[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]





    SMALL BUSINESS CYBERSECURITY: FEDERAL RESOURCES AND COORDINATION

=======================================================================

                                HEARING

                               before the

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                             MARCH 8, 2017

                               __________



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


            Small Business Committee Document Number 115-007
              Available via the GPO Website: www.fdsys.gov




                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

24-421                         WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
  

















                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        TRENT KELLY, Mississippi
                             ROD BLUM, Iowa
                         JAMES COMER, Kentucky
                 JENNIFFER GONZALEZ-COLON, Puerto Rico
                          DON BACON, Nebraska
                    BRIAN FITZPATRICK, Pennsylvania
                         ROGER MARSHALL, Kansas
                                 VACANT
               NYDIA VELAZQUEZ, New York, Ranking Member
                       DWIGHT EVANS, Pennsylvania
                       STEPHANIE MURPHY, Florida
                        AL LAWSON, JR., Florida
                         YVETTE CLARK, New York
                          JUDY CHU, California
                       ALMA ADAMS, North Carolina
                      ADRIANO ESPAILLAT, New York
                        BRAD SCHNEIDER, Illinois
                                 VACANT

               Kevin Fitzpatrick, Majority Staff Director
      Jan Oliver, Majority Deputy Staff Director and Chief Counsel
                     Adam Minehardt, Staff Director
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                     
                            C O N T E N T S

                           OPENING STATEMENTS

                                                                   Page
Hon. Steve Chabot................................................     1
Hon. Nydia Velazquez.............................................     2

                               WITNESSES

The Honorable Maureen K. Ohlhausen, Acting Chairman, Federal 
  Trade Commission, Washington, DC...............................     4
Chuck Romine, Ph.D., Director, Information Technology Lab, 
  National Institute of Standards and Technology, Gaithersburg, 
  MD.............................................................     6
Mr. Charles Rowe, President & CEO, America's Small Business 
  Development Centers, Arlington, VA.............................     7
Mr. Jim Mooney, President and CEO, Chevron Federal Credit Union, 
  Cybersecurity Committee Chair, National Association of 
  Federally-Insured Credit Unions, Arlington, VA, testifying on 
  behalf of the National Association of Federally-Insured Credit 
  Unions.........................................................     9

                                APPENDIX

Prepared Statements:
    The Honorable Maureen K. Ohlhausen, Acting Chairman, Federal 
      Trade Commission, Washington, DC...........................    22
    Chuck Romine, Ph.D., Director, Information Technology Lab, 
      National Institute of Standards and Technology, 
      Gaithersburg, MD...........................................    34
    Mr. Charles Rowe, President & CEO, America's Small Business 
      Development Centers, Arlington, VA.........................    42
    Mr. Jim Mooney, President and CEO, Chevron Federal Credit 
      Union, Cybersecurity Committee Chair, National Association 
      of Federally-Insured Credit Unions, Arlington, VA, 
      testifying on behalf of the National Association of 
      Federally-Insured Credit Unions............................    48
Questions for the Record:
    Questions and Responses from Hon. Adriano Espaillat to Hon. 
      Maureen K. Ohlhausen.......................................    77
    Questions and Responses from Hon. Adriano Espaillat to Chuck 
      Romine, Ph.D...............................................    79
    Questions and Responses from Hon. Adriano Espaillat to 
      Charles Rowe...............................................    82
    Questions and Responses from Hon. Adriano Espaillat to Jim 
      Mooney.....................................................    85
Additional Material for the Record:
    ICBA - Independent Community Bankers of America..............    87

