60 percent of businesses, I guess small 
businesses in particular, close within 6 months of a cyber 
attack. I had mentioned in my opening statement that the 
average loss is about $32,000 that a business suffers.
    Do you want to expound upon why such a large number do go 
out of business when there is a cyber attack? Are there any 
stories or cases in particular that you would want to let us 
know about?
    Ms. DINGLE. Certainly. As many of the panelists here have 
spoken about, the cost of responding to a cybersecurity breach 
is very expensive. As this Committee may be aware, small 
businesses don't necessarily have the financial means. They 
don't necessarily have reserves that they can quickly allocate 
to address a cybersecurity breach. The cost of having to pay 
for outside expertise to come in, help investigate and identify 
the actual problem that has occurred, and mitigate that can be 
very expensive, and that is why they end up going out of 
business.
    I personally know of small businesses who, like some of the 
other panelists have spoken about, just did not understand what 
it takes to properly secure their business, only to be hacked 
or to have a security breach, and have had to tap a number of 
different resources that one would tap to finance your business 
for payroll or other sources to try to combat these 
cybersecurity issues.
    Chairman CHABOT. Thank you very much.
    My time has expired.
    The gentlelady from New York, the Ranking Member, is 
recognized for 5 minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Ms. Dingle, as you mentioned before, the DOD, NASA, and GSA 
recently issued rules pertaining to all future federal 
contracts, which require a contractor to implement a set of 
cybersecurity measures to safeguard information, and more 
agencies will continue to identify and prioritize cyber 
standards.
    What can we do to ensure that small contractors are 
involved in this process as uniform cybersecurity guidelines 
are developed?
    Ms. DINGLE. Thank you. It is really important that small 
businesses have education sources. A lot of times these 
discussions are happening in environments where small 
businesses don't necessarily have a representative or a 
presence, and the Federal Acquisition Council may be having 
discussions about the timing of when these will be implemented. 
Although there was research that was done about that DOD rule, 
as the owner of a federal contractor, we certainly were not 
questioned about how timely we thought the requirements should 
be with respect to our ability to comply.
    I think education is really important, and allowing the 
small business resource centers to provide that education would 
be extremely helpful to small businesses.
    Ms. VELAZQUEZ. Do you see any active role being played by 
the Small Business Administration to make sure that small 
businesses understand the risks so that they could implement 
cybersecurity measures?
    Ms. DINGLE. In the last 12 months, I have seen webinars and 
other information that the SBA has tried to make available to 
small businesses. But, again, depending on how small the 
business is, finding the time to participate in those and to 
stay ahead of and abreast of those is really what is difficult. 
Partnerships between the SBA and resource centers and 
organizations such as WIPP to educate small businesses is what 
I think would really be beneficial to them.
    Ms. VELAZQUEZ. Thank you.
    Mr. Jaffer, federal spending to combat cybercrime continues 
to grow at an extremely rapid rate. What steps can be taken to 
tap the unique talents of nimble small technology firms in an 
effort to strengthen our national security defenses?
    Mr. JAFFER. Thank you, Ranking Member Velazquez. I think 
that is exactly right. We have to tap the resources that 
startup companies in the Silicon Valley and across the nation 
have, the innovative ideas to address concerns that the Federal 
Government has, but the Federal Government is challenged when 
it comes to buying from small startups. There are all these 
regulations, that Ms. Dingle correctly talked about, that make 
it hard for small businesses to get in front of and actually 
sell to the government, even though they have some of the best, 
newest ideas.
    We have to figure out a way to reduce that burden on small 
businesses and allow the government to buy from the most 
innovative parts of our community to address these very real 
threats. If we don't do that, we are never going to have access 
to that capability. It is unfortunate because the government, 
most of all, needs that access to innovative, smart, capable 
companies that are at the leading edge of cybersecurity 
technology. I think Ms. Dingle is exactly correct. We have to 
reduce the regulatory burden on those companies.
    Ms. VELAZQUEZ. Thank you.
    Mr. Daly, nearly every single company selling technology to 
the U.S. Government and consumers, HP, Dell, Cisco, Apple, use 
foreign components in their products. Many of these products 
are used by small businesses. If there are any ill intentions, 
small firms are often not savvy enough to monitor foreign 
threats posed by these products or components.
    What danger does this product integration within our market 
pose for small firms, and what is the best way to assist small 
firms in combating it?
    Mr. DALY. Thank you, Ranking Member. I think the threats to 
our supply chain are very significant, and they permeate not 
only into large businesses, but our government systems and 
small businesses equally as well. So those vulnerabilities that 
the large businesses have, small businesses are going to have 
as well.
    The issue is how to address that, as I alluded to, we have 
to think long term and structurally towards ways we can secure 
our supply chains, whether that be standards we are going to 
use in terms of making sure that the equipment is certified to 
a certain industry-held standard, and then that standard is 
something that the GSA complies with that will permeate its way 
into the private sector and flow down to private small 
businesses.
    Ms. VELAZQUEZ. Thank you. I yield back.
    Chairman CHABOT. Thank you. The gentlelady's time has 
expired.
    The gentleman from Missouri, Mr. Luetkemeyer, who is the 
Vice Chairman of this Committee, is recognized for 5 minutes.
    Mr. LUETKEMEYER. Thank you, Mr. Chairman.
    Mr. Jaffer, you made some interesting comments, and I 
appreciate you being here today. You were talking a minute ago 
with regards to the small businesses being attacked and the 
venues for going after the attackers. I want to focus on the 
small business, because I think you were talking mainly about 
the government side of this, but I want to talk about the small 
business guys.
    If you have a small business out there and they get 
attacked by a hacker, where do they go? Who is the law 
enforcement agency that they need to go to, talk to, to get 
some sort of restitution? Is it possible, because I think a 
comment was made a minute ago with regards to tracking these 
people down, and if it is a government-sponsored hack, how do 
you go after something like that? Can you elaborate a little 
bit on that?
    Mr. JAFFER. Sure. Thank you, Mr. Vice Chairman. The first 
responder in these circumstances typically is the FBI. Small 
businesses and large businesses should go to the FBI. The 
challenge we have as a government, though, is you have DHS out 
there talking about its capabilities, you have FBI, you have 
DOD, and everyone is talking about the role they play. We as a 
government, haven't done a very good job of bringing that 
together and telling the private sector, particularly small 
businesses, who the lead is.
    When it comes to investigations, I think the Bureau is the 
first place to go, at the local field office. The FBI is 
engaged in an effort to build bridges, but they are typically 
doing it with large companies. We need to figure out how to get 
small businesses, particularly private sector small business 
resource centers, like Ms. Dingle highlighted, and get the FBI 
and other agencies in with that part of the community to better 
address their concerns when they are hacked.
    Mr. LUETKEMEYER. Do we have the ability and have you seen 
cases where we actually win against the bad guys, we catch the 
bad guys and then the small business gets restitution for 
whatever IP they have lost?
    Mr. JAFFER. I am not aware of specific examples. I know 
that we have prosecuted folks and put them in jail. Getting 
actual restitution may be harder, and it may be an opportunity 
for Congress to consider legislation to create a cause of 
action to allow going after foreign cyber threat actors for 
restitution with stolen IP.
    Mr. LUETKEMEYER. Okay. So right now, because there is 
limited ability to get restitution, the small business is 
sitting there basically on its own if it gets hacked, hopefully 
the information is not such that it is going to drive it out of 
business.
    Mr. JAFFER. One area to think about might be sanctions 
collections and look at that as a potential pot of money that 
is here domestically that might be accessed by small businesses 
and other folks that are hacked by foreign nation-state actors 
or foreign companies.
    Mr. LUETKEMEYER. Very good.
    Mr. Daly, you talked a minute ago about a talent shortage 
in cybersecurity. It is interesting, because today in the 
Washington Times commentary section is a story titled Meeting 
the Cyber Challenge. In the article it says, during the last 20 
years, the size and skill level of the technology workforce has 
not kept pace with the demand for workers. Routinely, American 
companies and government agencies post more job vacancies than 
there are qualified candidates to fill. Over three-quarters of 
K through 12 schools do not offer computer science classes.
    The article goes on to say that the Bureau of Labor 
Statistics estimates that almost 5 million jobs will be 
available in computing and information technology by 2024.
    The gist of the article is to try and get Congress to spend 
more money and help bridge this technology gap. But we have a 
problem here that is recognized by a lot of folks, apparently, 
