[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY: THE EVOLVING NATURE OF
CYBER THREATS FACING THE PRIVATE SECTOR
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
MARCH 18, 2015
__________
Serial No. 114-11
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______________
U.S. GOVERNMENT PUBLISHING OFFICE
94-349 PDF WASHINGTON : 2015
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, JR., Tennessee
JIM JORDAN, Ohio
TIM WALBERG, Michigan
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
CYNTHIA M. LUMMIS, Wyoming
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina
RON DeSANTIS, Florida
MICK MULVANEY, South Carolina
KEN BUCK, Colorado
MARK WALKER, North Carolina
ROD BLUM, Iowa
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. "BUDDY" CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MATT CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
BONNIE WATSON COLEMAN, New Jersey
STACEY E. PLASKETT, Virgin Islands
MARK DeSAULNIER, California
BRENDAN F. BOYLE, Pennsylvania
PETER WELCH, Vermont
MICHELLE LUJAN GRISHAM, New Mexico
Sean McLaughlin, Staff Director
David Rapallo, Minority Staff Director
Subcommittee on Information Technology
WILL HURD, Texas, Chairman
BLAKE FARENTHOLD, Texas, Vice Chair
MARK WALKER, North Carolina
ROD BLUM, Iowa
PAUL A. GOSAR, Arizona
ROBIN L. KELLY, Illinois, Ranking Member
GERALD E. CONNOLLY, Virginia
TAMMY DUCKWORTH, Illinois
TED LIEU, California
Troy Stock, Staff Director
Mike Flynn, Counsel
Sarah Vance, Clerk
C O N T E N T S
----------
Hearing held on March 18, 2015
WITNESSES
Mr. Richard Bejtlich, Chief Security Strategist, FireEye, Inc.
    Oral Statement
    Written Statement
Mr. David French, Senior Vice President, Government Relations,
National Retail Federation
    Oral Statement
    Written Statement
Mr. Daniel Nutkis, CEO and Founder, Health Information Trust
Alliance
    Oral Statement
    Written Statement
Mr. Doug Johnson, Senior Vice President and Chief Advisor,
Payments and Cybersecurity Policy, American Bankers Association
    Oral Statement
    Written Statement
Mr. Edmund Mierzwinski, Consumer Program Director and Senior
Fellow, U.S. Public Interest Research Group
    Oral Statement
    Written Statement
CYBERSECURITY: THE EVOLVING NATURE OF CYBER THREATS FACING THE PRIVATE
SECTOR
----------
Wednesday, March 18, 2015,
House of Representatives,
Subcommittee on Information Technology,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 1:01 p.m. in
room 2154, Rayburn House Office Building, the Honorable Will
Hurd (chairman of the subcommittee), presiding.
Present: Representatives Hurd, Carter, Kelly, Duckworth and
Cummings.
Mr. Hurd. The Subcommittee on Information Technology will
come to order.
Without objection, the Chair is authorized to declare a
recess at any time.
Good afternoon and welcome, everyone. I appreciate you all
being here.
It is great to finally be here. This hearing has been
rescheduled a number of times. Hopefully, this is the first of
many hearings for this Subcommittee on Information Technology
within Oversight and Government Reform.
As we all know, the Oversight Committee exists because of
two fundamental principles. First, Americans have a right to
know that the money Washington takes from them is well spent.
Second, Americans deserve an efficient and effective government
that works for them.
I thank all the members for being here this afternoon. I
would especially like to thank the Ranking Member, Ms. Kelly,
for her efforts on behalf of the committee thus far. It has
been great working with you already and I am looking forward to
the next year and a half.
As the Chairman of the IT Subcommittee, we are looking to
do four things over this Congress. One of those issues we will
look at is IT procurement and acquisition.
When I was running for Congress, I never thought I would be
talking about IT procurement as much as I do but it is an
important area where we can reduce the size and scope of the
Federal Government.
The second area we will look at is emerging technologies.
Our technology landscape is shifting and with emerging
technologies such as drones, 3-D printing, these are all things
that the government has not dealt in before.
We have to make sure that we are not stifling any growth in
these areas, but are protecting consumers as well.
The third area we will look at is privacy. I know we will
have a conversation today about this issue. When information is
becoming increasingly accessible to folks and the masses, we
need to make sure that we are protecting our information. We
can protect our digital infrastructure and our civil liberties
at the same time.
I am looking forward to delving into this topic over these
next few months.
The fourth area we will talk about today is cybersecurity
and information sharing. I think the Federal Government should
be doing everything it can to share information with the
private sector so that the private sector can protect itself.
I spent 9 years as an undercover officer in the CIA. My
background is in computer science. I may be able to bang out
some Fortran 77 code right now but it has been great having
that experience and background and using it to help us as we
chart our course forward.
I also helped build a cybersecurity company. One of the
things we always tell our clients is that in this day and age,
you have to begin with the presumption of breach. If you give
me enough time and money, I am going to get in. What do you do
to detect someone on your network? How can you contain them and
then kick them out?
I think the conversation today is pretty timely with the
recent attacks on Sony, Anthem, J.P. Morgan Chase and other big
names. Just yesterday, we found out about 11 million customers
who may have had their health records compromised in an attack
on Blue Cross that occurred last May.
With each passing day and week, there is a new hack, a new
breach or a theft being committed over the Internet. Because of
this, we must encourage the sharing of cyber threat information
to help deal with those breaches when they occur.
Having been on both the private side and the public side of
this issue, I know that both sides are not communicating as
well as they could be. I hope this committee can shed light on
the growing problem and work with the authorizing committees
and the appropriators on bringing forth beneficial cyber
legislation.
The goal of today's hearing is to paint a picture of common
threats, understand how the Federal Government can better
engage with the private sector and get some suggestions and
prescriptive measures that the Federal Government should take.
I want to thank everyone again for being here and
participating today in this important hearing.
Mr. Hurd. With that, I would like to now recognize my
friend, the ranking member of the subcommittee, Ms. Kelly of
Illinois, for 5 minutes for an opening Statement.
Ms. Kelly. Thank you, Mr. Chairman. I too look forward to
working with you over the next year and a half.
Thank you, Mr. Chairman, for holding this hearing on
cybersecurity threats faced by the private sector. As you just
said, the announcement of the attack against Blue Cross reminds
us that no company is immune from cyber attacks and data
breaches.