 
    SMALL BUSINESS CYBERSECURITY: FEDERAL RESOURCES AND COORDINATION

                              ----------                              


                        WEDNESDAY, MARCH 8, 2017

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 
2360, Rayburn House Office Building, Hon. Steve Chabot 
[chairman of the Committee] presiding.
    Present: Representatives Chabot, Luetkemeyer, Knight, 
Kelly, Blum, Comer, Bacon, Fitzpatrick, Velazquez, Evans, 
Murphy, Lawson, Clarke, Espaillat, and Schneider.
    Chairman CHABOT. Good morning. I will call the Committee to 
order now. And we want to thank everyone for coming today.
    Over the past year, this Committee has turned its attention 
to an issue that is increasingly serious for small business, 
and that is cybersecurity. In past hearings, we heard firsthand 
accounts from small business owners who have been victims of 
cyberattacks.
    We have also heard dire warnings from cybersecurity experts 
about the new and varied cyber threats facing America's 28 
million small businesses.
    There is no question that advances in information 
technology have helped small businesses to increase their 
productivity, become more efficient, and ultimately more 
successful.
    However, the same tools and resources that have given small 
business owners a greater role in the marketplace have also 
provided cyber criminals and foreign bad actors with more 
opportunities to steal sensitive and valuable information that 
small businesses rely on to remain competitive.
    In 2015 alone, the United States Department of Justice 
recorded nearly 300,000 cybersecurity complaints.
    We have also learned that a cyber attack can have serious 
consequences, not only for small businesses, but also their 
customers and their employees and business partners. Sixty 
percent of small businesses that fall victim to a cyberattack 
close up shop within 6 months. Sixty percent. A 2014 survey 
from the National Small Business Association estimated the 
average cost of cyber attacks on a small business to be over 
$32,000.
    In our Committee's efforts to spotlight these serious and 
growing threats, it has been abundantly clear that the Federal 
Government needs to step up its game when it comes to 
protecting the cybersecurity of small businesses and 
individuals. And, to some extent, Federal agencies have begun 
offering resources directly to small businesses in recent 
years.
    Today we will hear from some of the Federal agencies that 
are already providing cybersecurity resources to small 
businesses. We will examine how these tools can be more easily 
accessed by small business owners and ensure that they are 
effective.
    Since the late 1990s, the Federal Government has become 
increasingly active in protecting our Nation's critical 
infrastructure and information technology, IT, systems. It has 
gone to great lengths to coordinate these efforts with State 
and local governments, as well as the private sector. However, 
it was not until recently that the Federal Government was 
encouraged to engage in greater information-sharing practices 
with businesses through the development of an overall framework 
for cybersecurity protocols. The framework would enable 
businesses of all sizes to implement a set of best practices 
for assessing cyber threats and reinforce their cybersecurity 
systems.
    Just last year, the House passed the Improving Small 
Business Cybersecurity Act, a bill that helps small businesses 
facing cyber threats by providing access to additional tools 
and resources through existing Federal cyber resources. The 
bill became law as part of the National Defense Authorization 
Act of 2017. The Department of Homeland Security, DHS, and 
other Federal agencies have been permitted to work through the 
Small Business Development Centers, SBDCs, to streamline cyber 
support and resources for small businesses.
    While I believe this is a very good start, I think it is 
glaringly obvious that Federal agencies tasked with providing 
cybersecurity resources to small businesses can be better 
coordinated. They should drive down duplicative resources and 
processes and ensure that small businesses are equipped to deal 
with the growing cyber threats.
    I look forward to hearing from our witnesses and their 
points of view on how we can more efficiently disseminate 
Federal cybersecurity resources to all of America's small 
businesses, and I would now like to yield to the ranking member 
for her opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Developing new innovations is fundamental to our nation's 
prosperity in the 21st century. But these technologies can only 
be beneficial if small businesses can adopt them without fear 
of malicious cyberattacks. Cybercrimes are becoming more 
commonplace and more sophisticated. And no matter what form 
they take, they can be devastating to business owners and their 
customers. A single attack can wipe out a small business, 
making cybercrime a severe problem for small entities.
    While businesses of all sizes must increasingly monitor 
cyber threats, small firms must prepare for these problems with 
far fewer resources than their larger counterparts. Because of 
the complexity and cost associated with implementing a security 
plan, only 31 percent of small firms take active measures to 
guard against such attacks.
    More than 80 percent of the time, the owner handles 
cybersecurity personally, making small firms more vulnerable 
than a competitor with a dedicated IT security consultant or 
staff member. In fact, last year, 60 percent of all targeted 
attacks struck small- and medium-sized entities.
    These actions have costly implications for the small 
companies. The average cost of a data breach is nearly 
$200,000, and leads to 60 percent of targeted small businesses 
closing their doors within 6 months of being attacked.
    Because small firms stand to lose so much without data 
protection, it is imperative that they have the resources of 
the federal government at their disposal. The federal 
government has a duty to secure federal information systems and 
assist in protecting private systems.
    All agencies have their own duty to protect their systems, 
but due to rapid changes in cyberspace, agency roles are 
complex. The presence of over 50 relevant statutes addressing 
various aspects of federal cybersecurity responsibilities adds 
yet more confusion. And because agencies are busy navigating 
the rules pertaining to their own systems, efforts to help 
small firms have generally been neglected.
    However, the Department of Defense and Homeland Security, 
and the National Institute of Standards and Technology, have 
all recently embarked on efforts to assist businesses with 
cybersecurity needs.
    Additionally, federal spending on cybersecurity is expected 
to rise above $20 billion over the next several years. 
Implementation of the Cybersecurity Information Sharing Act of 
2015 continues moving ahead. Despite this progress, 
collaboration between agencies and small firms is lacking, 
which affects us all.
    We must improve our efforts to help small businesses 
overcome these challenges. I was pleased, for example, that the 
National Defense Authorization Act includes a provision 
instructing SBA to coordinate with DHS to develop a small 
business cyber strategy.
    Most importantly, it leverages the SBA's vast network of 
Small Business Development Centers, which have a proven record 
of helping entrepreneurs all over the country.
    Although this is a step in the right direction, we must do 
more to encourage small firms to protect themselves and their 
customers from cyber threats. Today's hearing will give us an 
opportunity to review federal investment in cybersecurity and 
how we can facilitate collaboration with the small business 
community. We cannot accept the bare minimum as our nation 
seeks to end continued data breaches.
    With that, I want to thank all the witnesses for being here 
today, for your participation and insights into this important 
topic.
    I yield back, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back.
    And if Committee members have opening statements prepared, 
we would ask that they be submitted for the record.
    And I will now take just a moment to explain our lighting 
system. It is really pretty simple. Each of you get 5 minutes. 
We all get 5 minutes. And the lights will assist you in kind of 
keeping within that. The green light will stay on for the first 
4 minutes. The yellow light will come on to let you know you 
have got about a minute to wrap up. And then the red light will 
come on, and, hopefully, you are finished by that time or will 
be shortly thereafter. So if you could stay within those, we 
would greatly appreciate it.
    And I would like to introduce our very distinguished panel 
here this morning. I will begin with our first witness.
    Maureen Ohlhausen, who is acting chairman of the FTC, 
Federal Trade Commission. She was sworn in as the commissioner 
back in 2012. She also served as director of the Office of 
Policy Planning from 2004 to 2008, where she led the FTC's 
Internet Taskforce. And we welcome you this morning.
    Our second witness will be Chuck Romine, director of the 
Information Technology Lab at the National Institute of 
Standards and Technology. Dr. Romine oversees a program that 
promotes U.S. innovation and industrial competiveness by 
developing standards and guidelines for Federal agencies and 
U.S. industry, and we welcome you here, Doctor.
    And our third witness will be Tee Rowe, who is the 
president and CEO of America's Small Business Development 
Centers. He is also the chairman of the Small Business 
Legislative Council and a member of the U.S. Chamber of 
Commerce's Council on Small Business. Mr. Rowe also served the 
Small Business Committee for 10 years as counsel. So welcome 
back.
    And I would now like to yield to the ranking member to 
introduce our fourth witness.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    It is my pleasure to introduce Mr. James Mooney, President 
and CEO of Chevron Federal Credit Union, located in California, 
and serving members since 1935. Mr. Mooney is also the 
Cybersecurity Committee Chair for the National Association of 
Federally-Insured Credit Unions, NAFCU. He is testifying on 
behalf of NAFCU, which is the only national organization 
exclusively representing the nation's federally-insured credit 
unions. Welcome. Thank you for being here.
    Chairman CHABOT. Thank you very much.
    And now we will hear from our distinguished panel. And Ms. 
Ohlhausen, you are recognized for 5 minutes.