that we have a shortage of people in this field to be able to 
do the work to protect our companies, our government, and our 
assets from being hacked or being taken advantage of.
    Where do we go from here? This is very concerning, because 
if we don't have the experts to be able to keep us in the lead, 
we are going to fall behind and then we are going to be in real 
big trouble. Do you care to comment?
    Mr. DALY. I absolutely agree with you. I have talked to 
folks at Mandiant and Symantec and McAfee and others, and this 
is something that is very apparent, that we don't have the 
capabilities to deal with this sort of knowledge-base gap in 
cybersecurity.
    I think you have to make market-based incentives that drive 
people to want to get that education, want to get those 
capabilities, and that is where people respond. Look, if they 
can get a great job, they are going to do the extra technology 
training, go to additional schooling to be able to have a job 
that is going to be very secure.
    Unfortunately, I took a recent trip and talked to three 
folks who are in college. They told me they were psych majors. 
I was, like, that is great, but, we really need to get back to 
the basics, focus on the technologies that are going to be 
core, and find incentives, market-based incentives to get us 
there.
    Mr. LUETKEMEYER. Thank you.
    I yield back the balance of my time.
    Chairman CHABOT. Thank you. The gentleman yields back.
    The gentlelady from North Carolina, Ms. Adams, who is the 
Ranking Member of the Investigations, Oversight, and 
Regulations Subcommittee, is recognized for 5 minutes.
    Ms. ADAMS. Thank you, Mr. Chair, and thank you, Ranking 
Member Velazquez, for hosting the hearing today. Thank you all 
for your testimony.
    My first question, Mr. Jaffer, it seems like most 
cybersecurity solutions are geared toward larger companies, 
leaving small- and medium-sized enterprises vulnerable to cyber 
criminals and hackers. What options are there for small 
businesses that want to protect themselves but have limited 
resources?
    Mr. JAFFER. Yes, ma'am. That is a great question. One 
opportunity that small businesses could take is to band 
together in associations or the like to use their purchasing 
power to buy larger scale cybersecurity solutions, have perhaps 
common security operations centers. A lot of big companies have 
these amazing rooms with big flat screen TVs, and they are 
looking at all the cyber threats and confronting them. Small 
businesses don't have the ability to do that, obviously. Maybe 
by banding together through their associations they can buy 
that capability from larger companies and work collectively.
    Ms. ADAMS. Okay. One issue for small firms is the theft of 
intellectual property. This type of crime can be devastating to 
small firms and will result, as has been said, with many of 
them going out of business. How can IP theft, particularly from 
small businesses, hurt our economy and national security?
    Mr. JAFFER. Again, I think you are absolutely right. It is 
a totally crushing threat, particularly for small businesses, 
but net net for our larger economy. As we shift to this 
technology-driven industrial and services economy, our economy 
fundamentally depends on our innovative capabilities and our 
ability to protect our intellectual property. If we can't do 
that--and today we simply aren't, China is taking it right out 
the backdoor in tremendous amounts--we have got to find a way 
to do that. That is a collective government and private sector 
problem. I think we have to address it for small businesses, as 
Ms. Dingle said, through the SBA and other organizations.
    Ms. ADAMS. Thank you.
    Mr. Zeefe, human error can usually be blamed for a fair 
amount of security breaches. How could setting a minimum 
threshold for cybersecurity best practices help small firms 
reduce the number of and severity of cyber attacks?
    Mr. ZEEFE. The cybersecurity insurance industry has been 
setting the benchmark for that by creating checklists and 
essentially a punch list of things that an organization must 
accomplish in order to qualify for a policy, and then 
identifying and closing those loopholes which might trigger 
that policy or an exemption thereto.
    Probably the best way, ultimately, is for both the small 
business community around the United States, as well as 
governments, to create a regimented checklist of things that 
organizations must do. Many of them revolve around human error, 
which incidentally is the vector by which the vast majority of 
these attacks are promulgated.
    Ms. ADAMS. Could these best practices also help to reduce 
the burdens and the costs of keeping up with ever changing 
threats?
    Mr. ZEEFE. They could. To your last point, they also have 
to be ever changing, because the methodology by which these 
attacks are conducted is shifting in response to our defensive 
posture. In order for us to stay ahead of the problem, we have 
to focus--in my opinion, we have to focus less on purely 
automated solutions and more on a hybrid of understanding what 
can be automated. That which cannot be automated has to be 
human driven, as the threat is entirely human driven.
    Ms. ADAMS. Okay.
    Ms. Dingle, implementation costs for IT security is of 
paramount concern that can cause small institutions to lose or 
even decide not to compete for bids against larger companies 
for federal and state government bids. In your estimation, what 
steps can be taken to ensure that small businesses don't have 
to choose between security and their bottom line?
    Ms. DINGLE. Thank you for the question, and it is really an 
interesting one. In particular, entry into the federal 
marketplace can make or break a revenue source for a small 
business, and with these new regulations, very often a small 
business does have to make that choice. I think providing some 
balance between what is expected of a very large corporation 
and what is expected of a small corporation from a 
cybersecurity standpoint is going to be that balancing act.
    Is it that everyone has to comply all at the same time, or 
to one of the other panelist's point, is it possible for small 
businesses to be able to band together to try to address those 
requirements? In particular, the DOD regulation that I 
mentioned earlier in my testimony requires that the small 
business itself handle some of those things. They have taken 
away that small business's ability to partner with either a 
contractor or with someone else to assist them in solving the 
problem. So just some flexibility in a small business's ability 
to respond would be helpful.
    Ms. ADAMS. Thank you very much.
    Mr. Chair, I yield back my time.
    Chairman CHABOT. Thank you. The gentlelady's time has 
expired.
    The gentleman from Mississippi, Mr. Kelly, is recognized 
for 5 minutes.
    Mr. KELLY. Thank you, Mr. Chairman, and thank you witnesses 
for being here.
    In my experience working with small businesses, number one, 
is the education or technical expertise of owners in this area 
is lacking. It is also very expensive in time, it is 
inconvenient, it is expensive in money. A lot of times small 
businesses use the hope method, which is, I hope I don't get 
attacked and they don't do that. It is very frustrating.
    I am in the Guard and I have spent time with cybersecurity, 
also I was with the district attorney's office when I was 
there. A lot of the things that you have to do are extremely 
frustrating, especially to upper management old people like me 
who don't understand what these kids understand. We don't like 
changing our passwords, because we can't remember it. We don't 
like keeping things on separate computers because it is 
inconvenient. We don't like all the things that are necessary 
to do that.
    That is across the board, whether you are military, whether 
you are civilian in small businesses, it is a cost. But the 
reality is they can't afford not to be prepared for this. I 
know that hard targets right now are going to be bypassed, 
because there are plenty of weak targets out there. How do we 
get this message across?
    Mr. Jaffer and Mr. Zeefe, if you would answer this, how do 
we get this message across to our small business owners in a 
way that they understand, you can't afford to be a soft target, 
you have to harden up?
    Mr. JAFFER. Mr. Kelly, that is exactly right. I think we 
have to figure out a way to ensure that small businesses get 
how critical it is to them. For them, at the core of their 
business is their reputation and their intellectual property, 
that innovative thing that makes them special and that makes 
them more competitive against these bigger companies. That is 
what makes them unique and makes them such a productive part of 
our economy.
    Through the SBA and other organizations that this Committee 
has jurisdiction over, we have to strengthen them at the heart 
of their role as small business to protect that very unique 
edge. Without doing that, they are going to be much more 
vulnerable than larger businesses are, and that is a real 
problem.
    Mr. ZEEFE. There are a number of policy prescriptions we 
could put in place to encourage, but ultimately, I suspect it 
will be an existential event or a series of existential events 
whereby a number of medium- or large-size companies have their 
reputations damaged or financial positions damaged to such a 
point that they go out of business. I think that will be the 
clarion call that brings some awareness to the table.
    By and large, the reason that small businesses are being 
attacked with such aggressiveness is because they are so weak, 
because they are third-party providers to larger organizations, 
and because they can be squeezed for small amounts of money 
across the board. So as an attacker, I can go after 10 or 15 
companies in an hour and extract $10- or $15,000 from each 
apiece far easier than I can going after a large financial 
institution and making an effort there.
    So the short answer is, I don't know that there is much 
that can be done other than making this a public affair.
    Mr. KELLY. Mr. Jaffer, again, I am a father, I have a young 
kid, and we all want to take work home, especially when we 
