[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


 
                CYBERSECURITY: THE EVOLVING NATURE OF 
                CYBER THREATS FACING THE PRIVATE SECTOR

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 18, 2015

                               __________

                           Serial No. 114-11

                               __________

Printed for the use of the Committee on Oversight and Government Reform




         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                               ______________
                               
                       U.S. GOVERNMENT PUBLISHING OFFICE
94-349 PDF                 WASHINGTON : 2015                       
                     
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                    Sean McLaughlin, Staff Director
                 David Rapallo, Minority Staff Director

                 Subcommittee on Information Technology

                       WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking 
MARK WALKER, North Carolina              Member
ROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia
PAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois
                                     TED LIEU, California

                       Troy Stock, Staff Director
                          Mike Flynn, Counsel
                            Sarah Vance, Clerk

                             C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on March 18, 2015...................................     1

                               WITNESSES

Mr. Richard Bejtlich, Chief Security Strategist, FireEye, Inc.
    Oral Statement...............................................     4
    Written Statement............................................     6
Mr. David French, Senior Vice President, Government Relations, 
  National Retail Federation
    Oral Statement...............................................    17
    Written Statement............................................    19
Mr. Daniel Nutkis, CEO and Founder, Health Information Trust 
  Alliance
    Oral Statement...............................................    54
    Written Statement............................................    56
Mr. Doug Johnson, Senior Vice President and Chief Advisor, 
  Payments and Cybersecurity Policy, American Bankers Association
    Oral Statement...............................................    61
    Written Statement............................................    63
Mr. Edmund Mierzwinski, Consumer Program Director and Senior 
  Fellow
    Oral Statement...............................................    72
    Written Statement............................................    74


CYBERSECURITY: THE EVOLVING NATURE OF CYBER THREATS FACING THE PRIVATE 
                                 SECTOR

                              ----------                              


                       Wednesday, March 18, 2015,

                  House of Representatives,
            Subcommittee on Information Technology,
              Committee on Oversight and Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 1:01 p.m. in 
room 2154, Rayburn House Office Building, the Honorable Will 
Hurd (chairman of the subcommittee), presiding.
    Present: Representatives Hurd, Carter, Kelly, Duckworth and 
Cummings.
    Mr. Hurd. The Subcommittee on Information Technology will 
come to order.
    Without objection, the Chair is authorized to declare a 
recess at any time.
    Good afternoon and welcome, everyone. I appreciate you all 
being here.
    It is great to finally be here. This hearing has been 
rescheduled a number of times. Hopefully, this is the first of 
many hearings for this Subcommittee on Information Technology 
within Oversight and Government Reform.
    As we all know, the Oversight Committee exists because of 
two fundamental principles. First, Americans have a right to 
know that the money Washington takes from them is well spent. 
Second, Americans deserve an efficient and effective government 
that works for them.
    I thank all the members for being here this afternoon. I 
would especially like to thank the Ranking Member, Ms. Kelly, 
for her efforts on behalf of the committee thus far. It has 
been great working with you already and I am looking forward to 
the next year and a half.
    As the Chairman of the IT Subcommittee, we are looking to 
do four things over this Congress. One of those issues we will 
look at is IT procurement and acquisition.
    When I was running for Congress, I never thought I would be 
talking about IT procurement as much as I do but it is an 
important area where we can reduce the size and scope of the 
Federal Government.
    The second area we will look at is emerging technologies. 
Our technology landscape is shifting, and emerging technologies 
such as drones and 3-D printing are all things that the 
government has not dealt with before.
    We have to make sure that we are not stifling any growth in 
these areas, but are protecting consumers as well.
    The third area we will look at is privacy. I know we will 
have a conversation today about this issue. When information is 
becoming increasingly accessible to folks and the masses, we 
need to make sure that we are protecting our information. We 
can protect our digital infrastructure and our civil liberties 
at the same time.
    I am looking forward to delving into this topic over these 
next few months.
    The fourth area we will talk about today is cybersecurity 
and information sharing. I think the Federal Government should 
be doing everything it can to share information with the 
private sector so that the private sector can protect itself.
    I spent 9 years as an undercover officer in the CIA. My 
background is in computer science. I may be able to bang out 
some Fortran 77 code right now but it has been great having 
that experience and background and using it to help us as we 
chart our course forward.
    I also helped build a cybersecurity company. One of the 
things we always tell our clients is that in this day and age, 
you have to begin with the presumption of breach. If you give 
me enough time and money, I am going to get in. What do you do 
to detect someone on your network? How can you contain them and 
then kick them out?
    I think the conversation today is pretty timely with the 
recent attacks on Sony, Anthem, J.P. Morgan Chase and other big 
names. Just yesterday, we found out about 11 million customers 
who may have had their health records compromised in an attack 
on Blue Cross that occurred last May.
    With each passing day and week, there is a new hack, a new 
breach or a theft being committed over the Internet. Because of 
this, we must encourage the sharing of cyber threat information 
to help deal with those breaches when they occur.
    Having been on both the private side and the public side of 
this issue, I know that both sides are not communicating as 
well as they could be. I hope this committee can shed light on 
the growing problem and work with the authorizing committees 
and the appropriators on bringing forth beneficial cyber 
legislation.
    The goal of today's hearing is to paint a picture of common 
threats, understand how the Federal Government can better 
engage with the private sector and get some suggestions and 
prescriptive measures that the Federal Government should take.
    I want to thank everyone again for being here and 
participating today in this important hearing.
    Mr. Hurd. With that, I would like to now recognize my 
friend, the ranking member of the subcommittee, Ms. Kelly of 
Illinois, for 5 minutes for an opening Statement.
    Ms. Kelly. Thank you, Mr. Chairman. I too look forward to 
working with you over the next year and a half.
    Thank you, Mr. Chairman, for holding this hearing on 
cybersecurity threats faced by the private sector. As you just 
said, the announcement of the attack against Blue Cross reminds 
us that no company is immune from cyber attacks and data 
breaches.
    Sophisticated companies such as Sony, Home Depot, Target, 
Anthem and USIS were all targeted and breached by cyber 
attackers. The most recent attack against Anthem, one of the 
Nation's leading health insurers, resulted in an attack on up 
to 80 million personal records of customers and employees.
    That attack is particularly disturbing because, as I 
pointed out in an article I wrote in Roll Call last month, 
medical identity theft represents a new norm in cyber crime. 
The real victims of cyber crime are the employees and customers 
whose sensitive personal information is stolen and used by 
cyber thieves in other crimes.
    Cyber theft of social security numbers, birth dates and 
sensitive medical information puts individuals at heightened 
risk of crimes such as financial fraud and tax refund fraud.
    Corporations collect and utilize a lot of personal 
information about their customers and employees. It is 
imperative that those businesses employ more effective means to 
safeguard it.
    I look forward to hearing from today's witnesses about best 
practices they are recommending to help their members protect 
against cyber attacks and mitigate any damage from data 
breaches.
    Today's hearing is also a recognition of the fact that the 
Federal Government and private sector must work more 
effectively together to thwart cyber crime.
    I also look forward to hearing from today's witnesses about 
what government can do to help protect businesses and consumers 
from future cyber attacks and data breaches.
    It is worth noting that the President recently issued a 
series of new initiatives to improve cyber security information 
sharing between the government and private sector to better 
assist in thwarting cyber attacks. I applaud him for that but 
Congress needs to do more.
    Thank you again, Mr. Chairman. I yield the balance of my 
time.
    Mr. Hurd. The gentlewoman yields the balance of her time.
    I will hold the record open for five legislative days for 
any members who would like to submit written Statements.
    Now we get to recognize our panel of witnesses. This is a 
great panel. This is actually one of those issues where I think 
the House, the Senate and the White House can work together. We 
are looking forward to that opportunity.
    I am pleased to welcome our witnesses: Mr. Richard 
Bejtlich, Chief Security Strategist at FireEye; Mr. David 
French, Senior Vice President, Government Relations, National 
Retail Federation; Mr. Daniel Nutkis, CEO and founder of the 
Health Information Trust Alliance; Mr. Doug Johnson, Senior 
Vice President and Chief Advisor, Payments and Cybersecurity 
Policy, of the American Bankers Association; and Mr. Edmund 
Mierzwinski, Consumer Program Director and Senior Fellow, U.S. 
Public Interest Research Group. I want to welcome everyone here 
today.
    Pursuant to committee rules, all witnesses will be sworn 
before they testify. Please rise and raise your right hand.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    [Witnesses respond in the affirmative.]
    Mr. Hurd. In order to allow time for discussion, please 
limit your testimony to 5 minutes. Your entire written 
Statement will be made a part of the record.
    With that, Mr. Bejtlich, we will start off with you.