   STATEMENTS OF THE HONORABLE MAUREEN K. OHLHAUSEN, ACTING 
   CHAIRMAN, FEDERAL TRADE COMMISSION; CHUCK ROMINE, PH.D., 
  DIRECTOR, INFORMATION TECHNOLOGY LAB, NATIONAL INSTITUTE OF 
  STANDARDS AND TECHNOLOGY; CHARLES ROWE, PRESIDENT AND CEO, 
   AMERICA'S SMALL BUSINESS DEVELOPMENT CENTERS; JIM MOONEY, 
PRESIDENT AND CEO, CHEVRON FEDERAL CREDIT UNION, CYBERSECURITY 
  COMMITTEE CHAIR, NATIONAL ASSOCIATION OF FEDERALLY-INSURED 
                         CREDIT UNIONS

               STATEMENT OF MAUREEN K. OHLHAUSEN

    Ms. OHLHAUSEN. Chairman Chabot, Ranking Member Velazquez, 
and members of the Committee, I am Maureen Ohlhausen, the 
Acting Chairman of the Federal Trade Commission. And I 
appreciate the opportunity to present the Commission's 
testimony on data security and, in particular, our efforts to 
coordinate with our partners at NIST, who I am pleased to be 
with here today, and the SBA, to educate small business.
    Data breaches are commonplace, and in the case of small 
business, a data breach can be devastating. While they may 
never make headlines, the majority of attacks target small- and 
midsized companies. And as you already mentioned, according to 
the National Cybersecurity Alliance, some 60 percent of all 
small businesses shutter their doors within 6 months of a 
breach.
    The Federal Trade Commission is a small, independent agency 
with a large role to play when it comes to data security, and 
we are committed to protecting consumer privacy and promoting 
data security in the private sector through enforcement and 
education.
    The Commission enforces several statutes and rules that 
place data security requirements on companies: the Gramm-Leach-
Bliley Act, which covers certain financial institutions; the 
Children's Online Privacy Protection Act covering children's 
information; and the Fair Credit Reporting Act covering credit 
report information. The Commission also enforces the FTC Act, 
which applies to a broad range of companies.
    The core requirement under each of these laws is that 
companies must maintain reasonable security. None of the laws 
contain prescriptive, detailed legal requirements; rather, 
their requirement of reasonable security is a flexible one that 
is scalable for small companies. A company's data security 
measures must be reasonable in light of the sensitivity of 
consumer information it holds, the size and complexity of its 
data operations, and the cost of available tools to improve 
security and reduce vulnerabilities.
    Since 2001, the Commission has used its authority to take 
action against approximately 60 companies that it charged with 
failing to provide reasonable protections for consumers' 
personal information. In each of these cases, the data security 
failures were not merely isolated mistakes. Instead, the 
Commission challenged alleged data security failures that were 
multiple and systemic. The Commission has made clear that it 
does not require perfect security, that there is no ``one size 
fits all'' data security program, and that the mere fact that a 
breach occurred does not mean that a company has violated the 
law.
    In addition to law enforcement, the FTC offers guidance to 
help businesses of all sizes improve their data security 
practices. In November, we released an update to ``Protecting 
Personal Information: A Guide for Business,'' a guide we first 
published in 2007. Last fall, the FTC released guidance 
describing immediate steps companies should take when they 
experience a data breach. And in 2015, the FTC launched its 
Start with Security initiative, which includes a guide for 
business that summarizes the lessons learned from the FTC's 
data security cases. As part of this initiative, the FTC hosted 
events across the country, bringing business owners together 
with industry experts to discuss practical tips and strategies 
for implementing effective data security. Last year, staff 
presented our Start with Security materials to thousands of 
small business owners on six cybersecurity webinars sponsored 
by NIST and the SBA.
    We are especially sensitive to the needs of small business. 
Sole proprietors and companies with just a few employees 
generally do not have full-time information technology or human 
resources staff, and that is why I have directed FTC staff to 
create a one-stop shop on our website with materials 
specifically for small business. And in the coming months, we 
will expand our business outreach on data security issues with 
a focus on helping very small companies identify risks and 
develop data security plans.
    So thank you for the opportunity to provide the 
Commission's views, and we look forward to continuing to work 
with the Committee and Congress on this critical issue.
    Chairman CHABOT. Thank you very much.
    Dr. Romine, you are recognized for 5 minutes.