don't have the millions to buy multiple tools. A lot of parents 
take home their work computer and let their kids play games, or 
their work iPad or their work iPhone, and they let them use 
those. They don't understand that there is a danger of 
spillage. That is what we refer to in the military as spillage, 
it is when you take something from one net and take it to 
another net and expose it to threat.
    Is there any way that you can think of so people understand 
that when you take either different classifications of 
information or when you have an intranet, and you expose it to 
the extranet--you know, you can't even use thumb drives on a 
lot of military computers and other things. How do we 
communicate this to let them know it is simple, but it is 
inconvenient?
    Mr. JAFFER. Well, I think you raise a really good point. I 
have a 7-year-old, Nikko, and he plays on my iPad and my 
laptop; you are exactly right. He recently purchased a bunch of 
apps, so I learned about parental controls first hand. I think 
we have got to create separate accounts for our kids and for 
other family members that don't have access to those parts of 
the system.
    Of course, hackers will be able to get through some those 
walls, but the higher we can build those walls, just at the 
very base level, keeping your system up-to-date, patch, 
creating separate accounts, that can help a lot. For small 
businesses, doing small things like that can make a difference. 
As you said, they are going after the weakest targets, and so 
we have to make ourselves stronger and not be the weak gazelle 
in the herd, as it were.
    Mr. KELLY. I don't have to run faster than the bear. I just 
have to run faster than you.
    I thank you, Mr. Chairman. I yield back.
    Chairman CHABOT. Thank you. The gentleman yields back.
    Mr. Jaffer, I hope you will encourage your son to go on the 
Small Business Committee Web site. I am sure he will find this 
fascinating.
    Mr. JAFFER. As long as you have apps to purchase.
    Chairman CHABOT. The gentlelady from Michigan, Mrs. 
Lawrence, is recognized for 5 minutes.
    Mrs. LAWRENCE. Thank you so much.
    Ms. Dingle, you stated that there were some webinars 
available for small businesses, but has the SBA proven to be 
effective in educating the small business owners and employers 
on the need to safeguard against potential threats? In your 
view, what are some of the recommendations you have had? I 
heard that we really need to get this going, and it is so 
critical. Can I get your opinion and recommendations?
    Ms. DINGLE. Sure. Let me first address the latter part of 
your comment about whether or not people have been informed. 
Cybersecurity and information technology is a huge, huge issue. 
For companies that are not in the business of providing 
information technology products or services, it is a whole new 
world, for lack of a better term. If you have a firm whose day-
to-day business is providing healthcare services or providing 
home improvement services, they are not thinking about 
technology.
    The SBA, even if it is able to help, has to, first, make 
businesses aware that these regulations and the cybersecurity 
issues apply to all of us. I don't think that across the board 
people understand that this is a problem that affects us all. 
It affects us as individuals; it affects us as employees, as 
managers, and as business owners.
    I am in the information technology space, so I don't look 
to the SBA for that assistance. I will tell you that I have not 
seen a lot of that, but that does not mean that the resources 
are not available. Trying to comply with the newest set of 
regulations, even though we are in the technology business, 
they are occurring so quickly that we have to bring in external 
resources to help us to comply with them all.
    If there were small business cyber centers that were 
available, where we could go--and to Mr. Jaffer's point combine 
our resources to get access to the tools and technologies and 
expertise that we need to address this problem, that would be 
really helpful and beneficial.
    Mrs. LAWRENCE. I just--I try to support small business, and 
they have these pop-ups I went to one of these pop-ups, and I 
saw something I wanted to purchase. The owner of this upcoming 
business said, I can't take a credit card. I have been hacked. 
She went over to a fellow pop-up person there saying, we are 
friends, can you pay? I found that very concerning, because 
here she is trying to start a business, and the pop-up industry 
is so exciting and really growing around America, and before 
she got off the ground, she had been hacked. It impaired her 
ability to take credit cards, because they had shut her down.
    Ms. DINGLE. Indeed.
    Mrs. LAWRENCE. The other question I have is to Mr. Daly. In 
your testimony, you mentioned strengthening information-sharing 
initiatives as a way to engage small business. Can you briefly 
talk about the organizations, we call them ISAOs, that were 
established by the executive order of President Obama in 2015, 
and is it enough, or what do we need to enhance it?
    Mr. DALY. I think it was definitely very helpful, the work 
that it is looking toward making the SBA do, I think, is also 
very helpful. One of the intuitive things I draw from is one of 
the things we did at the White House. When we knew intellectual 
property was being stolen to such a degree, we did an entire 
initiative where we essentially ran it out of the White House 
pulling all the agencies together saying, look, can we do a 
combined initiative? It is called the Stop Initiative. We 
combined the resources of all the departments, made sure that 
they communicated, functioned, and had a one-stop shop for 
dealing with that issue.
    I still think while it is helpful, that sort of initiative 
needs to occur.
    Mrs. LAWRENCE. So, then, did it occur and stop, or is it 
still available?
    Mr. DALY. It did occur. In terms of STOP, yeah, it did 
occur. At Department of Commerce, we have an IP czar that was 
established and continued. It led to a number of initiatives, 
not only creating a czar, but also creating commerce at a 
point, and was able to put new legislation as part of it too. 
So it was effective.
    Mrs. LAWRENCE. Thank you.
    Chairman CHABOT. Thank you.
    Mrs. LAWRENCE. I yield back.
    Chairman CHABOT. Thank you. The gentlelady's time has 
expired.
    The gentleman from Ohio, Mr. Davidson, is recognized for 5 
minutes.
    Mr. DAVIDSON. Thank you, Mr. Chairman.
    Thank you for you all being here and having some good 
information for small businesses and for our Committee. It is a 
pleasure to talk with you guys.
    Ms. Dingle, one of my questions involves the National 
Institute of Standards and Technology framework. Are you 
familiar with that?
    Ms. DINGLE. Yes, I am.
    Mr. DAVIDSON. Okay. How have you found that to be--I think 
there was recently a review in April on how is that process 
going? What kind of impact is that likely to have for small 
businesses and industry in general?
    Ms. DINGLE. The NIST framework that you reference does 
provide a framework for all things information security with 
respect to how you protect your information systems. There is 
an overarching 800-53 special publication that is revised on a 
regular basis, recently to Revision 4, and then there are 
associated special publications that have to do with various 
things that need to be protected. It is essentially the Bible 
that one needs to follow with respect to securing your systems.
    The challenge, when you talk about a small business being 
able to comply with that, I talked about the new regulation for 
Department of Defense that had 14 families of controls. This 
one has much larger families of control to the tune to 2- to 
300 things that a technical person would have to implement in 
order to secure a system.
    In terms of a guideline, it is a very clear and distinct 
guideline on how one should protect information systems. It is 
just a very big, big, big set of regulations.
    Mr. DAVIDSON. Okay.
    Maybe, Mr. Jaffer, internationally, are there any 
technologies or practices that are not currently accessible or 
permissible here in the United States that are in use elsewhere 
in the world that would actually improve our cybersecurity 
here?
    Mr. JAFFER. Thank you, Mr. Davidson. I am not sure--I am 
not aware of any specific technologies, but I do think that 
this goes to the larger issue about getting innovation into our 
system, whether it is foreign or American. We have got to find, 
particularly as a government, but also large businesses, ways 
to buy from the most innovative amongst us, the startups, those 
young companies.
    I think, as Ms. Dingle correctly highlighted, it is a real 
challenge for small businesses worldwide to get into the U.S. 
Government sector. The U.S. Government needs our help. It needs 
the help of small, startup companies to get in there and give 
them innovative ideas. Whether it is international or the U.S., 
we have to figure out a way to make that happen.
    Mr. DAVIDSON. Thank you.
    In the assessment that you do, it seems like you do a bit 
of overall view of security. Is there a best practice that you 
would say, globally, if there is a country that really has a 
strong--that is actually connected to the grid--obviously, the 
countries that have no infrastructure maybe are more secure 
because there is nothing to be hacked. But those of us that 
choose to have access to the world, who has the best practices 
right now? If we wanted to say, is the U.S. a world leader or 
is the U.S. lagging, and who is leading?
    Mr. ZEEFE. There are probably statistics. I am just using, 
what metrics I don't know, but I would say Estonia would be a 
surprising but accurate choice. They are the home of the NATO's 
Cyber Centre of Excellence. They are very careful to proscribe 
best practices to both their citizens as well as their 
companies that are formed from within the country. They take it 
very seriously, particularly as they have Russia on their 
doorstep.
    Whether and where the United States would rank in that, to 
be honest, I don't know.
    Mr. DAVIDSON. Not sure.
    Okay. And then, Mr. Daly, just a question. In light of this 