                       WITNESS STATEMENTS

                  STATEMENT OF RICHARD BEJTLICH

    Mr. Bejtlich. Chairman Hurd, Ranking Member Kelly, members 
of the committee, thank you for the opportunity to testify.
    I am Richard Bejtlich, Chief Security Strategist at 
FireEye. Today I will discuss digital threats, how to think 
about risk and some strategies to address these challenges.
    Who is the threat? In our work, we have discovered and 
countered nation-state actors from China, Russia, Iran, North 
Korea, Syria, and other countries.
    The Chinese and Russians tend to hack for commercial and 
geopolitical gain. The Iranians and North Koreans extend these 
activities to include disruption via denial of service and 
sabotage using destructive malware.
    Activity from Syria relates to the regional civil war and 
sometimes affects Western news outlets and other victims. 
Eastern Europe continues to be a source of criminal operations, 
and we worry that the conflict between Ukraine and Russia will 
extend into the digital realm.
    Threat attribution, or identifying responsibility for a 
breach, depends on the political stakes surrounding an 
incident.
    For high-profile intrusions, such as those in the news over 
the last few months, attribution has been a priority. National 
technical means, law enforcement, and counter-intelligence can 
pierce anonymity. Some elements of the private sector have the 
right experience and evidence to assist with this process.
    I would like to emphasize that attribution is possible, but 
it is a function of what is at stake.
    Who is being breached? In March 2014, the Washington Post 
reported that in 2013, Federal agents, often the FBI, notified 
more than 3,000 U.S. companies that their computer systems had 
been hacked. This count represents clearly identified breach 
victims. Many were likely compromised more than once.
    In the 18 or so years I have been doing this work, this to 
me is the single best statistic we have because these were not 
attacks, these were not near misses, these were actual, serious 
breaches that merited notification by law enforcement.
    How do victims learn of a breach? Unfortunately, in 70 
percent of cases, someone else, likely the FBI, tells a victim 
about a serious compromise. Only 30 percent of the time do 
victims identify intrusions on their own.
    The median amount of time from an intruder's initial 
compromise to the time when a victim learns of a breach, 
according to our research, is currently 205 days. This number 
is better than last year's research, where the number was 229 
days. Unfortunately, it means that, for nearly 7 months after 
gaining initial entry, intruders are free to roam within victim 
networks.
    What are you supposed to do about this? I like to first 
think of defining the risk. In this hearing, we are thinking 
about the risk of intrusion to private companies in the United 
States, but there are many other risks we could talk about. 
That is the focus of this hearing.
    Step two is to try to figure out some ways to measure 
progress. When I work with companies, I try to encourage them 
to think in terms of a couple of metrics.
    The first one is how many intrusions are occurring because 
there are many intrusions occurring in companies but not all of 
them rise to the level of somebody stealing your data or 
somebody destroying your data.
    Second, they need to track the amount of time that elapses 
from when the intrusion first occurs and when they do something 
about it. We want to drive down both of those numbers.
    Some things happen outside companies which impact the 
threat and the cost to the intrusion. Law enforcement and 
counter intelligence are the primary means by which you can 
mitigate the threat.
    I did an editorial for Brookings recently called Target 
Malware Kingpins where I asked what makes more sense, expecting 
2 billion Internet users to adequately secure their personal 
information or reducing the threat posed by the approximately 
100 malware kingpins in the world?
    Reducing the cost side of the equation takes a little more 
creativity. One step--I noticed it in the testimony of some of 
my fellow panelists--is tokenization of payment card data such 
that you are not dealing in credit cards when you are trying to 
authorize transactions.
    A second step would be to drastically reduce or preferably 
eliminate the value of a Social Security number. With a Social 
Security number, as noted in the testimony in more detail by my 
colleagues, you can get credit reports and just an opening to 
much more damage.
    In brief, at least from the perspective of a private 
company, we can win when we stop intruders from achieving their 
objectives. It is ideal to prevent an adversary from getting 
into your network but that goal is increasingly difficult.
    Instead, we need to focus on quickly detecting the 
intrusion, containing the adversary and stopping him before he 
destroys, steals or whatever his mission is, as Chairman Hurd 
mentioned.
    Finally, we must appreciate that the time to find and 
remove intruders is now. If you were to hire me to be your CSO, 
the first step I would take would be to hunt for intruders 
already in your network.
    I look forward to your questions.
    [Prepared Statement of Mr. Bejtlich follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Hurd. Thank you, Mr. Bejtlich.
    The Chair now recognizes Mr. French.