                   STATEMENT OF CHUCK ROMINE

    Dr. ROMINE. Chairman Chabot, Ranking Member Velazquez, 
members of the Committee, thank you for the opportunity to 
appear before you today to discuss NIST's cybersecurity efforts 
as they relate to small businesses.
    The IT security challenge for small businesses looms larger 
than ever. Since nearly 99 percent of all U.S. businesses are 
small- or medium-sized, a vulnerability common to a large 
percentage of these organizations could pose a significant 
threat to the Nation's economy and overall security.
    NIST has worked with Federal agencies, industry, and 
academia in cybersecurity since 1972. NIST's role to research, 
develop, and deploy information security standards and 
technology to protect the Federal Government's information 
systems against threats to the confidentiality, integrity, and 
availability of information and services, was reaffirmed in the 
Federal Information Security Modernization Act of 2014.
    In 2016, NIST released a major revision to the popular 
report, ``Small Business Information Security: The 
Fundamentals.'' The report is designed for small business 
owners with little cybersecurity expertise and provides basic 
steps needed to help protect their information systems.
    NIST's framework for improving critical infrastructure 
cybersecurity, or the framework, was released 3 years ago. The 
framework's voluntary, risk-based, prioritized, flexible, 
repeatable, and cost-effective approach was developed for use 
by organizations, including small businesses, to help manage 
cybersecurity-related risk. Key to the continuing success of 
the framework is that it is voluntarily implemented by industry 
and voluntarily adopted by infrastructure sectors.
    In addition to the cybersecurity framework, NIST has 
developed over the past decade an extensive set of security 
standards and guidelines, including a risk management framework 
that can be customized for small businesses and voluntarily 
implemented to help protect intellectual property and 
organizational assets.
    Building on the success of the cybersecurity framework and 
the Baldridge Performance Excellence Program, NIST released the 
draft Baldridge Cybersecurity Excellence Builder, a self-
assessment tool, to help organizations of all sizes better 
understand the effectiveness of their cybersecurity risk 
management efforts. Using the Builder, organizations of all 
sizes can determine cybersecurity-related activities that are 
important to business strategy and the delivery of critical 
services, and prioritize investments in managing cybersecurity 
risk.
    Since 2001, NIST has partnered with the Small Business 
Administration and the Federal Bureau of Investigation's 
InfraGard program to sponsor regional computer security 
workshops and provide online support for small businesses. The 
workshops feature security experts who explain information 
security threats and vulnerabilities, and describe protective 
tools and techniques that can be used to address potential 
security problems. In 2016, NIST partnered with the SBA, the 
Federal Trade Commission--I am grateful that we are here 
together--and the Department of Energy, to provide 
cybersecurity training webinars to hundreds of small 
businesses.
    The National Initiative for Cybersecurity Education, or 
NICE, led by NIST, released the draft NICE Cybersecurity 
Workforce Framework in 2016, to help our Nation more 
effectively identify, recruit, develop, and maintain its 
cybersecurity talent.
    NIST is also piloting the establishment of alliances to 
coordinate regional activities addressing the cybersecurity 
workforce shortage.
    The NIST National Cybersecurity Center of Excellence, or 
NCCoE, collaborates with experts from industry, academia, and 
government to create and promote standards-based solutions to 
real world cybersecurity problems using commercially available 
products in the form of technical practice guides that can be 
used by organizations, including small- and medium-sized 
businesses.
    The NCCoE project on mobile device security, for example, 
provides guidance on the implementation of capabilities to 
secure sensitive business data residing in the cloud and being 
accessed by employees on mobile devices.
    Small businesses are more innovative, agile, and productive 
than ever, thanks to the capabilities delivered by information 
technology, but the IT security challenge looms larger than 
ever. The NIST programs described today demonstrate that NIST 
cybersecurity portfolio is applicable to a wide variety of 
users, including small businesses.
    NIST is fiercely proud of its role in establishing and 
improving the comprehensive set of cybersecurity technical 
solutions, standards, guidelines, and best practices, and of 
the robust collaborations enjoyed with its Federal Government 
partners, private sector collaborators, and international 
colleagues.
    Thank you for the opportunity to present NIST's views 
regarding security challenges facing small businesses. I will 
be pleased to answer any questions that you may have.
    Chairman CHABOT. Thank you very much, Doctor.
    Mr. Rowe, you are recognized for 5 minutes.