week's news about the handling of confidential, if not 
classified, information and security, are there new laws that 
ought to be in place to make it clear that all of America, are 
subject to the Lady Justice, that there is no exemptions 
regardless of whomever you are?
    Mr. DALY. I think that is a good and tough question. I 
think the laws, in terms of handling classified information, 
are fairly strong and you just need a Federal workforce that 
makes sure that it follows those guidelines strictly. When I 
had to handle that classified information, losing that 
privilege meant the loss of my job and a loss of confidence.
    That public awareness is necessary. New laws, that is 
something that could be considered. Vigilance on what we have 
is always the key, so----
    Chairman CHABOT. The gentleman's time has expired.
    Mr. DAVIDSON. Thank you. I yield back my time.
    Chairman CHABOT. Thank you. The gentleman's time has 
expired.
    The gentlelady from New York, Ms. Clarke, is recognized for 
5 minutes.
    Ms. CLARKE. Thank you, Mr. Chairman. I thank our Ranking 
Member, and I thank our panelists for bringing your expertise 
to bear on today's subject matter.
    I want to start with Ms. Dingle by asking, what would you 
say are the greatest barriers for small contractors wishing to 
break into the federal marketplace as it pertains to 
cybersecurity guidelines?
    Ms. DINGLE. Thank you for the question. For small 
businesses that are not familiar with doing business with the 
Federal Government, the Federal Acquisition Regulation, and in 
particular if you are talking about doing business with the 
Department of Defense, is a whole other language that they are 
not accustomed to.
    Again, as I was answering Ms. Adams' question, if you are 
not in the business of doing technology, the fact that you have 
to comply with the cybersecurity regulations that are very 
technical in nature can be a barrier. There are essentially 
three types of security measures that one needs to put in 
place. One has to do with management and operations, the other 
has to do with technical implementations, so operations, 
management, and technical.
    The average businessperson is thinking about how to manage 
and operate their business, but then you add these technical 
requirements on top of it. More and more often, when you submit 
a proposal to do business with the government, the requirements 
are already in the solicitations. If you are not able to 
comply, then you can't compete for that business.
    Ms. CLARKE. What makes it difficult for small businesses to 
comply? Is it a financial? Is it a human resource issue? Is it 
a combination of both?
    Ms. DINGLE. Yes.
    Ms. CLARKE. Does the SBA have a role in assisting those who 
may be themselves qualified but do not have the capacity as 
designated in the solicitations?
    Ms. DINGLE. Certainly, it is a combination of those things. 
It would be wonderful for new business owners, as you go to the 
Small Business Administration to get information about how to 
define your target market and how to learn about how different 
Federal agencies buy business, It would be really helpful if at 
that same time small businesses could learn about cybersecurity 
regulations, understand what their responsibility is, because 
that gives you the information that you need to make a decision 
about whether or not you can actually do business with the 
federal market and how great the barriers are.
    It might be partnership with another business or teaming up 
with a larger business or holding off for a little bit of time 
until you can get the resources that you need to be able to 
satisfy all----
    Ms. CLARKE. And build the capacity?
    Ms. DINGLE. Correct.
    Ms. CLARKE. So you would say there is a threshold that 
business has to meet in order to even offer themselves with 
respect to these solicitations?
    Ms. DINGLE. Certainly. The more and more that we begin to 
focus on cybersecurity, it becomes a threshold; it is a barrier 
to entry.
    Ms. CLARKE. Very well. Thank you.
    Mr. Daly, what recommendations would you have for 
encouraging public-private partnerships to address the 
cybersecurity needs of small businesses, particularly those 
that contract with the Federal Government?
    Mr. DALY. Yeah. I think creating standards with government 
procurement, it is amazing how those standards flow down the 
line to secondary providers all the way down to small 
businesses. If we set up a strong set of guidelines--for 
instance, there was a CGS appropriations bill that required 
certain measures to protect critical systems, NASA was involved 
in that, too, and that flowed down their entire supply chain.
    Once you make those standards, the market responds to it. 
If we lift the water on our cybersecurity protections, I think 
all of those, including small business folks, rise with it.
    Ms. CLARKE. So you are saying that the standards aren't 
clear right now? Are they evolving? Because, cybersecurity 
itself, that is a space that is continually shifting. How do we 
standardize a hygiene or a practice to the extent where a small 
business could actually sort of get in on the first floor?
    Mr. DALY. As you said, it is an evolving issue of cyber, 
what the attacks and vectors are. But, as Ms. Dingle talked 
about, creating the standards that are out there that, the 
government response to in terms of its purchasing would be 
something that----
    Ms. CLARKE. Just quickly to everyone on the panel. Do you 
think it is possible for a small business to be able to 
actually meet those standards and still be considered small?
    Mr. ZEEFE. I do.
    Ms. DINGLE. I do as well.
    Ms. CLARKE. Okay.
    Mr. JAFFER. I think it is very hard. I think we have go to 
try and find a way to lift that burden.
    Ms. DINGLE. It is hard.
    Ms. CLARKE. Very well. Very well.
    I yield back. Thank you, Mr. Chairman.
    Chairman CHABOT. Thank you. The gentlelady yields back.
    The gentleman from New York, Mr. Hanna, who is the Chairman 
of the Subcommittee on Contracting and Workforce, is recognized 
for 5 minutes.
    Mr. HANNA. Thank you, Mr. Chairman.
    I am curious, what is the shelf life of security? We know 
it has some expense to get into it, but the theme here is that 
it is a cat-and-mouse, constant getting unsecure, getting 
secure, getting unsecure. What does that look like in the real 
world? What is the cost in the real world? What are the 
dynamics of that based on the size of your business? Along with 
that, what would be that kind of critical mass that everybody 
has to spend? Anybody that might feel comfortable.
    Mr. ZEEFE. I would say relative to other forms of risk that 
enterprise, whether small or large, have faced in the past, 
cyber is relatively new. There is not a lot of actuarial data, 
whether you are looking at it from a regulatory or----
    Mr. HANNA. But is it 6 months, a year, or a week?
    Mr. ZEEFE. I don't know that you can put a bracket around 
either side of it. It is continually evolving. It is, as you 
said, a cat-and-mouse game. A more apt analogy might be, as you 
build a higher castle wall, I build a trebuchet. As you build a 
thicker castle wall, I develop, you know, air superiority.
    Mr. HANNA. How do you manage that? Based on what you are 
saying, it is a moment by moment.
    Mr. ZEEFE. It is, but really, all things offensive and 
defensive by definition have been. It is a matter of staying 
ahead of the threat actors and making sure that you are not the 
most attractive----
    Mr. HANNA. But then the next logical question for me would 
be, is that doable, I mean, in the real world, with that kind 
of dynamic?
    Mr. Jaffer?
    Mr. JAFFER. Certainly for large companies, it is more 
doable than it is for small companies. The financial service 
sector is very innovative when it comes to defense, and they 
are constantly working together and evolving that. But that is 
why, we have to figure out how to get small businesses to work 
together. They are not going to be able to do this on their 
own.
    One thing that Ms. Dingle mentioned was this notion of 
small business cyber centers. That is a really interesting 
concept, where the government might invest alongside a group of 
small businesses to get them a common operational capability 
and buy from some of the big vendors. It is an interesting 
idea. I have never really thought about it, but it is an 
interesting concept.
    Mr. HANNA. Ms. Dingle, I heard what you said about women 
centers. I take it to heart and consider it.
    Ms. DINGLE. Thank you. I wanted to address your question 
about whether or not you can, if it is a moving target, how do 
you ever try to address it? We answered our question about the 
NIST framework. You have to set some form of baseline, 
otherwise, you never get there from here, because the 
technology is changing so frequently.
    I talked about the managerial and operational components of 
cybersecurity, and that really boils down to on any given day, 
if someone leaves your firm or you stop doing business with one 
of your partners, you have just introduced a new set of----
    Mr. HANNA. So what you are really saying is it is a 
continuum?
    Ms. DINGLE. It really is.
    Mr. HANNA. And on that continuum, you can be at any point, 
and the goal is to be as advanced as you can be at any moment. 
As everyone here has implied and said directly, those people 
that are on the lower end of that food chain, if you will, are 
the ones that people go after.
    Along those lines, Mr. Zeefe, I wonder if you could explain 
to me you said that someone would go into five companies and 
collect $10- or $15,000 apiece. How does that look? What does 
that look like in the real world? How would that be?
    Mr. ZEEFE. At present, that is through Ransomeware.
    Mr. HANNA. I hope nobody is taking notes.
    Mr. ZEEFE. At present, Ransomeware is the attack, I want to 
say du jour, but it has really been months and will continue to 
be so in the future. That is effectively--are you familiar with 
the concept?
    Mr. HANNA. Uh-huh.
    Mr. ZEEFE. So for those that aren't, Ransomeware is 
effectively unlocking the doors of your organization, making it 