Sophisticated companies such as Sony, Home Depot, Target,
Anthem and USIS were all targeted and breached by cyber
attackers. The most recent attack against Anthem, one of the
Nation's leading health insurers, resulted in an attack on up
to 80 million personal records of customers and employees.
That attack is particularly disturbing because, as I
pointed out in an article I wrote in Roll Call last month,
medical identity theft represents a new norm in cyber crime.
The real victims of cyber crime are the employees and customers
whose sensitive personal information is stolen and used by
cyber thieves in other crimes.
Cyber theft of social security numbers, birth dates and
sensitive medical information puts individuals at heightened
risk of crimes such as financial fraud and tax refund fraud.
Corporations collect and utilize a lot of personal
information about their customers and employees. It is
imperative that those businesses employ more effective means to
safeguard it.
I look forward to hearing from today's witnesses about best
practices they are recommending to help their members protect
against cyber attacks and mitigate any damage from data
breaches.
Today's hearing is also a recognition of the fact that the
Federal Government and private sector must work more
effectively together to thwart cyber crime.
I also look forward to hearing from today's witnesses about
what government can do to help protect businesses and consumers
from future cyber attacks and data breaches.
It is worth noting that the President recently issued a
series of new initiatives to improve cyber security information
sharing between the government and private sector to better
assist in thwarting cyber attacks. I applaud him for that but
Congress needs to do more.
Thank you again, Mr. Chairman. I yield the balance of my
time.
Mr. Hurd. The gentlewoman yields the balance of her time.
I will hold the record open for five legislative days for
any members who would like to submit written Statements.
Now we get to recognize our panel of witnesses. This is a
great panel. This is actually one of those issues where I think
the House, the Senate and the White House can work together. We
are looking forward to that opportunity.
I am pleased to welcome our witnesses: Mr. Richard
Bejtlich, Chief Security Strategist at FireEye; Mr. David
French, Senior Vice President, Government Relations, National
Retail Federation; Mr. Daniel Nutkis, CEO and founder of the
Health Information Trust Alliance; Mr. Doug Johnson, Senior
Vice President and Chief Advisor, Payments and Cybersecurity
Policy, of the American Bankers Association; and Mr. Edmund
Mierzwinski, Consumer Program Director and Senior Fellow, U.S.
Public Interest Research Group. I want to welcome everyone here
today.
Pursuant to committee rules, all witnesses will be sworn
before they testify. Please rise and raise your right hand.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
[Witnesses respond in the affirmative.]
Mr. Hurd. In order to allow time for discussion, please
limit your testimony to 5 minutes. Your entire written
Statement will be made a part of the record.
With that, Mr. Bejtlich, we will start off with you.
WITNESS STATEMENTS
STATEMENT OF RICHARD BEJTLICH
Mr. Bejtlich. Chairman Hurd, Ranking Member Kelly, members
of the committee, thank you for the opportunity to testify.
I am Richard Bejtlich, Chief Security Strategist at
FireEye. Today I will discuss digital threats, how to think
about risk and some strategies to address these challenges.
Who is the threat? In our work, we have discovered and
countered nation-State actors from China, Russia, Iran, North
Korea, Syria, and other countries.
The Chinese and Russians tend to hack for commercial and
geopolitical gain. The Iranians and North Koreans extend these
activities to include disruption via denial of service and
sabotage using destructive malware.
Activity from Syria relates to the regional civil war and
sometimes affects Western news outlets and other victims.
Eastern Europe continues to be a source of criminal operations,
and we worry that the conflict between Ukraine and Russia will
extend into the digital realm.
Threat attribution, or identifying responsibility for a
breach, depends on the political stakes surrounding an
incident.
For high-profile intrusions, such as those in the news over
the last few months, attribution has been a priority. National
technical means, law enforcement, and counter-intelligence can
pierce anonymity. Some elements of the private sector have the
right experience and evidence to assist with this process.
I would like to emphasize that attribution is possible, but
it is a function of what is at stake.
Who is being breached? In March 2014, the Washington Post
reported that in 2013, Federal agents, often the FBI, notified
more than 3,000 U.S. companies that their computer systems had
been hacked. This count represents clearly identified breach
victims. Many were likely compromised more than once.
In the 18 or so years I have been doing this work, this to
me is the single best statistic we have because these were not
attacks, these were not near misses, these were actual, serious
breaches that merited notification by law enforcement.
How do victims learn of a breach? Unfortunately, in 70
percent of cases, someone else, likely the FBI, tells a victim
about a serious compromise. Only 30 percent of the time do
victims identify intrusions on their own.
The median amount of time from an intruder's initial
compromise to the time when a victim learns of a breach,
according to our research, is currently 205 days. This number
is better than last year's research, where the number was 229
days. Unfortunately, it means that, for nearly 7 months after
gaining initial entry, intruders are free to roam within victim
networks.
What are you supposed to do about this? I like to first
think of defining the risk. In this hearing, we are thinking
about the risk of intrusion to private companies in the United
States, but there are many other risks we could talk about.
That is the focus of this hearing.
Step two is to try to figure out some ways to measure
progress. When I work with companies, I try to encourage them
to think in terms of a couple metrics.
The first one is how many intrusions are occurring because
there are many intrusions occurring in companies but not all of
them rise to the level of somebody stealing your data or
somebody destroying your data.
Second, they need to track the amount of time that elapses
from when the intrusion first occurs and when they do something
about it. We want to drive down both of those numbers.
Some things happen outside companies which impact the
threat and the cost to the intrusion. Law enforcement and
counter intelligence are the primary means by which you can
mitigate the threat.
I did an editorial for Brookings recently called Target
Malware Kingpins where I asked what makes more sense, expecting
2 billion Internet users to adequately secure their personal
information or reducing the threat posed by the approximately
100 malware kingpins in the world?
Reducing the cost side of the equation takes a little more
creativity. One step--I noticed it in the testimony of some of
my fellow panelists--is tokenization of payment card data such
that you are not dealing in credit cards when you are trying to
authorize transactions.
A second step would be to drastically reduce or preferably
eliminate the value of a Social Security number. With a Social
Security number, as noted in the testimony in more detail by my
colleagues, you can get credit reports and just an opening to
much more damage.