                    STATEMENT OF DAVID FRENCH

    Mr. French. Thank you for the opportunity to provide you 
with our views on cyber security threats facing the private 
sector as well as achievable solutions to better protect 
sensitive information.
    Retailers are just one of the targets in an evolving and 
escalating war on our digital economy. Merchants collectively 
spend billions of dollars safeguarding sensitive customer 
information.
    At the outset, let me state that data intrusion is a crime 
of a particularly international character. In virtually every 
reported incident, it seems as if the criminals are operating 
from abroad, beyond the reach of U.S. law enforcement.
    In all of the congressional scrutiny over data security, 
there has been a conspicuous lack of attention paid to 
strengthening our national ability to interdict and prosecute 
these criminals. We do not have specific recommendations in 
this area but it is an observation that this committee is 
uniquely well situated to conduct such an inquiry.
    Beyond better law enforcement tools, my remarks center on 
three themes: better payment card security, effective breach 
notification, and sharing of cyber threat information.
    In our view, security alone is not the answer. The issue 
must be considered much more holistically. We must work 
together to prevent cyber attacks and help reduce fraud or 
other economic harm that may result when breaches occur.
    Ultimately, we must make data less valuable. If breaches 
become less profitable to criminals, then criminals will 
dedicate fewer resources to committing them and our common data 
security goals will become much more achievable.
    Cyber attacks are a fact of life in the United States. 
Virtually every network is at risk. In its 2014 data breach 
investigation report, Verizon determined that there were more 
than 63,000 data security incidents reported by industry, 
educational institutions and government entities in 2013. Of 
those, more than 1,300 had confirmed data losses. The financial 
industry suffered 34 percent of these and the retail industry 
had less than 11 percent.
    I do not cite these figures to criticize our colleagues in 
the banking industry but merely to illustrate the fact that the 
incidence of data breaches is proportionate to the relative 
value of the information that can be stolen.
    It should not be surprising that three times more data 
breaches occur at financial institutions than at retailers. 
Criminals seek high value information and data thieves know 
that banks are most sensitive to financial and personal 
information, including not just card numbers but bank account 
numbers, Social Security numbers and other identified data that 
can be used to steal identities beyond completing some 
fraudulent transaction.
    When it comes to payment card data, there is one single 
fact that banks and the card networks must acknowledge. All of 
the decisions about card design and security are theirs alone. 
Retailers did not forgo chip technology in the U.S. for almost 
two decades and we did not conceive of the complex, costly and 
largely ineffective payment card industry data security 
standards. We have to live with the downstream costs of these 
decisions every day.
    Without fraud-prone payment card information in retailer 
systems, criminals would not find the rest of the information 
retailers typically hold, benign data such as phone book 
information, shoe size or color preferences, all that 
interesting or, more importantly, lucrative on the black market.
    That is why payment card security is essential and the 
adoption of a microchip in payment cards is a long overdue step 
in the right direction.
    For retailers, however, the debate over card security comes 
down to a basic question about why the card networks and banks 
continue to rely on signature-based authentication methods 
rather than the proven security of a four digit personal 
identification number, or PIN.
    Around the globe, most industrialized nations have adopted 
PIN-based solutions. We know that PINs provide an extra layer 
of security against downstream fraud, even if the card numbers 
are stolen in a breach.
    In PIN-based transactions, for example, the stored 16 
digits from the card would alone be insufficient to conduct a 
fraudulent transaction in a store without the four digit PIN, 
which is known to the consumer and not present on the card 
itself. In short, the value of the PIN is hard to question.
    It is clear to retailers that simple business practice 
improvements like eliminating signature and adopting PIN would 
be easier and more quickly implemented than any other steps. 
They hold the promise of being more effective in preventing the 
kind of financial harm that could impact consumers as companies 
suffer data security breaches affecting payment cards in the 
future.
    NRF also commends the President's recent Executive Order 
which called for establishing cyber threat information sharing 
among non-critical infrastructure industries such as retail 
through what are called information sharing and analysis 
organizations, ISAOs.
    The information sharing groups proposed appear similar to 
the Information Technology Security Council formed by NRF last 
year that currently shares cyber threat information among more 
than 170 information security professionals in retail.
    More than 2,000 cyber threat alerts have been sent to our 
retail members since the inception of our program and we 
continue to expand its reach among the retail community.
    Mr. Chairman, the remainder of my comments are in my 
written remarks. Thank you for the opportunity to testify. I 
look forward to your questions.
    [Prepared Statement of Mr. French follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Hurd. Thank you, Mr. French.
    Mr. Nutkis?