                   STATEMENT OF CHARLES ROWE

    Mr. ROWE. Chairman Chabot, Ranking Member Velazquez, 
members of the Committee. Thank you for inviting me to testify 
on behalf of America's SBDCs.
    SBDCs operate in all 50 States and D.C., Puerto Rico, the 
Virgin Islands, American Samoa, and Guam. Every year, SBDCs 
assist over 200,000 small businesses, and last year we helped 
those clients gain nearly $7 billion in sales.
    But that statistic comes with a hidden peril, cybercrime. 
More of our clients do business online, and every one of them 
is vulnerable. They want to do more business online, but they 
have weaker online security, and they can be a gateway to 
clients, partners, and contractors. And those secondary attacks 
are now a regular problem for our small business clients.
    And not all hacking is for financial gain. Two years ago, 
websites were plastered with Islamic State logos; among them, 
Montauk Manor in New York and El Dora Speedway in Ohio. No 
financial information was stolen, but they had to rebuild their 
sites and restore client confidence.
    SBDCs are working to spread awareness of these threats and 
build training programs at SBDCs all across the country. Around 
the Nation, we are developing programs to build capacity and 
our training skills. In Florida, our network is working with 
former DHS Secretary Tom Ridge to develop a series of training 
videos. The New York SBDC published a cybersecurity planning 
guide, which I think all of you have in front of you, which we 
are disseminating to other States to help them build their 
capacity.
    We began developing these resources because advising 
clients on the Internet as a business engine also requires 
education on the dangers of cybercrime.
    Under the 2017 NDAA, SBDCs are now working with Homeland 
Security and SBA to leverage our resources and provide enhanced 
training and assistance. We want to develop cost-effective, 
high-quality tools for small business and a network to share 
information and threat analysis with those small businesses.
    I want to thank the members of this Committee for working 
on that language and getting it into the NDAA. The timing could 
not be more critical.
    While SBDCs are training small business on the first line 
of their cybersecurity needs, the internal focus of basic 
security practices, threats and weaknesses, ways to help them 
protect their customers and themselves, we are looking at a 
bigger effort, and that is the external demands of 
cybersecurity.
    On the commercial side, large businesses are going to place 
growing demands on their small business suppliers. What 
certifications are they going to ask for? What kind of systems? 
And who is going to supply those certifications? And more 
important, who is setting the standards?
    Last year, the FCC stepped in and declared ISPs to be 
common carriers. Now they have pulled back in favor of 
harmonization, but small businesses are left wondering who is 
actually making rules? And while Verizon and Comcast are 
batting Google and Facebook over this, what regulations will 
end up being placed on small business?
    We know small businesses can be a back door. Does that mean 
the rules will be set by the biggest firms at the expense of 
the small firms?
    Google already declared certain websites to be unsafe if 
they do not have what Google considers adequate security. Now, 
http versus https is serious, but how many small businesses 
know this? And how much business will they lose because eBay 
was not http-compliant and Google users could not find them, or 
would not go to them.
    And then there is the government side. The previous 
administration was proud of meeting small business goals. Will 
that last? They also put out a lot of cybersecurity 
regulations. The DOD and the FAR Council issued cybersecurity 
amendments to their acquisition regulations, and Homeland 
Security recently released three more proposed regulations for 
their acquisition regs. How are all of these regulations going 
to operate, and how will the agencies harmonize them with FSMA 
and the FTC? And will the standards be set at the convenience 
of the largest contractors? And what about the subcontractors? 
If you have a cybersecurity protocol for large prime 
contractors that flows down, it can easily freeze out small 
subcontractors.
    That is why SBDCs are glad we are working with DHS and SBA 
now, because we want to head off this confusion. A lot of our 
members work with PTACs and do a lot of procurement assistance 
with small businesses, as well as regular business assistance, 
and we want to ensure that opportunity is not sacrificed for 
cybersecurity.
    Thank you again for the opportunity to testify. I look 
forward to your questions.
    Chairman CHABOT. Thank you very much.
    Mr. Mooney, you are recognized for 5 minutes.