impossible for you to conduct business, and in exchange, I am 
trying to extract a modest toll respective to what your company 
is worth. It is my hope, as the attacker, that----
    Mr. HANNA. Do people succumb to that kind of extortion?
    Mr. ZEEFE. All the time. I don't have the exact statistics 
in front of me, but I believe it is over half a billion 
dollars.
    Mr. HANNA. So I will give you back your system if you send 
me X amount?
    Mr. ZEEFE. It happens all the time. And, in fact, quite 
regularly we see companies paying it, because the amount of 
money that they lose just for being down for a day dramatically 
eclipses the amount that they would have to pay to unlock it, 
reaching out----
    Mr. HANNA. So nobody succumbs to the kill the captive 
thing? They always rescue the individual.
    Mr. ZEEFE. No. In fact, there's been a development recently 
where it is getting kind of ugly. You have competing 
organizations out there, generally criminal in nature, 
affiliated with traditional organized crime, 85 percent plus, 
who are using tools that are copies of a copy sometimes. Their 
intent may be to release you after you have paid the ransom, 
but the practical effect is that they weren't very good at what 
they were doing, and therefore, even though you have paid the 
ransom, they are unable to unlock you. It creates some 
uncertainty in the marketplace of cybercriminal tools, which, 
believe it or not, is actually a pretty professional----
    Mr. HANNA. That is a wake-up call for anybody who has to 
pay that. That person will respond, like Mr. Jaffer said, they 
go out and do what they needed to do to make sure it doesn't 
happen again.
    Thank you. My time has expired. Thanks, Mr. Chairman.
    Chairman CHABOT. Thank you. The gentleman's time has 
expired.
    The gentleman from New Jersey, Mr. Payne, is recognized for 
5 minutes.
    Mr. PAYNE. Thank you, Mr. Chairman and Ranking Member.
    Mr. Daly?
    The export control system has long been criticized by 
exporters as being too rigorous, cumbersome, and inefficient. 
On the other hand, some argue that the defense and foreign 
policy considerations should trump any commercial concerns. How 
do you balance these two competing forces of increasing 
American competitiveness and American security as it pertains 
to cybersecurity?
    Mr. DALY. It is definitely difficult. I know there is a 
serious issue going on right now in terms of encryption and 
what encryption technology can go abroad and its effect. Like 
anything, the devil is in the details and you have to be smart 
about it. You have to look at what is happening out there in 
the market internationally and say, are U.S. companies being 
disadvantaged, that their technologies are already being sold 
abroad? I know that BIS and the State Department are doing a 
lot to reform that system to make it not only commercially 
appropriate, but also ensuring that it protects national 
security.
    So it is keeping that focus and making sure we are not 
disadvantaging companies where commercial technology is already 
available, readily available outside, but making sure we guard 
the crown jewels of the U.S. national security in terms of 
encryption technologies, and that just means being smart.
    Mr. PAYNE. Okay. Thank you.
    And, Ms. Dingle, the implementation cost for IT security is 
of paramount concern. These costs cause smaller institutions to 
lose or even decide not to compete for bids against larger 
companies for federal and state government bids. In your 
estimation, what are the steps that can be taken to ensure that 
small businesses do not have to choose between security and 
their bottom line?
    Ms. DINGLE. Thank you for the opportunity to testify, and 
the answer to the question, I go back to my earlier comments 
about the small business' ability to combine forces to get 
either economies of scales or access to the resources that some 
of our larger competitors have. It can be as simple as having 
to buy a piece of technology that is $200 for you to purchase 
and use to access a federal system, or it could be as expensive 
as a half a million dollars to secure systems based on the NIST 
framework that I was talking about.
    Anything that we can do to provide a set of resources that 
could be shared amongst small businesses or could be leveraged 
by small businesses to lower their costs and to decrease the 
timeline associated with implementation would be--would be very 
helpful.
    Mr. PAYNE. Thank you.
    In the interest of time, I'll yield back.
    Chairman CHABOT. The gentleman yields back. Thank you very 
much. The chair is very appreciative of that, since we have 
votes called on the floor, and we have one more of our 
colleagues.
    The gentleman from New York is recognized for 5 minutes.
    Mr. PITTENGER. Well, thanks, Mr. Chairman. I appreciate the 
panelists.
    A couple of different questions here. The first one is for 
anyone that wants to jump in, are there any telltale signs that 
the hack, is foreign versus domestic and what are the legal 
ramifications? Are they the same or might they be different? I 
heard earlier, we certainly got the recommendation, FBI is the 
initial entry point for the small business, but is that for 
both domestic and foreign? So let me just start with that one.
    Mr. ZEEFE. I would like to address the nonlegal part of 
that question, the attribution question which you have raised. 
It is a good one and it plays into a lot of questions, 
predominantly the hacking back question which some people ask, 
can we go after them if we know who it was? Can we 
affirmatively ascertain who was responsible for the attack? The 
answer is, it depends. It depends on whether they intended for 
you to know who they were, whether they were very competent at 
what they were doing, and whether there is a reason for them to 
hide who they are.
    The ability of a sophisticated attacker to effectively mask 
their identity or replace it with someone else's identity, it 
is difficult, if not impossible, to determine whether that is 
the case. So if you have been attacked and all of the signs are 
that it was somebody from Russia, that doesn't really mean 
anything. You have to get in there deeper, and it is less a 
forensic question and more of a human question. Is the pattern 
of coding that they used similar to what would be used by 
Russia? Or is it more likely Chinese or Romanian or somewhere 
else in Eastern Europe? The ability to understand who was 
attacking you is very, very complicated issue.
    Mr. JAFFER. The answer to your question is, the FBI does 
operate internationally, so they can be a starting point. But 
they need to work better with the intelligence community, with 
NSA and the like, to figure out who is connected to these 
attacks. In particular, we have never really, as the 
government, made a good case for why the NSA can help the 
private sector. Part of what that is, we are inside of foreign 
government systems all the time looking over what they are 
doing and trying to take their information. One thing that 
could be useful for American companies is to provide some of 
that information back to the private sector in usable form to 
protect themselves. We don't do a very good job doing that. 
Information sharing is a good beginning point, but we need to 
do more there.
    Mr. PITTENGER. The last question is really one I am 
inquisitive about, not necessarily in your inbox, but given 
your expertise, you may very well know. What are the 
requirements now for small business if they win a Federal 
contract? What requirements do they have in terms of briefings, 
compliance, accreditations as it relates to cyber, and 
particularly dealing with potential foreign attacks?
    Mr. JAFFER. I think I will defer to Ms. Dingle on that. 
But, there are a lot, and they are hard.
    Ms. DINGLE. Thank you. The regulations that are outlined in 
my testimony, they are new regulations that have come about in 
the last 12 to 24 months that have to do with protecting 
unclassified information, as well as if you hold a Department 
of Defense contract, those things are defined in the NIST 
framework and in the NISPOM. Essentially, you have to report 
any instances associated with that to the FBI as part of the 
burden that the small businesses are encountering, because they 
have to put a number of tools, techniques, and processes in 
place to enable them to be able to do so.
    Mr. PITTENGER. I thank you, ma'am.
    I apologize for being late. I was on the floor with our 
mental health bill. I don't seem to have your testimony. Maybe 
I can get that from staff in a little bit. I do have Mr. 
Jaffer's testimony. Perhaps they are just all out, you know, 
given the fact that I came late, but I do appreciate that 
input.
    I can imagine for a small business, it is very daunting. So 
many things, so many balls to keep in the air and juggle, and 
then the prospect, the possibility of being hacked and then, 
first of all, what that means for them, and then also what that 
means for them in terms of their requirements. I appreciate you 
putting attention to that, and I look forward to reading that.
    Mr. Chairman, thank you for this hearing, and I appreciate 
it. I will yield back.
    Chairman CHABOT. Thank you very much. The gentleman yields 
back.
    We want to thank the very distinguished panel this 
afternoon. Your testimony was excellent. Your answers, 
responses to questions are very, very good. I think it has been 
very informative for members on both sides here.
    Ms. Dingle, what you said about 60 percent of the small 
businesses after being attacked go out of business within 6 
months is particularly disturbing for those of us on this 
Committee who are doing everything we can to make America a 
great place for a small business to be successful. So thank 
you, all of you, for providing that information.
    I would ask unanimous consent that members have 5 
legislative days to submit statements and supporting materials 
for the record.
    Without objection, so ordered.
    And if there is no further business to come before the 
Committee, we are adjourned. Thank you very much.
    [Whereupon, at 3:32 p.m., the committee was adjourned.]
                            A P P E N D I X