                   STATEMENT OF DANIEL NUTKIS


    Mr. Nutkis. Good afternoon, Chairman Hurd and Ranking 
Member Kelly. It is a pleasure to join the subcommittee this 
afternoon to share HITRUST's perspective on the cyber threats 
facing the health care industry.
    While I prepared my written Statement for the record, I 
would like to share with you a few key points.
    Health Information Trust Alliance was formed in 2007 with 
the singular mission to streamline the safeguarding of 
sensitive information systems and devices in use within the 
health care system.
    Our perspective on the evolving cyber security threats 
facing the health care industry is formed based on our deep 
engagement with industry around information protection. That 
engagement includes data from over 10,000 security assessments 
done in 2014 alone, leveraging the HITRUST CSF.
    The HITRUST CSF is a scalable, prescriptive and certifiable 
risk-based framework developed for and with the health care 
industry. It incorporates relevant NIST, ISO, PCI and other 
standards, supports various Federal and State regulations like 
HIPAA and HB 300 in Texas, incorporates best practices and 
lessons learned, including analysis of breached data, and 
incorporates 135 security controls and 14 privacy controls. It 
was first released in 2008 and is currently on Version 7.
    It should also be noted that we identified security 
controls relevant to cyber threats prior to the release of the 
NIST cyber security framework which is now fully mapped into 
the HITRUST CSF.
    It should also be noted that approximately 85 percent 
adoption by hospitals and health plans makes it the most widely 
adopted in the industry.
    Also influencing our perspective is the HITRUST Cyber 
Threat Intelligence and Incident Coordination Center, C3, 
which, established in 2012, is the most active cyber center in 
health care. It is a federally recognized ISAO, or information 
sharing and analysis organization.
    It supports threat intelligence sharing and incident 
coordination for the health care industry. It includes threat 
sharing with the Department of Health and Human Services and 
Homeland Security. It has four key components.
    The Cyber Threat XChange, CTX, was created to accelerate 
the sharing, distribution and consumption of threat indicators. 
It has been noted that the CTX is a revamp of a process that 
failed, in this case providing indicators of compromise in 
electronically consumable formats such as STIX, TAXII and 
proprietary SIEM formats, streamlining the process of making 
information more consumable. We make that available free of 
charge.
    The second component is something called Health Care 
CyberVision which was created to enhance awareness of unknown 
threats, provide early warning or a more perspective view into 
the unknown cyber threat environment which provides situational 
awareness by testing the effectiveness of security defenses 
against emerging and unknown threats.
    The third component is something we call CyberRx which is 
in its second year, which is a series of cyber preparedness and 
response exercises to simulate cyber attacks on health care 
organizations. We expanded that significantly this year to 
include a much larger part of the industry.
    The fourth component is our cyber monthly threat briefings. 
Every month, HITRUST, in conjunction with the Department of 
Health and Human Services hosts a cyber threat briefing to help 
raise awareness and educate the industry relating to cyber 
threats.
    Our familiarity in engaging with industry affords us 
certain insights into cyber preparedness, risk management and 
cyber risk indicators that have the potential to impact 
privacy, disrupt facility operations or cause direct harm to 
patients.
    We see a wide range of information protection maturity 
across an industry with over 400,000 organizations, ranging 
from Fortune 15 companies to solo practitioners. We have a wide 
range of information security sophistication, which 
significantly complicates the detection, sharing and response 
of any solution or approach. More needs to be done to ensure we 
are addressing the real needs of the market.
    Many organizations do not understand the cyber threats and 
risks relevant to their organization and spend unnecessary and 
limited resources in tracking down things that are not 
relevant.
    We need to look more at high tech, low touch approaches to 
automate more of the process and make it more actionable for a 
wider range of organizations.
    As to specific motives, many health care organizations are 
a treasure trove for threat actors. They store or process IP, 
EII, DII, DHI, financial information, medical information and 
much of it fully linked together. This makes the industry a 
high value target.
    The other panelists already mentioned threat actors. It is 
a wide range of actors, from nation-states to hackers of 
opportunity.
    A health plan was most recently a target of choice given 
the magnitude and breadth of information they possess. 
Hospitals face unique threats given their position of providing 
care directly to patients and their position of procuring and 
implementing medical devices and new technologies in their 
infrastructure.
    I do not make these Statements lightly with the intention 
of causing undue harm. As I said before, health care is a high 
value and target rich environment. We have come a long way but 
still have a long journey ahead of us.
    With that, Mr. Chairman, I am pleased to answer the 
committee's questions.
    [Prepared Statement of Mr. Nutkis follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 
    
    Mr. Hurd. Thank you very much, Mr. Nutkis.
    Mr. Johnson.


                    STATEMENT OF DOUG JOHNSON


    Mr. Johnson. Chairman Hurd, Ranking Member Kelly and 
members of the subcommittee, my name is Doug Johnson. I am 
Senior Vice President and Chief Advisor, Payments and 
Cybersecurity Policy at the American Bankers Association.
    I really do appreciate the opportunity to be here today and 
discuss cyber security as well as representing the ABA. I am 
also the Vice Chairman of the Financial Services Sector 
Coordinating Council and on the board of the Financial Service 
Information Sharing and Analysis Center.
    The Council has been in operation since 2002. The ISAC has 
been in operation since 1999. We are fairly mature in terms of 
our approach to these issues. I really do appreciate having the 
opportunity to provide the perspectives we have developed over 
the years.
    As the 114th Congress engages in public debate on the 
important issue of cyber security, we share your concerns 
regarding the evolving nature of the threats. We certainly do 
support effective cyber security policy. We want to continue to 
work with Congress toward that.
    I will focus on three main points: the evolving nature of 
cyber threats, the role of technology in addressing those 
threats and the role of expanded information sharing in 
protecting against the threats as well I think is very 
important.
    One thing that is evident is that attacks used to be very 
singular in focus, be it a denial of service attack against a 
financial institution, an attack against a merchant's point of 
sale device or maybe an attempt to destroy or wipe data of an 
energy company like Saudi Aramco.
    I think what we see now is sort of blended attacks where 
these multifaceted attacks create particular challenges for us 
because essentially they necessitate a simultaneous maintenance 
of availability, integrity and confidentiality of data where 
formerly a cyber security attack would maybe have the impact on 
one of those data components.
    That creates some resource constraints in some instances 
when you are trying to respond to those incidents.
    What we are also seeing is attackers of every variety are 
becoming increasingly adept at defeating security practices. We 
have seen the velocity increase with which companies must move 
so they can ensure they understand how the cyber risks are 
changing and mitigating measures most effective against those 
risks. It is an arms race. Indeed, it really is an arms race.
    Another increased challenge for institutions and the 
private sector--Mr. Nutkis alluded to this--is essentially the 
voluminous nature of the threat data which we have now. It is 
not as readily consumable as it could be.
    Determining the relevance of a particular piece of threat 
data, analyzing the magnitude of the threat, evaluating which 
systems might be impacted and devising the appropriate course 
to take in mitigating against the threat is becoming 
increasingly difficult to accomplish. I will touch on that when 
we talk about information sharing.
    Last, the victim of the attack is also changing. Prior to 
2014, much of the private and public sector energy was focused 
on critical infrastructure and payments. I think what we have 
seen based on 2014 is a recognition that there is a broader 
motivation for attackers in conducting a cyber attack. 
Essentially any company in any sector could be subject to a 
significant and highly visible attack.
    Technology obviously plays a significant role in protecting 
our Nation's companies and consumers. My written testimony 
spends a lot of time discussing that.
    I would say two things we really focused on in the 
testimony were the necessity to get rid of static numbers in the 
environment. I think one of the things the President's Cyber 
Security Summit demonstrated was there was a lot of energy 
around having customers have to essentially remember things in 
digits and symbols to socially prove they are who they are, 
ways through biometrics and ways through tokenization and other 
ways to authenticate transactions.
    Individuals are essentially going to be the mechanization 
by which I think we really can make a much greater impact on 
the fraud we are seeing today in the payments base and 
otherwise.
    I do think from a technology standpoint, the other 
promising thing is STIX and TAXII, which have also been discussed, 
whereby we are developing a mechanism for even the smallest 
financial institution and the smallest health company to be 
able to consume data and spend more time analyzing that data as 
opposed to having to make a determination as to whether or not 
the data even has any meaning in their environment.
    Those are my oral remarks. I look forward to your 
questions.
    [Prepared Statement of Mr. Johnson follows:]
           
    Mr. Hurd. Thank you, Mr. Johnson.
    Mr. Mierzwinski, please.