                    STATEMENT OF JIM MOONEY

    Mr. MOONEY. Chairman Chabot, Ranking Member Velazquez, 
members of the Committee, thank you for inviting me here for 
this meeting today on behalf of NAFCU.
    As you know, cyber and data crime have reached epic 
proportions in nearly all sectors of the economy. As the 
ranking member mentioned in her opening statement, 65 percent 
of all targeted attacks last year were struck at small- and 
medium-sized companies.
    Now, credit unions and other financial institutions are 
required to protect data consistent with provisions of the 
Gramm-Leach-Bliley Act. Unfortunately, for other entities that 
handle sensitive, personal, and financial data, there is no 
comprehensive regulatory structure comparable or similar to 
GLBA. It is with this in mind that NAFCU supports comprehensive 
data and cybersecurity measures to create a national standard 
to protect consumers' personal information.
    From the perspective of the financial services industry, 
cybersecurity and data security are inherently linked. Securing 
consumers' personal information and financial accounts requires 
the entire payments ecosystem to take an active role in 
addressing emerging threats.
    Since 1999, GLBA and its regulations have proven to be 
effective in limiting data breaches and protecting valuable 
information among financial institutions. Regulators have 
developed robust guidance to help institutions create 
information security programs and enterprise risk management 
policies to address data and cybersecurity needs.
    In addition, they oversee financial institution 
cybersecurity through periodic examinations designed to assess 
the risk associated with IT environments of various sizes and 
complexity.
    The Federal Financial Institutions Examination Council has 
adopted the guidance of our friends from NIST in creating a 
cybersecurity assessment tool, or CAT. The CAT is a voluntary 
tool that credit unions and banks can use to gauge their 
cybersecurity readiness in advance of regulatory examinations.
    Credit unions and banks have also benefitted from the 
availability of government initiatives aimed at coordinating 
information sharing, identifying emerging threats, and 
providing greater cybersecurity expertise.
    A recent NAFCU survey found that credit unions use a range 
of government resources to maintain an awareness of emerging 
data security threats and to develop stronger cybersecurity 
standards. NAFCU has also engaged Treasury's Office of Critical 
Infrastructure Protection to suggest areas of improvement and 
future opportunities for public-private collaboration.
    Information sharing is a key weapon in credit unions' 
arsenal against cybercrime. To that end, NAFCU has recently 
collaborated with the industry-led Financial Services 
Information Sharing and Analysis Center to promote awareness of 
a new information sharing initiative specific to credit unions.
    Now, financial institutions are not the only targets of 
cyberattacks. Cybercriminals are realizing that merchants and 
retailers are often the weak link in the payment system. 
Retailers are an attractive target because they are not 
currently subject to any Federal laws on data security or 
breach notification.
    Data breaches at retailers can have a significant cost to 
financial institutions. From 2013 to 2016, data breaches have 
cost my credit union an estimated $833,000 just in member 
notification and card-reissue expenses. This does not even 
account for the actual fraud losses. These costs are almost 
double what Chevron Federal Credit Union pays annually for 
information security systems and services.
    Unfortunately, credit unions are rarely reimbursed for the 
costs associated with the majority of data breaches. As member-
owned, not-for-profit cooperatives, it is our members who 
ultimately bear the burden. These concerns have led NAFCU to 
urge Congress to create a national standard for data security. 
I outlined the key principles of this in my written testimony.
    In conclusion, cyber and data security are the 
responsibility of every participant in the payments chain. 
Credit unions and their 106 million members across the country 
are looking to Congress to advance meaningful and robust data 
security legislation. It is time to level the playing field and 
create a national data and cybersecurity standard for everyone 
in the payments ecosystem.
    Thank you for the opportunity to appear before this 
Committee, and I welcome your questions.
    Chairman CHABOT. Thank you very much. And we thank all the 
witnesses for their testimony this morning. And I will begin 
the 5-minute questioning by each of us. I recognize myself.
    I will begin with you, Ms. Ohlhausen. You thoroughly 
outlined the differences and the different resources that the 
FTC offers to small businesses, from guides on best practices 
to blog posts encouraging businesses to use email 
authentication and how to identify ransomware. And this is 
precisely the kind of information that small businesses need. 
No question about that.
    However, I have concern that we are just not reaching small 
business owners quickly enough or comprehensively enough; that 
there are a lot of them out there that just do not know about 
these offerings that are there for them. Do you have metrics on 
how many small businesses you are impacting? And what efforts 
are being made at the FTC to disseminate information more 
broadly? And finally, do you have any suggestions on how the 
Federal Government as a whole can provide a broader audience 
with cybersecurity resources?
    Ms. OHLHAUSEN. Thank you for your question, Chairman.
    First, starting with metrics, we do try to keep track of 
how frequently people access our materials, our guides, our 
videos, websites, things like that, and just one small measure 
is we actually have disseminated field orders for 500,000 
printed copies of some of our business education. It is 
available on our website. We do try to reach out to let people, 
small business know about it, and we work with our Federal 