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

  Testimony of Justin Zeefe, Small Business Committee, 6 July 
                              2016

    Foreign Cyber Threats: Small Business, Big Target

    Introduction

    Good afternoon and thank you Chairman Chabot and Ranking 
committee member Velazquez and all Small Business Committee 
members for the opportunity to testify on foreign cyber threats 
to American small business.

    It is an honor to address members of this distinguished 
body, both as a small business owner and also as a citizen who 
notes that small businesses not only employ approximately 50% 
of the private sector workforce, but they also produce 
approximately 50% of the non-farming GDP in the United States. 
They are therefore a vital part economy and their well-begin 
and the need to ensure their ability to operate in a transport 
and secure environment is paramount.

    My name is Justin Zeefe, and I am co-founder and Chief 
Strategy Officer of Nisos Group, a cybersecurity firm of former 
elite cyber operators and Special Forces officers from within 
the U.S. government. I, and each of my associates, have more 
than a decade of assessing and mitigating cyber risk to any 
system which, if compromised, could damage U.S. national 
security interests. These systems range from critical 
infrastructure to financial institutions and everything in 
between. We each observed, over recent years, a significant 
shift by foreign cyber threats increasingly toward private 
sector concerns. This evolution, magnified by our observation 
that the commercial sector is unprepared for the inbound 
threat, prompted us to bring our capabilities to industry.