                 STATEMENT OF EDMUND MIERZWINSKI


    Mr. Mierzwinski. Thank you, Mr. Chairman, Representative 
Kelly and members of the committee.
    I am Ed Mierzwinski of the U.S. Public Interest Research 
Group.
    In my oral remarks, I want to talk about some of the 
threats that consumers face from the large amount of their 
information that is floating around in cyber space and is often 
obtained by hackers and other people intent on doing evil.
    I identify, in my written testimony, three levels of breach. 
The first level is a simple card number breach. A card number 
breach results in what is called existing account fraud. It is 
a problem but consumers are generally well protected by law in 
the case of existing account fraud.
    If, of course, your debit card is breached, you do have the 
additional problem of losing money from your bank account until 
the bank puts the money back in. That is why consumer advocates 
recommend the use of credit cards, if you can avoid credit card 
debt.
    The second level of breach is a breach that also obtains 
email names, email addresses, telephone numbers, the sort of 
information that allows the bad guy to conduct what is called 
phishing expeditions to try to obtain additional information 
about you.
    I should point out that after any big breach, it is not 
only the serious bad guy that got into your account that 
conducts phishing expeditions; it is anybody with an email list 
who can then send mail out to people and say, hey, if you are a 
person who shopped at Target, we need your information.
    They are not even the guy that has part of your 
information. They are just another bad guy hoping to capitalize 
on it. It is a serious problem.
    The third level of breach is the one that results in the 
mother lode of information being collected that allows worse 
harm to directly be conducted against you. Phishing expeditions 
are designed to collect your Social Security number but the 
Anthem breach and now the Premera breach resulted in the breach 
of Social Security numbers which can be used easily to 
commit financial identity theft which is a problem that has 
been around for 20 years.
    The additional problem of tax refund identity theft has 
been around fewer years but is something worthy of the 
committee's further review and another hearing probably.
    Third is medical identity theft where bad guys get medical 
attention in your name because they take advantage of your good 
medical insurance to get their own medical treatment.
    The fourth kind of problem many consumers have faced over 
the years--I have talked to Secret Service agents about this--
is a bad guy with the bad name wants to use your name to commit 
crime because you might not be in the system, you do not have 
two strikes against you already.
    There are also emotional and other problems that people 
face from identity theft.
    What can consumers do? Often companies recommend credit 
monitoring. In the Anthem and Premera breaches, I say take the 
credit monitoring. In an existing account breach, it does not 
help. It will not stop identity theft. It is a sop, something 
that will cause you to think you are better protected than you 
actually are.
    We recommend any consumer who is not directly in the market 
for new credit to get a security freeze. My testimony goes into 
detail on how the security freeze is really the only way to 
protect your credit report.
    We recommend to Congress, as committees of jurisdiction can 
consider legislation, do not preempt the States. The States are 
privacy leaders. Do not impose any sort of harm trigger in any 
breach legislation. Use an acquisition trigger.
    If a company loses your information, it should not have the 
right to decide whether to tell you. It should have its own 
reputation at risk. Use a broad definition of personally 
identifiable information in any legislation that goes forward.
    Most of the bills that I have seen are narrower than State 
laws. The Attorney General of Illinois has just proposed 
amendments to their State law, for example, that add geo-
locational and marketing information to the definition of 
personal information.
    Information is no longer just tracked in computers but 
tracked on your smart phone. Geo-location is very important.
    As Mr. French talked about, we totally agree with the 
merchant's technology neutral performance standard. Chip and 
pin is the highest current standard. Why are the banks stopping 
at chip and signature? It is illogical.
    Apple Pay and tokenization have some hope but Apple Pay has 
been breached in low tech ways, so a lot more needs to be done 
there.
    My testimony concludes by going into some detail on the 
general ecosystem we have today that simply collects too much 
information and keeps it for too long. Consumers need privacy 
rights based on a robust code of fair information practices.
    Thank you for the opportunity to testify.
    [Prepared Statement of Mr. Mierzwinski follows:]
        