partners. We are always happy also to work with members of 
Congress if you would like to put this on your website or brand 
it on a website. We also work with other organizations, 
community organizations, and we are happy to go out and do 
events around the country to bring this to small business. I 
have actually personally participated in several of those.
    Chairman CHABOT. Thank you very much.
    Dr. Romine, in your testimony you mentioned this 
partnership with the Small Business Administration and the FBI, 
as well as your cooperation with the SBDCs. Have these 
partnerships been effective in reaching small businesses? And 
if so, do you think they could serve as models for future 
interagency collaborations to assist small businesses 
developing cybersecurity systems?
    Dr. ROMINE. I would say, Mr. Chairman, yes, they have been 
highly effective. The extent of penetration we do not have 
statistics for, but I think small businesses have definitely 
benefitted from the partnership and from our campaign in 
partnership with both the InfraGard program with the FBI and 
also the SBA. I think it has been highly effective.
    Chairman CHABOT. Thank you.
    Mr. Rowe, do you think it would be beneficial to have a 
single entity to coordinate cybersecurity resources across 
Federal agencies, and if so, what would be the architecture of 
such? And today, are there any existing agencies or government 
entities that would be positioned to take on such a role?
    Mr. ROWE. Well, I am almost kind of loath to suggest 
creating more government, but I do think, at least on the 
procurement side, the FAR Council is there for a reason. And 
the FAR Council should be, frankly, focusing better on making 
sure that everyone in the Federal procurement arena is informed 
and has adequate resources. Now, that is just a specialized 
area.
    On the commercial side of it, I think we have got a lot of 
resources here, and as you said, I think the biggest problem we 
have is they are not coordinated. I mean, we have 1,000 centers 
and we are working like crazy to try and keep people informed 
and give them the best possible resources. The biggest problem 
you have is the average small business owner is, well, we like 
to call it trapped in the whirlwind. They have got 5,000 things 
to worry about and sometimes this is not the wolf closest to 
the sled. I believe we need to coordinate much the same way we 
have an interagency trade promotion coordinating committee. 
There should be a cybersecurity coordinating committee between 
the agencies.
    Chairman CHABOT. Okay. Thank you very much.
    Mr. Mooney, with the remaining time, I would like to move 
to you. I know that there have been these distributed denial of 
service attacks going on and ransom, et cetera, and it has been 
hitting the big folks, but it has been hitting small business 
folks as well. It seems like a 21st century bank heist where 
the robber basically says give me your money or I will shut 
down your website, in essence. Could you comment on that? What 
is being done about that? How can people protect themselves 
from that type of thing when they literally grab a hold of 
everything and want ransom in order to give you back your 
computer system?
    Mr. MOONEY. Mr. Chairman----
    Chairman CHABOT. If you could turn on the mic. Sorry.
    Mr. MOONEY. Mr. Chairman, the key is to have a security 
system that is multifaceted and multilayered. And in our case, 
we have built in for as many of those kinds of contingencies 
and attacks as we may face, as well as we can predict. And so 
what we find again is that there is no one answer to any 
security problem. You have to attack it in multiple ways, and 
that is what we tend to do.
    Chairman CHABOT. Thank you very much. My time is expired. 
The ranking member is recognized for 5 minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    You have testified about ways the FTC has provided 
resources to consumers and businesses to improve data security. 
You mentioned today that you hope to centralize information for 
small businesses. The number one consumer request for 13 years 
running has been an annual report on ID theft and data 
security. So has the FTC considered such a report that includes 
information on the latest threats and how we can mitigate those 
efforts?
    Ms. OHLHAUSEN. Thank you for your question. The FTC does 
collect information about what the biggest consumer threats 
are. We have a system called Consumer Sentinel. ID theft, you 
are absolutely right, has been very much a top concern. We have 
tried to counter that on several fronts. One is giving advice 
to businesses about how they can secure their data. Another is 
we have an identifytheft.gov tool on our website that helps 
victims of identity theft create a personalized plan to get 
their good credit and name back. I think that in addition to 
those things, we also bring, you know, enforcement actions 
where necessary if a company has not taken appropriate steps.
    Ms. VELAZQUEZ. And why is it that difficult for the FTC to 
produce a report geared to small businesses that provides a 
comprehensive view of all the threats and how they can mitigate 
them?
    Ms. OHLHAUSEN. Well, we could certainly consider doing a 
report. We do have our Start with Security brochure that gives 
a step-by-step approach for small business on how to take steps 
to protect data, and then if there is a breach, how they can 
remedy that breach. And if a report that is tied to current 
threats would be of additional interest to businesses, we can 
certainly consider that.
    Ms. VELAZQUEZ. Thank you.
    Mr. Mooney, despite the widespread nature of cybercrime, 
there remains a great deal of confusion in the legal system as 
to when individuals and businesses should bear losses and when 
financial institutions should be held responsible. Do you think 
that legislation is required to address this issue on a 
national basis?
    Mr. MOONEY. I believe it can. And the reason I say that is, 
as you noted, it is very ambiguous right now. And what I think 
really would clarify matters tremendously is if we had a 