In brief, at least from the perspective of a private
company, we can win when we stop intruders from achieving their
objectives. It is ideal to prevent an adversary from getting
into your network but that goal is increasingly difficult.
Instead, we need to focus on quickly detecting the
intrusion, containing the adversary and stopping him before he
destroys, steals or whatever his mission is, as Chairman Hurd
mentioned.
Finally, we must appreciate that the time to find and
remove intruders is now. If you were to hire me to be your CSO,
the first step I would take would be to hunt for intruders
already in your network.
I look forward to your questions.
[Prepared Statement of Mr. Bejtlich follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Mr. Bejtlich.
The Chair now recognizes Mr. French.
STATEMENT OF DAVID FRENCH
Mr. French. Thank you for the opportunity to provide you
with our views on cyber security threats facing the private
sector as well as achievable solutions to better protect
sensitive information.
Retailers are just one of the targets in an evolving and
escalating war on our digital economy. Merchants collectively
spend billions of dollars safeguarding sensitive customer
information.
At the outset, let me state that data intrusion is a crime
of a particularly international character. In virtually every
reported incident, it seems as if the criminals are operating
from abroad beyond the reach of U.S. law enforcement.
In all of the congressional scrutiny over data security,
there has been a conspicuous lack of attention paid to
strengthening our national ability to interdict and prosecute
these criminals. We do not have specific recommendations in
this area but it is an observation that this committee is
uniquely well situated to conduct such an inquiry.
Beyond better law enforcement tools, my remarks center on
three themes: better payment card security; effective breach
notification and sharing of cyber threat information.
In our view, security alone is not the answer. The issue
must be considered much more holistically. We must work
together to prevent cyber attacks and help reduce fraud or
other economic harm that may result when breaches occur.
Ultimately, we must make data less valuable. If breaches
become less profitable to criminals, then criminals will
dedicate fewer resources to committing them and our common data
security goals will become much more achievable.
Cyber attacks are a fact of life in the United States.
Virtually every network is at risk. In its 2014 data breach
investigation report, Verizon determined that there were more
than 63,000 data security incidents reported by industry,
educational institutions and government entities in 2013. Of
those, more than 1,300 had confirmed data losses. The financial
industry suffered 34 percent of these and the retail industry
had less than 11 percent.
I do not cite these figures to criticize our colleagues in
the banking industry but merely to illustrate the fact that the
incidents of data breaches are proportionate to the relative
value of information that can be stolen.
It should not be surprising that three times more data
breaches occur at financial institutions than at retailers.
Criminals seek high value information and data thieves know
that banks are most sensitive to financial and personal
information, including not just card numbers but bank account
numbers, Social Security numbers and other identified data that
can be used to steal identities beyond completing some
fraudulent transaction.
When it comes to payment card data, there is one single
fact that banks and the card networks must acknowledge. All of
the decisions about card design and security are theirs alone.
Retailers did not forgo chip technology in the U.S. for almost
two decades and we did not conceive of the complex, costly and
largely ineffective payment card industry data security
standards. We have to live with the downstream costs of these
decisions every day.
Without fraud-prone payment card information in retailer
systems, criminals would not find the rest of the information
retailers typically hold, benign data such as phone book
information, shoe size or color preferences, to be all that
interesting or, more importantly, lucrative on the black market.
That is why payment card security is essential and the
adoption of a microchip in payment cards is a long overdue step
in the right direction.
For retailers, however, the debate over card security comes
down to a basic question about why the card networks and banks
continue to rely on signature-based authentication methods
rather than the proven security of a four digit personal
identification number, or PIN.
Around the globe, most industrialized nations have adopted
PIN-based solutions. We know that PINs provide an extra layer
of security against downstream fraud, even if the card numbers
are stolen in a breach.
In PIN-based transactions, for example, the stored 16
digits from the card would alone be insufficient to conduct a
fraudulent transaction in a store without the four digit PIN,
which is known to the consumer and not present on the card
itself. In short, the value of the PIN is hard to question.
It is clear to retailers that simple business practice
improvements like eliminating signature and adopting PIN would
be easier and more quickly implemented than any other steps.
They hold the promise of being more effective in preventing the
kind of financial harm that could impact consumers as companies
suffer data security breaches affecting payment cards in the
future.
NRF also commends the President's recent Executive Order
which called for establishing cyber threat information sharing
among non-critical infrastructure industries such as retail
through what are called information sharing and analysis
organizations, ISAOs.
The information sharing groups proposed appear similar to
the Information Technology Security Council formed by NRF last
year that currently shares cyber threat information among more
than 170 information security professionals in retail.
More than 2,000 cyber threat alerts have been sent to our
retail members since the inception of our program and we
continue to expand its reach among the retail community.
Mr. Chairman, the remainder of my comments are in my
written remarks. Thank you for the opportunity to testify. I
look forward to your questions.
[Prepared Statement of Mr. French follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Mr. French.
Mr. Nutkis?
STATEMENT OF DANIEL NUTKIS
Mr. Nutkis. Good afternoon, Chairman Hurd and Ranking
Member Kelly. It is a pleasure to join the subcommittee this
afternoon to share HITRUST's perspective on the cyber threats
facing the health care industry.
While I prepared my written Statement for the record, I
would like to share with you a few key points.
Health Information Trust Alliance was formed in 2007 with
the singular mission to streamline the safeguarding of
sensitive information systems and devices in use within the
health care system.
Our perspective on the evolving cyber security threats
facing the health care industry is formed based on our deep
engagement with industry around information protection. That
engagement includes data from over 10,000 security assessments
done in 2014 alone, leveraging the HITRUST CSF.
The HITRUST CSF is a scalable, prescriptive and certifiable
risk-based framework developed for and with the health care
industry, incorporating relevant NIST, ISO, PCI and other
standards. It supports various Federal and State regulations like
HIPAA and HB 300 in Texas, incorporates best practices and
lessons learned including analysis of breached data, and
incorporates 135 security controls and 14 privacy controls. It
was first released in 2008 and is currently on Version 7.
It should also be noted that we identified security
controls relevant to cyber threats prior to the release of the
NIST cyber security framework which is now fully mapped into
the HITRUST CSF.
It should also be noted that approximately 85 percent
adoption by hospitals and health plans make it the most widely
adopted in the industry.