    Mr. Hurd. Thank you, Mr. Mierzwinski.
    I now recognize Mr. Walker from North Carolina for 5 
minutes of questioning.
    Mr. Walker. Thank you, Mr. Chairman.
    This is a lot of information to process. It is very 
studious work on your parts. I appreciate that.
    I have two or three things I want to address. Mr. Nutkis, 
let me start with you.
    I have a lot of family in the health care industry. More 
and more that is becoming technological. Concerns and 
challenges facing this industry when addressing cyber threats, 
is that something that has come across the table as far as 
discussion?
    I want to know what you are hearing on this and how you 
would address it? Is it a problem that you are hearing or 
facing in the medical community?
    Mr. Nutkis. Cyber threats specific to medical devices?
    Mr. Walker. Correct, yes.
    Mr. Nutkis. Absolutely. That has been an ongoing issue. We 
were the first to start tracking vulnerabilities associated 
with medical devices. We see them on two sides, the implantable 
and the non-implantable as well as the control systems that are 
associated or controlling the devices as well. It is an ongoing 
problem.
    At this point, we do not track an exorbitant number of 
threats associated with them but there is no question we track 
vulnerabilities.
    Mr. Walker. At some point, is this considered a life and 
death matter? Could someone hack a system where they increase 
the defibrillator or are we at that point to be concerned about 
that?
    Mr. Nutkis. There have been demonstrations where, in fact, 
that has occurred. The circumstances are very specific. The 
answer is absolutely.
    The likelihood based on all the circumstances that would 
have to occur, there is no question this is a concern, 
disruption of life. One of the things we do is look at risk 
assessments and the analysis. We escalate from the PII to the 
PHI to sensitive health information to other types of 
information, the disruption of the facility itself to 
disruption of care.
    It goes beyond the device. You have electronic health 
records systems used for ordering. What if people start 
removing your drug allergies from your systems and you have 
a contraindication?
    I think these are all being worked on. We actually created 
a new working group specifically to look at better disclosure 
and how to move along this process.
    Mr. Walker. Mr. Bejtlich, earlier I believe you categorized 
different cyber attacks by the Chinese and Russians were for 
financial purposes. Can you go through that process again? I 
want to make sure I get that information because you said some 
of it was financial and some was more malicious intent. Can you 
make sure I have all that information correct?
    Mr. Bejtlich. At the top, the nation-State end, you see the 
Russians, the Chinese, increasingly now the North Koreans and 
the Iranians.
    The problems you discussed with health care, that could 
come from any sector. It could be a criminal element, an 
activist element and so forth.
    Briefly, we do have part of an answer. That is in the 
security community specifically with researchers. Part of the 
problem they are encountering is some of the research they do 
could be construed as hacking and put them at risk of being 
prosecuted simply for trying to identify these vulnerabilities.
    We need to create a safe space for that sort of work.
    Mr. Walker. In your opinion, if you are looking at lone 
wolf, guy on the mountain based criminal behavior versus some 
of the international threats, give me a concern overall in your 
community as far as what we are looking at? Where is the 
weightedness as far as immediate concern?
    Mr. Bejtlich. From the chronic theft of intellectual 
property, business methods and that sort of thing, I care about 
the Chinese the most. If I care about geo-political problems 
that could leak from the physical area, I worry about the 
Russians and what is going on in Ukraine and their using cyber 
capability to deter or back up something they are doing 
physically.
    Mr. Walker. Do you have any numbers as far as how many 
attacks we might be trying to fend off on a daily basis?
    Mr. Bejtlich. The best number I gave, sir, was the 3,000. 
Those are not trivial hacks caused by someone in a basement. 
Those are serious intruders that are tracked on a campaign 
basis by the FBI.
    Mr. Walker. Before my time expires, you mentioned three 
things earlier as far as working to prevent some of this, 
better credit cards. Can you address some of that? What do you 
mean by that?
    Mr. French. Better payment card security. The card security 
choices have been made by the card industry and the banks. Part 
of it is hardening the card, putting a chip on the card and 
that is going on currently.
    As Mr. Mierzwinski noted, the banks are choosing to use 
chip and signature, not chip and pin. The only really effective 
method of authenticating an individual is a pin.
    A system also needs end to end encryption as well as 
tokenization. Ultimately you want to take the number out of the 
system so that the number cannot be captured and replicated.
    Mr. Walker. Thank you, Mr. Chairman. I yield back.
    Mr. Hurd. Thank you, Mr. Walker.
    I now recognize the Ranking Member, Ms. Kelly, from 
Illinois.
    Ms. Kelly. Thank you, Mr. Chairman.
    In a survey of health care providers published last year, 
the Ponemon Institute found ``90 percent of health care 
organizations in the study have had at least one data breach in 
the past 2 years.''
    A New York Times article that was published stated, 
``Health organizations like Anthem are likely to be vulnerable 
targets because they have been slower to adopt measures like 
keeping personal information in separate databases that can be 
closed off in an attack. They are generally less secure than 
financial services companies with the same type of customer 
data.''
    Mr. Nutkis, as the CEO of an organization that works with 
many leading health care organizations to improve their data 
security, what are the most pressing challenges the industry 
faces when it comes to securing the personal data of its 
patients from cyber thieves?
    Mr. Nutkis. That is a question we deal with all the time. 
We have a maturity problem. We have a resource problem. I think 
we have seen the two of them come together.
    I think we have done a good job in moving the yardsticks 
with regard to industry's maturity. We have seen large 
organizations implement stronger security controls. I think it 
is important to note we do this on a risk basis, meaning that 
we assume health care data is never going to be as well 
protected as launch codes to a nuclear silo or payloads.
    I think there is an expectation that there is always an 
amount of risk. Certainly we can do a much better job. We have 
tried to do this with education and bringing in tools. One of 
the things is we are really transitioning from being a compliance-
based industry, not a risk-based industry.
    Our major focus, although we have known for many years that 
cyber was coming, we had regulations to comply with in regard 
to HIPAA privacy and people were spending more resources on 
those things because the data supported a privacy breach versus 
a security breach.
    Where do you spend your resources? You look at the top ten 
list. You focus on privacy. I think we have seen this 
transition very quickly to security. I think now we are seeing 
organizations take it seriously.
    It would certainly help, and we have looked for, a degree 
of safe harbor. You do the right things, you implement the 
right controls, you get management support to get the funding, 
and when you do that, if something happens, which will happen 
by the way in some cases, you did everything you could.
    Right now, by the way, organizations look at Anthem, look 
at other organizations that did extremely well. They were able 
to detect it themselves, they communicated quickly and have 
done a number of things. They go, well if Anthem cannot protect 
themselves, we do not have a chance.
    I think we are trying to let them know that is not the 
case. There is a lot that you can do. As a matter of fact, as 
those other organizations start to build stronger security 
measures, you are going to be a bigger target because you are 
all that is left.
    Ms. Kelly. Would you cite the reasons you just shared with 
us for the health care industry being technologically behind 
other industries because of where the focus has been and the 
resources have gone?
    Mr. Nutkis. I think there are two reasons. One certainly is 
the resources, no question about it. The other, I think to some 
degree, is we have a lot of organizations. We have at least 
400,000 directly in the industry and some that are sole 
practitioners, two doc practices, so I think when you get below 
the first 50,000 in the industry, you are really talking about 
very resource challenged.
    I think a lot of what we have tried to do is figure out how 