    It is an honor to speak to you today regarding the most 
significant present and near-term threat to the national small 
business economy--foreign cyber threats in the form of 
cybercrime. There are no shortages of statistics to this end--
it is the fastest growing economic crime according to PWC, and 
is projected to cost the global economy $445 billion by the end 
of 2016, according to the World Economic Forum. In fact, 
according to McAfee, the well-renown security company, if 
cybercrime was a country, its GDP would rank 27th in the 
world--above Austria, Norway, and Egypt.

    How would we collectively react if we knew that the 27th 
largest economy was absolutely dedicated to attacking our 
value? What if they were overwhelmingly directing their actions 
against small businesses? In fact, both of these statements are 
accurate. Symantec found in June 2015 that 75% of cyberattacks 
were directed at organizations with fewer than 2,500 
employees--a dramatic increase from years prior. Not a week 
goes by that we don't read of a major data breach in the paper, 
with mention of what the attackers stole, and often how they 
managed to gain access.

    Most voices and solutions in the field of cybersecurity 
address the `what' and `how' of the threat; yet without an 
intimate understanding of the threat actors--their motivations, 
vulnerabilities, capabilities and adaptability--the discussion 
is incomplete. Never in the history of mankind has there been 
an industry--illicit or otherwise--which could be addressed 
strategically without factoring in the players in the game. 
Cybercrime, and the threat it represents against small 
businesses and large alike, is no outlier.

    This very thing--the `why'--is a vital part of the equation 
which requires understanding the humans behind the threat and 
just as importantly, the vulnerabilities which these threat 
actors seek to exploit. By understanding the driving forces and 
motivations behind the threat actors, as well as the evolution 
of their tools, it is possible to narrow the gap between threat 
actor capability and the cybersecurity solutions in the 
marketplace.

    Once we understand attacker motivations, it becomes easier 
to model future behavior from state-sanctioned or state-
sponsored activity, and criminal enterprise--the source of 
almost all cyber incidents. Armed with these insights, only 
then should we deliberate legislative incentives, penalties, 
and the appropriate distribution of risk to aid--not hamper--
small businesses.

    The `why'

    So, why? Why do foreign cyber threats target small 
businesses? One word and one analogy are sufficient to 
encapsulate this trend. The word is `profit' and the analogy is 
that like water or electricity, malicious hackers follow the 
path of least resistance. As larger organizations 
professionalized their defensive and reactive postures to cyber 
incidents, and as stolen data became less profitable due to a 
stricter regulatory and law enforcement environment, threat 
actors--in search of profit--turned their focus to targets 
which had neither the capacity nor the budget to address cyber 
threat. A positive feedback loop ensued, in which threat actors 
only became more dangerous as they adapted to the increasingly 
sophisticated target set.

    The first and most significant evolution was the 
professionalization of the threat actor. What were only a few 
years ago best described as small bands of hackers who 
occasionally work together have, by virtue of their success,, 
drawn the attention of traditional organized criminal elements. 
These groups, with many years of experience in the conduct of 
criminal enterprise, accurately assessed that cybercrime 
represented an opportunity for increased profit and decreased 
risk. Rather than trafficking in weapons, drugs or other 
contraband--activities dependent on physical items which thus 
present a significant risk of detection or interdiction--these 
groups of experienced criminals increasingly invest in 
individuals or groups whose cybercrime activities are both 
wildly successful and stealthy when it comes to attribution.

    The second most significant evolution, inextricably linked 
to the first, has been the dramatically improved defensive 
posture of larger organizations. These whales were the first to 
be targeted and given their deep pockets, they were also the 
first to fund an improved posture informed by a corporate 
hierarchy which lends itself to coordinated risk mitigation as 
well as a keen awareness that the regulatory and judicial 
systems track their behavior. This evolutionary development is 
in part driven organically within an organization as well as 
the result of free market products and services which address 
the technical problem.

    A third and critical component, which is less of an 
evolution than it is a failure to evolve, deserves 
consideration here. Small businesses underestimate the degree 
to which they are vulnerable and they often believe--in the 
face of plain evidence--that they aren't a legitimate target of 
cybercriminals. A 2015 survey by the National Small Business 
Association found that half the respondents had been knowingly 
targeted, and that the average cost to remediate was more than 
$20,000. Nevertheless, a report by Travelers Insurance found 
that only 23% of small businesses ``worried a great deal'' 
about cyber risk. In addition to willfully ignoring the first-
degree risks, there are often larger secondary risks presented 
by a vulnerable small business. They are often service 
providers or vendors to larger businesses and often are, to 
reuse the analogy, the path of least resistance by which 
malicious actors can gain unauthorized access to larger 
organizations.

    These two evolutions, along with small business' failure to 
adapt, readily explains the explosive growth of successful 
ransomware attacks. If you will permit another analogy, imagine 
thieves targeting the Louvre museum. Now imagine that a year 
ago, they could have easily gotten in and stolen the Mona Lisa, 
which they could have then sold on the black market for 
millions of dollars. Now consider, much like big business in 
the United States, that the Louvre has upgraded its security. 
At the same time, law enforcement has gotten much better at 
policing the black market. As a consequence, the costs 
associated with both stealing and reselling the painting exceed 
the potential benefit. To this, the thieves realize they can 
simply padlock the entire museum shut, wire all of the art with 
explosives, and demand payment to disarm the explosives and 
unlock the doors. Now imagine the costs of conducting this sort 
of attack were low and could be conducted against thousands of 
museums in an hour, and that the fee charged to remove the 
padlock was tens of thousands of dollars--a significant sum but 
acceptable when compared with the reputational cost of losing 
revenue or reputation by going public with the incident or by 
refusing to comply. A dramatic example perhaps, but considering 
the havoc that ransomware is, at this very moment, causing 
predominantly to small business, it is not an ill-fitting 
example.

    Conclusion

    While understanding the motivations which drive the threat 
actors is not on its own sufficient to build an effective 
framework for deterring or interdicting cyberattacks targeting 
small business, it is a vital component of the problem which 
cannot be ignored and which needs to be prioritized alongside 
other more established business risks. When taken in 
consideration with other factors--such as the advancement of 
technical solutions (both offensive and defensive)--the 
knowledge of the enemy and their tactics, techniques and plans 
may permit a logical and cohesive approach to the ever-evolving 
problem.
                   House Committee on Small Business


         ``Foreign Cyber Threats: Small Business, Big Target''


                         Testimony of Nova Daly


         Senior Policy Advisor, Wiley Rein LLP, Washington, DC


                              July 6, 2016


    Chairman Chabot, Ranking Member Velazquez, and members of 
the Committee, thank you for the opportunity to appear before 
you today.\1\
---------------------------------------------------------------------------
    \1\ The views and opinions expressed in this statement are mine and 
do not necessarily reflect the views or opinions of Wiley Rein LLP or 
any of its clients.

    In this age of the Internet, we have never had so much 
opportunity and with it so much risk. Today, I offer my 
perspective on cyber security, broadly, and distinctly as it 
pertains to small businesses. This perspective is drawn from my 
experience as a former official with the U.S. Department of 
Treasury administering the Committee on Foreign Investment in 
the United States (``CFIUS''), work at the National Security 
Council, and my ongoing efforts in the private sector with my 
colleagues at Wiley Rein to address these issues as they impact 
---------------------------------------------------------------------------
U.S. companies.

    As this Committee knows, cyber security issues are clearly 
significant and growing economic risks for small business and 
Americans broadly. These issues have become increasingly 
relevant as we now allow and depend upon Internet access and 
connectivity in nearly every aspect of our work and lives, from 
the communication and processing devices we use at home and 
work, to the vehicles we drive, the infrastructure on which we 
depend, and even the appliances in our homes.