Also influencing our perspective is the HITRUST Cyber
Threat Intelligence and Incident Coordination Center, C3, which
is the most active cyber center in health care established in
2012. It is a federally recognized ISAO or information sharing
and analysis organization.
It supports threat intelligence sharing and incident
coordination for the health care industry. It includes threat
sharing with the Department of Health and Human Services and
Homeland Security. It has four key components.
The Cyber Threat XChange, CTX, was created to accelerate
the sharing, distribution and consumption of threat indicators.
It has been noted that the CTX is a revamp of a process that
failed, in this case providing indicators of compromise in
electronic consumer format such as STIX, TAXII and proprietary
SIEM formats, streamlining the process of making information
more consumable. We make that available free of charge.
The second component is something called Health Care
CyberVision which was created to enhance awareness of unknown
threats, provide early warning or a more perspective view into
the unknown cyber threat environment which provides situational
awareness by testing the effectiveness of security defenses
against emerging and unknown threats.
The third component is something we call CyberRx which is
in its second year, which is a series of cyber preparedness and
response exercises to simulate cyber attacks on health care
organizations. We expanded that significantly this year to
include a much larger part of the industry.
The fourth component is our cyber monthly threat briefings.
Every month, HITRUST, in conjunction with the Department of
Health and Human Services hosts a cyber threat briefing to help
raise awareness and educate the industry relating to cyber
threats.
Our familiarity in engaging with industry affords us
certain insights into cyber preparedness, risk management and
cyber risk indicators that have the potential to impact
privacy, disrupt facility operations or cause direct harm to
patients.
We have information protection maturity in organization
with over 400,000 organizations ranging from Fortune 15 to solo
practitioners. We have a wide range of information security
sophistication which significantly complicates the detection
sharing and response of any solution or approach. More needs to
be done to ensure we are addressing the real needs of the
market.
Many organizations do not understand the cyber threats and
risks relevant to their organization and spend unnecessary and
limited resources in tracking down things that are not
relevant.
We need to look more at high tech, low touch approaches to
automate more of the process and make it more actionable for a
wider range of organizations.
As to specific motives, many health care organizations are
a treasure trove for threat actors. They store or process IP,
EII, DII, DHI, financial information, medical information and
much of it fully linked together. This makes the industry a
high value target.
The other panelists already mentioned threat actors. It is
a wide range of actors, from nation-states to hackers of
opportunity.
A health plan was most recently a target of choice given
the magnitude and breadth of information they possess.
Hospitals face unique threats given their position of providing
care directly to patients and their position of procuring and
implementing medical devices and new technologies in their
infrastructure.
I do not make these Statements lightly with the intention
of causing undue harm. As I said before, health care is a high
value and target rich environment. We have come a long way but
still have a long journey ahead of us.
With that, Mr. Chairman, I am pleased to answer the
committee's questions.
[Prepared Statement of Mr. Nutkis follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you very much, Mr. Nutkis.
Mr. Johnson.
STATEMENT OF DOUG JOHNSON
Mr. Johnson. Chairman Hurd, Ranking Member Kelly and
members of the subcommittee, my name is Doug Johnson. I am
Senior Vice President and Chief Advisor, Payments and
Cybersecurity Policy at the American Bankers Association.
I really do appreciate the opportunity to be here today and
discuss cyber security as well as representing the ABA. I am
also the Vice Chairman of the Financial Services Sector
Coordinating Council and on the board of the Financial Service
Information Sharing and Analysis Center.
The Council has been in operation since 2002. The ISAC has
been in operation since 1999. We are fairly mature in terms of
our approach to these issues. I really do appreciate having the
opportunity to provide the perspectives we have developed over
the years.
As the 114th Congress engages in public debate on the
important issue of cyber security, we share your concerns
regarding the evolving nature of the threats. We certainly do
support effective cyber security policy. We want to continue to
work with Congress toward that.
I will focus on three main points: the evolving nature of
cyber threats, the role of technology in addressing those
threats and the role of expanded information sharing in
protecting against the threats as well I think is very
important.
One thing that is evident is that attacks used to be very
singular in focus, be it a denial of service attack against a
financial institution, an attack against a merchant's point of
sale device or maybe an attempt to destroy or wipe data of an
energy company like Saudi ARAMCO.
I think what we see now is sort of blended attacks, where
these multifaceted attacks create particular challenges for us
because essentially they necessitate a simultaneous maintenance
of availability, integrity and confidentiality of data, where
formerly a cyber security attack would maybe have the impact on
one of those data components.
That creates some resource constraints in some instances
when you are trying to respond to those incidents.
We are also seeing that attackers of every variety are
becoming increasingly adept at defeating security practices. We
have seen the velocity increase with which companies must move
so they can ensure they understand how the cyber risks are
changing and the mitigating measures most effective against those
risks. It is an arms race. Indeed, it really is an arms race.
Another increased challenge for institutions and the
private sector--Mr. Nutkis alluded to this--is essentially the
voluminous nature of the threat data which we have now. It is
not as readily consumable as it could be.
Determining the relevance of a particular piece of threat
data, analyzing the magnitude of the threat, evaluating which
systems might be impacted and devising the appropriate course
to take in mitigating against the threat is becoming
increasingly difficult to accomplish. I will touch on that when
we talk about information sharing.
Last, the victim of the attack is also changing. Prior to
2014, much of the private and public sector energy was focused
on critical infrastructure and payments. I think what we have
seen based on 2014 is a recognition that there is a broader
motivation for attackers in conducting a cyber attack.
Essentially any company in any sector could be subject to a
significant and highly visible attack.
Technology obviously plays a significant role in protecting
our Nation's companies and consumers. My written testimony
spends a lot of time discussing that.
I would say two things we really focused on in the
testimony was the necessity to get rid of static numbers in the
environment. I think one of the things the President's Cyber
Security Summit demonstrated was there was a lot of energy
around having customers have to essentially remember things in
digits and symbols to socially prove they are who they are,
ways through biometrics and ways through tokenization and other
ways to authenticate transactions.
Individuals are essentially going to be the mechanization
by which I think we really can make a much greater impact on
the fraud we are seeing today in the payments base and
otherwise.