to move the maturity. Unfortunately, they are all 
interconnected. The small doc's practice still gets access to 
the same records that the health plan or hospital has. You end 
up with a big weak link problem. We have really tried to move 
that. We see it as a resource problem and also a priority 
problem.
    Ms. Kelly. What would be your key recommendations for 
improving the apparent security vulnerabilities?
    Mr. Nutkis. Our recommendations are providing a degree of 
safe harbor, recognizing organizations that implement strong 
security controls, and get assessed against those controls to 
demonstrate, in fact, that they are doing everything they can.
    The State of Texas is a good example. Texas has something 
called Secure Texas which if you comply with and get certified, 
you get a degree of liability protection if something happens. 
Organizations seem to be very receptive and see that as the 
right way to go get the funding they need.
    We look at information sharing as a great approach. I think 
it important to note that to some degree--look at the Premera 
breach yesterday or even the Anthem breach--the information 
that is being shared is quite old. Those breaches occurred in a 
period of time previously.
    Also, we are still trying to work with the vendor 
community. It is a $68 billion market of information security 
products. We would like to see them step up more as well. The 
small organizations do not have a chance in being able to 
affect the same way and the budgets are not the same. They are 
going to have to rely more on existing product.
    Ms. Kelly. How can Congress help you? How can we be of 
assistance?
    Mr. Nutkis. We would be very supportive of things like safe 
harboring, giving organizations the ability to do the right 
things, understand what they are, and implement them.
    We certainly are in favor of information sharing but again, 
if you do not have mature organizations, you end up with bad 
data being shared which really does not help anyone. We are 
hoping we get the controls in place. People can adopt those 
controls which force more mature organizations, more mature 
organizations can more effectively share.
    I think we have seen a lot of large organizations in 
industry being willing to share. We have seen the new bill 
supporting that. We think that is moving along. We see 
liability protection with regard to safe harbors being the way 
to get the whole process started.
    Once everyone starts getting more mature, there is better 
sharing, less risk and the whole model comes together.
    Ms. Kelly. Thank you so much.
    Thank you, Mr. Chair.
    Mr. Hurd. I recognize my colleague, Ms. Duckworth, from 
Illinois.
    Ms. Duckworth. Thank you, Mr. Chairman.
    I would like to turn the discussion toward the concept of 
data minimization and data reduction as a security measure.
    Mr. Bejtlich, could you speak a bit to this principle? Do 
you think that as a practice, if businesses adopted data 
minimization, would this type of security measure be more 
effective in mitigating the damage from a breach?
    Mr. Bejtlich. When you think in terms of risk, you have 
threat, vulnerability and the impact. To date, most of the 
focus has been on vulnerability. The problem is vulnerability 
is everywhere.
    If we can take steps that make the data less valuable, then 
if there is a breach, when there is a breach, there will not be 
that much of an impact. Furthermore, we should look at ways for 
recovery. In other words, we are looking at what can we do to 
stop a breach from happening but we need to look at once the 
breach has happened, what happens next. Who is responsible for 
cleaning up the mess of an identity theft? How much does it cost?
    There is a misalignment of a lot of these issues so it 
falls on the consumer and the citizen. Many times they are in 
the worst position to try to effect change.
    Ms. Duckworth. Can you speak a bit to the role of 
encryption in protecting highly sensitive data, especially on 
business and agency networks? This committee's job is to 
provide oversight of business and government agencies. Can you 
speak a bit to encryption?
    I also sit on Armed Services and am looking at some of 
their encryption challenges, especially with significant 
numbers of subcontractors, sub-subcontractors and the like.
    Mr. Bejtlich. Encryption has a value in certain areas. If I 
am going to talk to a colleague at the end of the table and 
want to make sure no one in between can hear it, I want to 
encrypt that data.
    If I am carrying around data on an external hard drive or a 
thumb drive and I lose it in a taxi, I want to make sure that 
is encrypted.
    Encryption stops the intruder from getting access to it. In 
certain areas encryption can be useful but we have to remember 
that in order for data to be useful, it has to be read at some 
point. Encryption will not necessarily be valuable at the point 
where that data is being used.
    Ms. Duckworth. Following this train of thought, I would 
like to look at data segmentation. We have talked about data 
minimization and encryption. Let us talk about data 
segmentation.
    Mr. Johnson, can you talk about this as a practice in your 
industry, if it is considered a best practice, and what would 
be happening if more businesses chose to do data segmentation?
    Mr. Johnson. I think it is really systems segmentation when 
you look at it. I think we have seen a number of breaches both 
within our industry and in the merchant industry and others 
where segmentation has not occurred and you have been able to 
get into a separate system because there was an ability to 
enter into a different system.
    An example might be an air conditioning vendor in the case 
of Target and in the case of a financial institution, I know of 
a work file going into human resources that ended up 
compromising an ATM system.
    It is very, very important to learn those lessons that you 
have segmentation between those systems and only authorize 
access to data and substantial rights protections associated 
with who has the right to that data, to view that data and 
change that data.
    I think we spend a lot of time in our industry thinking 
through that and our regulatory agencies do as well. One of the 
major findings that the regulatory agencies came up with based 
upon their 500 audits they did last year of community banks was 
there was absolutely undue complication within financial 
systems.
    There were things plugged into other things that did not 
need to be plugged in to other things. There were connectivity 
issues associated with systems.
    One of the charges we have based on that is to look and 
make sure our systems are not unduly complicated so that we do 
not unduly add data and potentially be compromised because of 
that.
    Ms. Duckworth. Mr. Bejtlich, could you speak a bit to the 
cooperation between the Chinese government and their business 
sector in conducting cyber espionage? Specifically, I am 
thinking of the case where there were Chinese companies that 
infiltrated Lockheed Martin, stole a lot of data and shared 
that data with the Chinese government which then resulted in 
their upgrading their fifth generation fighter jets.
    Can you talk a bit about that partnership that seems to be 
occurring?
    Mr. Bejtlich. There is collaboration among different 
elements of the Chinese hacking scene. You have top end 
military units, militia units, quasi-military and then you have 
the patriotic hackers.
    There is certainly a career progress that people go 
through. As far as the tasking goes, the military units are 
tasked to go after private sector companies in the west to 
steal intellectual property, business methods and that sort of 
data.
    Ms. Duckworth. Thank you.
    Mr. Hurd. Thank you.
    Votes have been called on the floor but I believe we can 
make it through questioning so the witnesses will not have to 
wait around during the vote series.
    With that, I would recognize the Ranking Member of the 
Oversight and Government Reform Committee, Mr. Cummings, from 
Maryland.
    Mr. Cummings. Mr. Chairman, I will be brief because I know 
you want to get to your questions.
    First of all, I want to welcome you to your chairmanship 
and to the committee. I want to thank our Ranking Member. 
Congratulations to both of you.
    The issue of cyber security has been one which I have been 
trying to raise before this committee for years. I give credit 
to you and Chairman Chaffetz for addressing it now because it 
is so very, very important.
    I have a lot of questions but I want to let the Chairman 
ask his questions.
    I sit on the Naval Academy Board of Trustees and Board of 
Visitors. We understand that cyber security is so very 
important. We have done a lot to make sure that all of our 
midshipmen are exposed to cyber security education.
    Do you think that we are preparing our Nation and our young 
people and the troops to be able to effectively deal with this 