    It has been forecast that, on average, 5.5 million new 
devices are connected to the Internet each day and, by 2020, 
over 20 billion devices will be connected to the Internet.\2\ 
For small businesses, they very connectivity that allows 
greater freedom and versatility in conducting day-to-day 
business--linking phones, computers, routers, copiers, and even 
alarm and ventilation systems--also brings with it significant 
and sometimes paralyzing risk, risk that is often difficult to 
address both financially and in terms of human resources.
---------------------------------------------------------------------------
    \2\ See http://www.gartner.com/newsroom/id/3165317

    As small businesses increase their connectivity to the 
Internet, they face significant challenges and additional 
costs, not just in infrastructure and the `nuts and bolts' of 
establishing businesses' connectivity, but also security-
related costs. Both domestic and foreign criminals, as well as 
foreign governments, have been known to exploit and are 
actively targeting internet-based vulnerabilities in order to 
gain access to financial information, customer data, and 
intellectual property. Indeed, three years ago, a study issued 
by the Center for Strategic and International Studies estimated 
that the annual cost of cybercrime in the United States was 
approximately $100 billion. According to more recent reports, 
cybercrime costs quadrupled since then, and we are on target 
---------------------------------------------------------------------------
for still another quadrupling of these costs from 2015 to 2019.

    While large U.S. businesses typically have the means to 
fund and invest in strong and resi8lient cyber security 
measures to protect their interests, small businesses generally 
do not have this luxury. They often lack the capabilities and/
or the resources to pursue strong, entity-wide cyber security 
protections. Further, small businesses often may not be privy 
to the kinds of broad, industry-wide threat notifications to 
which larger companies may be. Often, larger companies have the 
resources to continually monitor and review threats that may 
arise from certain technology and supply chains, and at times 
are contacted by the U.S. government when breaches occur. A 
notable example was the 2014 Department of Justice 
investigation and prosecution of several Chinese military 
officials, who were responsible for breaches of numerous U.S. 
companies' security perimeters. There, at least some of the 
affected companies were contacted and alerted as the breaches 
were occurring. However, given the breadth of existing cyber 
threats and the continuing growth of cybercrime, our government 
simply does not have the resources to address all of the cyber 
security-related issues faced by business, critical 
infrastructure, and governmental systems, much less those faced 
by small businesses.

    In 2012, the House Permanent Select Committee on 
Intelligence issued a report on its finding regarding 
counterintelligence and security threats posed by certain 
telecommunications companies doing business in the United 
States. Despite the report's negative findings, the companies 
investigated continue to grow as dominant players in the global 
telecommunications market. While it has been effectively 
restricted from selling network equipment to tier-one U.S. 
wireless carriers, Huawei is growing its sales to smaller 
wireless carriers in the United States, supplying network 
infrastructure equipment to cities in the states of Washington 
and Oregon, and is targeted to continue growth in cell phone 
sales in the U.S. market. Last year, ZTE another of the 
investigated companies, was the fourth-largest smartphone 
vendor in the United States, with a 7.2% market share. In the 
fourth quarter of last year, the single largest market for ZTE 
smartphones was the United States. These companies also sell 
tablets, routers, hotspots, data storage, and cloud computing 
infrastructure and services, all of which are used by small 
businesses.

    Although larger U.S. companies can engage other vendors to 
provide certain cyber security monitoring and reinforcement of 
their security perimeters, small businesses often do not have 
the funds or capacity to do so. Notably, this year, ZTE was 
sanctioned, and according to reports, Huawei has been 
subpoenaed by the U.S. Department of Commerce for potential 
violations of U.S. export laws in sending controlled items to 
countries that have been designated as supporters of 
international terrorism, or are otherwise subject to U.S. trade 
sanctions and economic embargoes, such as Cuba, Iran, North 
Korea, Sudan, and Syria.

    While doing business with such companies can present 
heightened risk, it should not be overlooked that there is 
significant and growing vulnerability within the entire U.S. 
technology supply chain. Increasingly, our telecommunications 
equipment and systems are produced or assembled abroad, and we 
are seeing nations taking strong measures to grow their own 
semiconductor and other technology industries. Further, the 
United States is finding itself with a talent shortage in 
cybersecurity know-how. Thus, there are also broader structural 
problems that should be closely addressed. Cyber security or 
insecurity, as compounded for small business, does have a 
correlation to the capability of our cyber work force and 
security of our entire technology supply chains.

    So how do we ensure that small businesses are not left to 
fend for themselves in an increasingly hostile cyber world? For 
the consideration of this Committee I respectfully submit the 
following recommendations.

    A focus on current laws. A continued focus on the 
enforcement of our export control, cyber and other national 
security laws, such as CFIUS, is appropriate. Understandably, 
when implementing restrictions that prohibit exports, 
reexports, and transfers (in-country) of items subject to the 
punitive action, an administration must take into consideration 
the broader effects that such actions will cause. However, 
ensuring that our laws are enforced against those who violate 
them sends important signals to the market. Such signals can 
make their way to small businesses, allowing them to be better 
served through purchases of products by vendors who follow the 
laws.

    Promoting cyber standards. This Committee should continue 
to consider actions that build and promote industry-led cyber 
security standards in the framework of ISO standards, or 
otherwise, of best practice. Such standards could be applied to 
government procurement, ensuring that government agencies 
access equipment from vendors that achieve acceptable standards 
of cyber security protection. Doing so could ensure that such 
equipment permeates to the private sector broadly and 
especially to small business. Agencies such as the Small 
Business Administration could help to educate small businesses 
on these standards so that they are aware of where best to turn 
for equipment and services that reduce their cyber risk.

    Engaging small businesses. Increasing outreach and 
education to small businesses and finding appropriate funding 
so that they are aware of the risks to their systems and have 
the means to address that risk could be pursued. As part of 
those efforts, it would be useful to strengthen information-
sharing initiatives between entities in order to provide small 
businesses with a more immediate understanding of emerging 
threats and patterns, and arm these businesses with the lessons 
learned from others. We could also consider ways to build 
incentives for purchasing safer equipment. Such market-based 
cyber incentives, whether in purchasing, insurance, or 
otherwise would help justify investments in cyber security. 
Profit-minded organizations must see clear benefits to their 
actions, as every dollar or hour spent on cyber security is not 
spent on the organization's core goals. These actions 
accompanied with industry norms and standards could highlight 
cyber security investments as requisite. Passage of H.R. 5064, 
The Improving Small Business Cyber Security Act of 2016, would 
be important to these ends.

    Addressing supply chain security issues and closing the 
cyber deficit. As noted earlier, given the global nature of 
technology production and cyber threats, we must find ways to 
address the threats that emanate from these supply chains. 
While important work is being done in the government and 
private sector to find and achieve the right answers, this 
should continue to be a focus of U.S. policy. Toward that end, 
and as has been widely reported, we have a troubling cyber 
deficit in terms of talent and training here in the United 
States. We need to build the next generation of cyber 
technicians and engineers. If we do not build this capacity, it 
will be sourced from abroad, and doing so could put us behind 
the technology and innovation curve. One element that makes 
America strong is our ability to innovate, and that comes with 
building the next technologies. We need to reclaim that field.

    Thank you very much again for the opportunity to testify 
before this Committee today on this important topic. I look 
forward to answering any questions that you may have.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]