I do think from a technology standpoint, the other
promising thing is STIX and TAXII, which have also been discussed
whereby we are developing a mechanism for even the smallest
financial institution and the smallest health company to be
able to consume data and spend more time analyzing that data as
opposed to having to make a determination as to whether or not
the data even has any meaning in their environment.
Those are my oral remarks. I look forward to your
questions.
[Prepared Statement of Mr. Johnson follows:]
Mr. Hurd. Thank you, Mr. Johnson.
Mr. Mierzwinski, please.
STATEMENT OF EDMUND MIERZWINSKI
Mr. Mierzwinski. Thank you, Mr. Chairman, Representative
Kelly and members of the committee.
I am Ed Mierzwinski of the U.S. Public Interest Research
Group.
In my oral remarks, I want to talk about some of the
threats that consumers face from the large amount of their
information that is floating around in cyber space and is often
obtained by hackers and other people intent on doing evil.
I identify in my written testimony three levels of breach.
The first level is a simple card number breach. A card number
breach results in what is called existing account fraud. It is
a problem but consumers are generally well protected by law in
the case of existing account fraud.
If, of course, your debit card is breached, you do have the
additional problem of losing money from your bank account until
the bank puts the money back in. That is why consumer advocates
recommend the use of credit cards, if you can avoid credit card
debt.
The second level of breach is a breach that also obtains
email names, email addresses, telephone numbers, the sort of
information that allows the bad guy to conduct what is called
phishing expeditions to try to obtain additional information
about you.
I should point out that after any big breach, it is not
only the serious bad guy that got into your account that
conducts phishing expeditions, it is anybody with an email list
who can then send mail out to people and say, hey, if you are a
person who shopped at Target, we need your information.
They are not even the guy that has part of your
information. They are just another bad guy hoping to capitalize
on it. It is a serious problem.
The third level of breach is the one that results in the
mother lode of information being collected that allows worse
harm to directly be conducted against you. Phishing expeditions
are designed to collect your Social Security number but the
Anthem breach and now the Premera breach resulted in the breach
of Social Security numbers which can be used easily to
commit financial identity theft which is a problem that has
been around for 20 years.
The additional problem of tax refund identity theft has
been around fewer years but is something worthy of the
committee's further review and another hearing probably.
Third is medical identity theft where bad guys get medical
attention in your name because they take advantage of your good
medical insurance to get their own medical treatment.
The fourth kind of problem many consumers have faced over
the years--I have talked to Secret Service agents about this--
is a bad guy with the bad name wants to use your name to commit
crime because you might not be in the system, you do not have
two strikes against you already.
There are also emotional and other problems that people
face from identity theft.
What can consumers do? Often companies recommend credit
monitoring. In the Anthem and Premera breaches, I say take the
credit monitoring. In an existing account breach, it does not
help. It will not stop identity theft. It is a sop, something
that will cause you to think you are better protected than you
actually are.
We recommend any consumer who is not directly in the market
for new credit to get a security freeze. My testimony goes into
detail on how the security freeze is really the only way to
protect your credit report.
We recommend to Congress, as committees of jurisdiction can
consider legislation, do not preempt the States. The States are
privacy leaders. Do not impose any sort of harm trigger in any
breach legislation. Use an acquisition trigger.
If a company loses your information, it should not have the
right to decide whether to tell you. It should have its own
reputation at risk. Use a broad definition of personally
identifiable information in any legislation that goes forward.
Most of the bills that I have seen are narrower than State
laws. The Attorney General of Illinois has just proposed
amendments to their State law, for example, that add geo-
locational and marketing information to the definition of
personal information.
Information is no longer just tracked in computers but
tracked on your smart phone. Geo-location is very important.
As Mr. French talked about, we totally agree with the
merchant's technology neutral performance standard. Chip and
pin is the highest current standard. Why are the banks stopping
at chip and signature? It is illogical.
Apple Pay and tokenization have some hope but Apple Pay has
been breached in low tech ways, so a lot more needs to be done
there.
My testimony concludes by going into some detail on the
general ecosystem we have today that simply collects too much
information and keeps it for too long. Consumers need privacy
rights based on a robust code of fair information practices.
Thank you for the opportunity to testify.
[Prepared Statement of Mr. Mierzwinski follows:]
Mr. Hurd. Thank you, Mr. Mierzwinski.
I now recognize Mr. Walker from North Carolina for 5
minutes of questioning.
Mr. Walker. Thank you, Mr. Chairman.
This is a lot of information to process. It is very
studious work on your parts. I appreciate that.
I have two or three things I want to address. Mr. Nutkis,
let me start with you.
I have a lot of family in the health care industry. More
and more that is becoming technological. Concerns and
challenges facing this industry when addressing cyber threats,
is that something that has come across the table as far as
discussion?
I want to know what you are hearing on this and how you
would address it? Is it a problem that you are hearing or
facing in the medical community?
Mr. Nutkis. Cyber threats specific to medical devices?
Mr. Walker. Correct, yes.
Mr. Nutkis. Absolutely. That has been an ongoing issue. We
were the first to start tracking vulnerabilities associated
with medical devices. We see them on two sides, the implantable
and the non-implantable as well as the control systems that are
associated or controlling the devices as well. It is an ongoing
problem.
At this point, we do not track an exorbitant number of
threats associated with them but there is no question we track
vulnerabilities.
Mr. Walker. At some point, is this considered a life and
death matter? Could someone hack a system where they increase
the defibrillator or are we at that point to be concerned about
that?
Mr. Nutkis. There have been demonstrations where, in fact,
that has occurred. The circumstances are very specific. The
answer is absolutely.
The likelihood based on all the circumstances that would
have to occur, there is no question this is a concern,
disruption of life. One of the things we do is look at risk
assessments and the analysis. We escalate from the PII to the
PHI to sensitive health information to other types of
information, the disruption of the facility itself to
disruption of care.
It goes beyond the device. You have electronic health
records systems used for ordering. What if people start
removing your drug allergies from your systems and you have a
contraindication?
I think these are all being worked on. We actually created
a new working group specifically to look at better disclosure
and how to move along this process.
Mr. Walker. Mr. Bejtlich, earlier I believe you categorized
different cyber attacks by the Chinese and Russians as being for
financial purposes. Can you go through that process again? I
want to make sure I get that information because you said some
of it was financial and some was more malicious intent. Can you
make sure I have all that information correct?