very, very serious threat to our way of life, to our existence?
    Right now, we are dealing with the Secret Service. You see 
situations where people say we are prepared but when it comes 
time for the rubber to meet the road, you discover there is no 
road.
    I am wondering how you all feel about our colleges, 
universities and other institutions? Are we where we need to be 
to effectively deal with this serious problem?
    Mr. Bejtlich. Sir, I can address that. I am from the Air 
Force Academy class of 1994. I maintain contact with my 
colleagues there. Also, I have been to beautiful Annapolis.
    At the service academies you do see very strong focus on 
cyber security. There are contests between the different 
academies.
    Outside of that, at the regular universities and such, as 
my generation moves into teaching, you are seeing more focus on 
what we have done in corporate America in dealing with 
intruders, less focus on more abstract topics like 
cryptography, which has a role, but it is not the same thing as 
the rubber meeting the road that you mentioned. I think that 
situation is getting better.
    I would like to also mention CyberPatriot. This is a 
program for middle school and high school students nationwide. 
My kids' school just won the national championship for the 
middle schools.
    There is a focus now that is both generational and also at 
different levels of schools, not just at the colleges but we 
are seeing that migrate down to the middle schools. I would not 
be surprised if there is a one through five program coming up 
next.
    Mr. Cummings. Thank you, Mr. Chairman.
    Mr. Hurd. Mr. Cummings, I appreciate your being here today 
and your leadership on this committee.
    I now recognize myself for 5 minutes for questioning.
    The first question goes to Mr. French, Mr. Nutkis and Mr. 
Johnson. Can you talk to me about the top two digital threats 
to your industry and the folks you represent, the kind of 
threat actor whether it is a country or a specific individual 
or a person looking for a particular type of information?
    Mr. French. From the pattern of breaches that we have seen 
in recent years, it is organized gangs of criminals using very 
sophisticated attacks generally originating in Eastern Europe. 
I think that is the pattern we have seen almost in every 
instance.
    Unfortunately, they have a very sophisticated method of 
doing this and wipe their tracks when they go in. It is very 
difficult. They know what we are looking for and it is very 
difficult for us to track them inside our systems and wipe them 
out.
    Mr. Hurd. Mr. Nutkis?
    Mr. Nutkis. I think we see it in two ways, assuming by the 
way that we protected it to begin with, in the first, but I 
think we found with the Chinese they are there so long and so 
stealthy that the damage is substantial. When they get in, you 
are seeing much larger breaches or we are not seeing them at 
all because they are getting in and out.
    We are also seeing from Russia more financial. There is 
either some sort of extortion or financial. They are less 
methodical, so they leave a lot more trails.
    Those two for us are the ones we see the most.
    Mr. Johnson. Unfortunately, sir, we see them all. Of course 
during the service attacks, those were political, so those were 
from a nation State. From the Chinese, we see the intellectual 
property thefts. From the criminals, regardless whether or not 
they are attacking for economic gain, any set of breached data 
it is going to be a bank customer we end up reimbursing at the 
end of the line for potential financial loss.
    We become increasingly concerned about threats that have 
the potential of manipulating or destroying data. When does 
data disruption become data destruction is what we spend a lot 
of time thinking about in terms of ensuring we do not have data 
with the capacity to be manipulated.
    You hear about advanced persistent threats a lot. I think 
there are more irritating persistent threats, IPTs, because 
they do not necessarily have a level of advancement, they just 
happen to be there for very extended periods of time over time. 
We see a great deal of patience among all these perpetrators.
    Mr. Hurd. Mr. Bejtlich, in our opinion, I know your firm 
deals with all of the above threats. Is the Federal Government 
prepared to help private industry and the private sector in 
fighting these issues?
    Mr. Bejtlich. We have seen in recent high profile breaches, 
the FBI ready to assist. I do not know their ability to scale, 
however. I am not sure if we were to send the Bureau to every 
one of the breaches that my company is working, whether they 
would become quickly overwhelmed.
    That is one of the areas where this is different than a 
physical situation where you can call your local police and 
they are usually equipped to help you. We do not yet have a 
scalable government response to the problem.
    Mr. Hurd. Mr. French, Mr. Nutkis and Mr. Johnson, very 
quickly, in what ways can the government better provide 
information to you or what type of information should the 
government be providing to you to help protect your industry 
and the folks you represent?
    Mr. French. The government could do two things, in our 
opinion. First, better cyber sharing legislation would help to 
facilitate more real time exchange of information so that 
parties within the economy would be sharing with each other.
    The government has, through many of their systems, whether 
it is US-CERT or the Secret Service or FBI, done a very good 
job of working with, for example, Mr. Johnson's FS-ISAC. The 
FS-ISAC is a very sophisticated means of flowing that 
information out. They use a traffic light protocol that shares 
that information with parties and partners in the industry 
including retailers.
    The information flow is there but we could use some cyber 
security legislation.
    Mr. Hurd. Mr. Nutkis, briefly.
    Mr. Nutkis. I think for us it is the format of the 
information. We would like more information that is more 
valuable, accurate information and we would like it in a format 
that we can get to the consumer quickly.
    There is a lot of work involved and a lot of it is 
information. The analogy I use is Amazon online, Hulu Plus and 
Netflix. We are getting the same information over and over 
again. We really just want the stuff we want, so specify what 
is really important.
    If you end up with too much information, people get 
distracted, so we need good information and we need it in a 
format that we can distribute quickly.
    Mr. Hurd. Mr. Johnson, you have 30 seconds.
    Mr. Johnson. First of all, let the record show that I 
completely agree with Mr. French on this issue regarding 
information sharing.
    Second, I think liability protection is the other piece of 
that because we need clarity in terms of what that liability 
protection for voluntary sharing of information is, recognizing 
proper privacy protections need to be in place, and data needs 
to be minimized.
    I think that would greatly enhance the ability of us to 
have more adequate information sharing across sectors 
particularly.
    Mr. Hurd. I would like to recognize Ms. Kelly for 2 
minutes.
    Ms. Kelly. Mr. Mierzwinski, since not everyone is familiar 
with the crime of medical identity theft, can you explain to us 
what it is, how it occurs, and then what type of personal 
information do cyber thieves target when they commit medical 
identity theft?
    Mr. Mierzwinski. Medical identity theft is a relatively 
newly identified problem. The World Privacy Forum has issued 
several reports on it. Essentially, instead of opening bank 
accounts in your name, somebody obtains medical services in 
your name. They may not be able to afford health insurance but 
they use your health insurance to get the services that they 
cannot afford.
    It is a very significant problem. Again, for the first 
time, we understand that the Anthem breach did not include 
medical service information but the Premera breach may have. 
The Anthem breach, however, provided enough information to 
commit all the other kinds of identity theft and possibly to 
apply for health insurance in your name.
    Ms. Kelly. Thank you so much.
    Thank you, Mr. Chairman.
    Mr. Hurd. Gentlemen, I wish we had two or three more hours 
to continue this conversation. This is an important topic and 
something I am looking forward to working with Ranking Member 
Kelly on.
    I really appreciate you all taking the time to appear 
before us today. The materials you provided in advance were 
incredibly helpful as well. I am looking forward to following 
up with each of you individually on that as we chart a course 
on making sure the Federal Government is doing absolutely 
everything we can to protect our consumers and our industries 
from those trying to do us ill.
    If there is no further business, without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 2:03 p.m., the subcommittee was adjourned.]