Mr. Bejtlich. At the top, the nation-State end, you see the
Russians, the Chinese, increasingly now the North Koreans and
the Iranians.
The problems you discussed with health care, that could
come from any sector. It could be a criminal element, an
activist element and so forth.
Briefly, we do have part of an answer. That is in the
security community specifically with researchers. Part of the
problem they are encountering is some of the research they do
could be construed as hacking and put them at risk of being
prosecuted simply for trying to identify these vulnerabilities.
We need to create a safe space for that sort of work.
Mr. Walker. In your opinion, if you are looking at lone
wolf, guy on the mountain based criminal behavior versus some
of the international threats, give me a concern overall in your
community as far as what we are looking at. Where is the
weightedness as far as immediate concern?
Mr. Bejtlich. From the chronic theft of intellectual
property, business methods and that sort of thing, I care about
the Chinese the most. If I care about geo-political problems
that could leak from the physical area, I worry about the
Russians and what is going on in Ukraine and their using cyber
capability to deter or back up something they are doing
physically.
Mr. Walker. Do you have any numbers as far as how many
attacks we might be trying to fend off on a daily basis?
Mr. Bejtlich. The best number I gave, sir, was the 3,000.
Those are not trivial hacks caused by someone in a basement.
Those are serious intruders that are tracked on a campaign
basis by the FBI.
Mr. Walker. Before my time expires, you mentioned three
things earlier as far as working to prevent some of this,
better credit cards. Can you address some of that? What do you
mean by that?
Mr. French. Better payment card security. The card security
choices have been made by the card industry and the banks. Part
of it is hardening the card, putting a chip on the card and
that is going on currently.
As Mr. Mierzwinski noted, the banks are choosing to use
chip and signature, not chip and pin. The only really effective
method of authenticating an individual is a pin.
A system also needs end-to-end encryption as well as
tokenization. Ultimately you want to take the number out of the
system so that the number cannot be captured and replicated.
Mr. Walker. Thank you, Mr. Chairman. I yield back.
Mr. Hurd. Thank you, Mr. Walker.
I now recognize the Ranking Member, Ms. Kelly, from
Illinois.
Ms. Kelly. Thank you, Mr. Chairman.
In a survey of health care providers published last year,
the Ponemon Institute found ``90 percent of health care
organizations in the study have had at least one data breach in
the past 2 years.''
A New York Times article that was published stated,
``Health organizations like Anthem are likely to be vulnerable
targets because they have been slower to adopt measures like
keeping personal information in separate data bases that can be
closed off in an attack. They are generally less secure than
financial services companies with the same type of customer
data.''
Mr. Nutkis, as the CEO of an organization that works with
many leading health care organizations to improve their data
security, what are the most pressing challenges the industry
faces when it comes to securing the personal data of its
patients from cyber thieves?
Mr. Nutkis. That is a question we deal with all the time.
We have a maturity problem. We have a resource problem. I think
we have seen the two of them come together.
I think we have done a good job in moving the yardsticks
with regard to industry's maturity. We have seen large
organizations implement stronger security controls. I think it
is important to note we do this on a risk basis, meaning that
we assume health care data is never going to be as well
protected as launch codes to a nuclear silo or payloads.
I think there is an expectation that there is always an
amount of risk. Certainly we can do a much better job. We have
tried to do this with education and bringing in tools. One of
the things is we are really transitioning from being a compliance-
based industry, not a risk-based industry.
Our major focus, although we have known for many years that
cyber was coming, we had regulations to comply with in regard
to HIPAA privacy and people were spending more resources on
those things because the data supported a privacy breach versus
a security breach.
Where do you spend your resources? You look at the top ten
list. You focus on privacy. I think we have seen this
transition very quickly to security. I think now we are seeing
organizations take it seriously.
It would certainly help, and we have looked for, a degree
of safe harbor. You do the right things, you implement the
right controls, you get management support to get the funding,
and when you do that, if something happens, which will happen
by the way in some cases, you did everything you could.
Right now, by the way, organizations look at Anthem, look
at other organizations that did extremely well. They were able
to detect it themselves, they communicated quickly and have
done a number of things. They go, well if Anthem cannot protect
themselves, we do not have a chance.
I think we are trying to let them know that is not the
case. There is a lot that you can do. As a matter of fact, as
those other organizations start to build stronger security
measures, you are going to be a bigger target because you are
all that is left.
Ms. Kelly. Would you cite the reasons you just shared with
us for the health care industry being technologically behind
other industries because of where the focus has been and the
resources have gone?
Mr. Nutkis. I think there are two reasons. One certainly is
the resources, no question about it. The other, I think to some
degree, is we have a lot of organizations. We have at least
400,000 directly in the industry and some that are sole
practitioners, two-doc practices, so I think when you get below
the first 50,000 in the industry, you are really talking about
very resource-challenged.
I think a lot of what we have tried to do is figure out how
to move the maturity. Unfortunately, they are all
interconnected. The small doc's practice still gets access to
the same records that the health plan or hospital has. You end
up with a big weak link problem. We have really tried to move
that. We see it as a resource problem and also a priority
problem.
Ms. Kelly. What would be your key recommendations for
improving the apparent security vulnerabilities?
Mr. Nutkis. Our recommendations are providing a degree of
safe harbor, recognizing organizations that implement strong
security controls, and get assessed against those controls to
demonstrate, in fact, that they are doing everything they can.
The State of Texas is a good example. Texas has something
called Secure Texas which if you comply with and get certified,
you get a degree of liability protection if something happens.
Organizations seem to be very receptive and see that as the
right way to go get the funding they need.
We look at information sharing as a great approach. I think
it important to note that to some degree--look at the Premera
breach yesterday or even the Anthem breach--the information
that is being shared is quite old. Those breaches occurred in a
period of time previously.
Also, we are still trying to work with the vendor
community. It is a $68 billion market of information security
products. We would like to see them step up more as well. The
small organizations do not have a chance in being able to
affect the save way and the budgets are not the same. They are
going to have to rely more on existing product.
Ms. Kelly. How can Congress help you? How can we be of
assistance?
Mr. Nutkis. We would be very supportive of things like safe
harboring, giving organizations the ability to do the right
things, understand what they are, and implement them.
We certainly are in favor of information sharing but again,
if you do not have mature organizations, you end up with bad
data being shared which really does not help anyone. We are
hoping we get the controls in place. People can adopt those
controls which force more mature organizations, more mature
organizations can more effectively share.
I think we have seen a lot of large organizations in
industry being willing to share. We have seen the new bill
supporting that. We think that is moving along. We see
liability protection with regard to safe harbors being the way
to get the whole process started.
Once everyone starts getting more mature, there is better
sharing, less risk and the whole model comes together.
Ms. Kelly. Thank you so much.
Thank you, Mr. Chair.
Mr. Hurd. I recognize my colleague, Ms. Duckworth, from
Illinois.
Ms. Duckworth. Thank you, Mr. Chairman.
I would like to turn the discussion toward the concept of
data minimization and data reduction as a security measure.
Mr. Bejtlich, could you speak a bit to this principle? Do
you think that as a practice, if businesses adopted data
minimization, would this type of security measure be more
effective in mitigating the damage from a breach?
Mr. Bejtlich. When you think in terms of risk, you have
threat, vulnerability and the impact. To date, most of the
focus has been on vulnerability. The problem is vulnerability
is everywhere.
If we can take steps that make the data less valuable, then
if there is a breach, when there is a breach, there will not be
that much of an impact. Furthermore, we should look at ways for
recovery. In other words, we are looking at what can we do to
stop a breach from happening but we need to look at once the
breach has happened, what happens next. Who is responsible for
cleaning up the mess of an identity theft? How much does it cost?
There is a misalignment of a lot of these issues so it
falls on the consumer and the citizen. Many times they are in
the worst position to try to effect change.
Ms. Duckworth. Can you speak a bit to the role of
encryption in protecting highly sensitive data, especially on
business and agency networks? This committee's job is to
provide oversight of business and government agencies. Can you
speak a bit to encryption?
I also sit on Armed Services and am looking at some of
their encryption challenges, especially with significant
numbers of subcontractors, sub-subcontractors and the like.
Mr. Bejtlich. Encryption has a value in certain areas. If I
am going to talk to a colleague at the end of the table and
want to make sure no one in between can hear it, I want to
encrypt that data.
If I am carrying around data on an external hard drive or a
thumb drive and I lose it in a taxi, I want to make sure that
is encrypted.
Encryption stops the intruder from getting access to it. In
certain areas encryption can be useful but we have to remember
that in order for data to be useful, it has to be read at some
point. Encryption will not necessarily be valuable at the point
where that data is being used.
Ms. Duckworth. Following this train of thought, I would
like to look at data segmentation. We have talked about data
minimization and encryption. Let us talk about data
segmentation.
Mr. Johnson, can you talk about this as a practice in your
industry, if it is considered a best practice, and what would
be happening if more businesses chose to do data segmentation?
Mr. Johnson. I think it is really systems segmentation when
you look at it. I think we have seen a number of breaches both
within our industry and in the merchant industry and others
where segmentation has not occurred and you have been able to
get into a separate system because there was an ability to
enter into a different system.
An example might be an air conditioning vendor in the case
of Target and in the case of a financial institution, I know of
a work file going into human resources that ended up
compromising an ATM system.
It is very, very important to learn those lessons that you
have segmentation between those systems and only authorize
access to data and substantial rights protections associated
with who has the right to that data, to view that data and
change that data.
I think we spend a lot of time in our industry thinking
through that and our regulatory agencies do as well. One of the
major findings that the regulatory agencies came up with based
upon their 500 audits they did last year of community banks was
there was absolutely undue complication within financial
systems.
There were things plugged into other things that did not
need to be plugged in to other things. There were connectivity
issues associated with systems.
One of the charges we have based on that is to look and
make sure our systems are not unduly complicated so that we do
not unduly add data and potentially be compromised because of
that.
Ms. Duckworth. Mr. Bejtlich, could you speak a bit to the
cooperation between the Chinese government and their business
sector in conducting cyber espionage? Specifically, I am
thinking of the case where there were Chinese companies that
infiltrated Lockheed Martin, stole a lot of data and shared
that data with the Chinese government which then resulted in
their upgrading their fifth generation fighter jets.
Can you talk a bit about that partnership that seems to be
occurring?
Mr. Bejtlich. There is collaboration among different
elements of the Chinese hacking scene. You have top end
military units, militia units, quasi-military and then you have
the patriotic hackers.
There is certainly a career progress that people go
through. As far as the tasking goes, the military units are
tasked to go after private sector companies in the west to
steal intellectual property, business methods and that sort of
data.
Ms. Duckworth. Thank you.
Mr. Hurd. Thank you.
Votes have been called on the floor but I believe we can
make it through questioning so the witnesses will not have to
wait around during the vote series.
With that, I would recognize the Ranking Member of the
Oversight and Government Reform Committee, Mr. Cummings, from
Maryland.
Mr. Cummings. Mr. Chairman, I will be brief because I know
you want to get to your questions.
First of all, I want to welcome you to your chairmanship
and to the committee. I want to thank our Ranking Member.
Congratulations to both of you.
The issue of cyber security has been one which I have been
trying to raise before this committee for years. I give credit
to you and Chairman Chaffetz for addressing it now because it
is so very, very important.
I have a lot of questions but I want to let the Chairman
ask his questions.
I sit on the Naval Academy Board of Trustees and Board of
Visitors. We understand that cyber security is so very
important. We have done a lot to make sure that all of our
midshipmen are exposed to cyber security education.
Do you think that we are preparing our Nation and our young
people and the troops to be able to effectively deal with this
very, very serious threat to our way of life, to our existence?
Right now, we are dealing with the Secret Service. You see
situations where people say we are prepared but when it comes
time for the rubber to meet the road, you discover there is no
road.
I am wondering how you all feel about our colleges,
universities and other institutions? Are we where we need to be
to effectively deal with this serious problem?
Mr. Bejtlich. Sir, I can address that. I am from the Air
Force Academy class of 1994. I maintain contact with my
colleagues there. Also, I have been to beautiful Annapolis.
At the service academies you do see very strong focus on
cyber security. There are contests between the different
academies.
Outside of that, at the regular universities and such, as
my generation moves into teaching, you are seeing more focus on
what we have done in corporate America in dealing with
intruders, less focus on more abstract topics like
cryptography, which has a role, but it is not the same thing as
the rubber meeting the road that you mentioned. I think that
situation is getting better.
I would like to also mention CyberPatriot. This is a
program for middle school and high school students nationwide.
My kids' school just won the national championship for the
middle schools.
There is a focus now that is both generational and also at
different levels of schools, not just at the colleges but we
are seeing that migrate down to the middle schools. I would not
be surprised if there is a one through five program coming up
next.
Mr. Cummings. Thank you, Mr. Chairman.
Mr. Hurd. Mr. Cummings, I appreciate your being here today
and your leadership on this committee.
I now recognize myself for 5 minutes for questioning.
The first question goes to Mr. French, Mr. Nutkis and Mr.
Johnson. Can you talk to me about the top two digital threats
to your industry and the folks you represent, the kind of
threat actor whether it is a country or a specific individual
or a person looking for a particular type of information?
Mr. French. From the pattern of breaches that we have seen
in recent years, it is organized gangs of criminals using very
sophisticated attacks generally originating in Eastern Europe.
I think that is the pattern we have seen almost in every
instance.
Unfortunately, they have a very sophisticated method of
doing this and wipe their tracks when they go in. It is very
difficult. They know what we are looking for and it is very
difficult for us to track them inside our systems and wipe them
out.
Mr. Hurd. Mr. Nutkis?
Mr. Nutkis. I think we see it in two ways, assuming by the
way that we protected it to begin with, in the first, but I
think we found with the Chinese they are there so long and so
stealthy that the damage is substantial. When they get in, you
are seeing much larger breaches or we are not seeing them at
all because they are getting in and out.
We are also seeing from Russia more financial. There is
either some sort of extortion or financial. They are less
methodical, so they leave a lot more trails.
Those two for us are the ones we see the most.
Mr. Johnson. Unfortunately, sir, we see them all. Of course
during the service attacks, those were political, so those were
from a nation State. From the Chinese, we see the intellectual
property thefts. From the criminals, regardless whether or not
they are attacking for economic gain, any set of breached data,
it is going to be a bank customer we end up reimbursing at the
end of the line for potential financial loss.
We become increasingly concerned about threats that have
the potential of manipulating or destroying data. When does
data disruption become data destruction is what we spend a lot
of time thinking about in terms of ensuring we do not have data
with the capacity to be manipulated.
You hear about advanced persistent threats a lot. I think
there are more irritating persistent threats, IPTs, because
they do not necessarily have a level of advancement, they just
happen to be there for very extended periods of time over time.
We see a great deal of patience among all these perpetrators.
Mr. Hurd. Mr. Bejtlich, in your opinion, I know your firm
deals with all of the above threats. Is the Federal Government
prepared to help private industry and the private sector in
fighting these issues?
Mr. Bejtlich. We have seen in recent high profile breaches,
the FBI ready to assist. I do not know their ability to scale,
however. I am not sure if we were to send the Bureau to every
one of the breaches that my company is working, whether they
would become quickly overwhelmed.
That is one of the areas where this is different than a
physical situation where you can call your local police and
they are usually equipped to help you. We do not yet have a
scalable government response to the problem.
Mr. Hurd. Mr. French, Mr. Nutkis and Mr. Johnson, very
quickly, in what ways can the government better provide
information to you or what type of information should the
government be providing to you to help protect your industry
and the folks you represent?
Mr. French. The government could do two things, in our
opinion. First, better cyber sharing legislation would help to
facilitate more real time exchange of information so that
parties within the economy would be sharing with each other.
The government has, through many of their systems, whether
it is US-CERT or the Secret Service or FBI, done a very good
job of working with, for example, Mr. Johnson's FS-ISAC. The
FS-ISAC is a very sophisticated means of flowing that
information out. They use a traffic light protocol that shares
that information with parties and partners in the industry
including retailers.
The information flow is there but we could use some cyber
security legislation.
Mr. Hurd. Mr. Nutkis, briefly.
Mr. Nutkis. I think for us it is the format of the
information. We would like more information that is more
valuable, accurate information and we would like it in a format
that we can get to the consumer quickly.
There is a lot of work involved and a lot of it is
information. The analogy I use is Amazon online, Hulu Plus and
Netflix. We are getting the same information over and over
again. We really just want the stuff we want, so specify what
is really important.
If you end up with too much information, people get
distracted, so we need good information and we need it in a
format that we can distribute quickly.
Mr. Hurd. Mr. Johnson, you have 30 seconds.
Mr. Johnson. First of all, let the record show that I
completely agree with Mr. French on this issue regarding
information sharing.
Second, I think liability protection is the other piece of
that because we need clarity in terms of what that liability
protection for voluntary sharing of information is, recognizing
proper privacy protections need to be in place, and data needs
to be minimized.
I think that would greatly enhance the ability of us to
have more adequate information sharing across sectors
particularly.
Mr. Hurd. I would like to recognize Ms. Kelly for 2
minutes.
Ms. Kelly. Mr. Mierzwinski, since not everyone is familiar
with the crime of medical identity theft, can you explain to us
what it is, how it occurs, and then what type of personal
information do cyber thieves target when they commit medical
identity theft?
Mr. Mierzwinski. Medical identity theft is a relatively
newly identified problem. The World Privacy Forum has issued
several reports on it. Essentially, instead of opening bank
accounts in your name, somebody obtains medical services in
your name. They may not be able to afford health insurance but
they use your health insurance to get the services that they
cannot afford.
It is a very significant problem. Again, for the first
time, we understand that the Anthem breach did not include
medical service information but the Premera breach may have.
The Anthem breach, however, provided enough information to
commit all the other kinds of identity theft and possibly to
apply for health insurance in your name.
Ms. Kelly. Thank you so much.
Thank you, Mr. Chairman.
Mr. Hurd. Gentlemen, I wish we had two or three more hours
to continue this conversation. This is an important topic and
something I am looking forward to working with Ranking Member
Kelly on.
I really appreciate you all taking the time to appear
before us today. The materials you provided in advance were
incredibly helpful as well. I am looking forward to following
up with each of you individually on that as we chart a course
on making sure the Federal Government is doing absolutely
everything we can to protect our consumers and our industries
from those trying to do us ill.
If there is no further business, without objection, the
subcommittee stands adjourned.
[Whereupon, at 2:03 p.m., the subcommittee was adjourned.]