national standard related to security practices, one that goes 
beyond what we have today. Today, Gramm-Leach-Bliley, as I 
mentioned before, provides that kind of clarity for banks, 
credit unions, and other financial institutions. Outside of 
that, there is really no clarity at all. And what we recommend 
is that there be a national standard along the lines of GLBA 
that provides the kind of flexibility, scalability, and risk-
based assessments that will add to the clarity and allow 
everybody to step up to the plate in the payment system.
    Ms. VELAZQUEZ. Okay. Thank you.
    Tee, would you like to comment on that?
    Mr. ROWE. Well----
    Ms. VELAZQUEZ. I know that you do not like legislation.
    Mr. ROWE. Well, I cannot say that. I made my living off of 
legislation. But I think you raised a good point. We have so 
many small business clients who are surprised to find out that 
when their account got drained there is no recourse. They are 
not like a consumer who is--I think it is Regulation E that 
protects them. They are under the Uniform Commercial Code. So 
basically, it defaults to that reasonableness standard. And the 
whole problem with the reasonableness standard is what is 
reasonable is shifting all the time. And it is hard to tell if 
you are a small business where the bar has moved to.
    Ms. VELAZQUEZ. Okay. I know that it has not been long since 
we passed the NDAA, it was signed into law, but in terms of the 
SBDCs, working on implementing and disseminating cyber 
strategy, what type of progress has there been so far?
    Mr. ROWE. Well, we always run into the problem in the 
transition, but, you know, we have been talking with SBA. Jack 
Bienko at SBA has been very helpful, and Holly Jackson from 
Homeland Security, who is in their cybersecurity and 
stakeholder engagement, which I never knew you had that in 
cybersecurity, which is great. So we are getting started. As I 
said, we have already organically begun our own efforts. The 
larger concern for us is going to be what you talked about, how 
do we develop--you talked about the report, but how do we 
develop basically a threat analysis and information network for 
small business? An annual report, well, that tells you what 
happened over the last year. It does not tell you what is going 
on now.
    Ms. VELAZQUEZ. Thank you.
    Chairman CHABOT. The gentlelady's time is expired.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Chairman CHABOT. Thank you.
    The gentleman from Missouri, Mr. Luetkemeyer, who is the 
vice chairman of this Committee, is recognized for 5 minutes.
    Mr. LUETKEMEYER. Thank you, Mr. Chairman.
    Mr. Rowe, in your testimony, or in your written testimony I 
should say, you have some statistics there that are 
mindboggling. Cybercrime costs the global economy $445 billion 
every year with the damage to business from theft of 
intellectual property exceeding $160 billion loss to 
individuals. So you are looking at $600 billion of loss total 
there. Fifty percent of the businesses as you say, I mean, 
small businesses, have been victims of cyberattacks, and over 
60 percent of those will go out of business.
    My question to you is did they go out of business or will 
they go out of business because of the liability exposure that 
they have there? Or did they go out of business because of the 
money that is stolen from them or because of the reputational 
problems that they have had to be able to stay in business? A 
combination of all those? Can you answer that?
    Mr. ROWE. Sir, I would say it is a combination of all of 
those. I would say that the financial loss is generally the 
hardest hit for a small business. As you and the members of the 
Committee know, small business, they live off of cash flow. 
They live off of their capital. And a hard hit to that is 
something that is very difficult to overcome.
    Mr. LUETKEMEYER. Now, with regard to the small businesses, 
though, do you see any of them being sued for the lack of 
adequate cyber protection?
    Mr. ROWE. Well, that goes to what Ms. Ohlhausen was talking 
about. What is reasonable? If a small business has got decent 
cyber protection, is that a reasonable amount? I honestly do 
not know. The problem is that that bar keeps shifting as 
technology changes. We are working on things now that, frankly, 
block chain technology is going to change massively.
    Mr. LUETKEMEYER. Ms. Ohlhausen, would you like to comment 
on that?
    Ms. OHLHAUSEN. I think there are probably a variety of 
reasons that a company, a small business, may go out of 
business after a data security breach, including the financial 
implications that Mr. Rowe mentioned, as well as that small 
businesses are close to their customers. Right? If they lose 
customer trust, then I think that could also be a problem.
    Mr. LUETKEMEYER. Okay. So my concern is we know we are 
being attacked. How do we protect the business' viability 
against that attack? Have you seen some businesses go out of 
business because they are being sued because of lack of data 
security protections?
    Ms. OHLHAUSEN. I am aware that some businesses have----
    Mr. LUETKEMEYER. Because I can tell you from the financial 
side, if I am a financial services regulator and I go into a 
financial services credit union, bank, whatever, and I see I 
have got a small business there that is highly leveraged and 
they deal with lots of personal data, there is an exposure 
there that I am very concerned about that if they have a data 
breach, is the viability of that business going to be affected? 
And so how does that small business protect themselves against 
that liability exposure? What kind of safe harbor can we put 
together?
    Where I am going with the question is can we find a way to 
provide a safe harbor? Or is the safe harbor something like an 
insurance policy that is put in place to protect a small 
business which does not have the resources of a Target or a 
Home Depot when they have some data breaches? I mean, I had a 
large supermarket in my area that had its own debit card got 
breached and cost several hundred thousand dollars. It was 
dispersed, but it was significant. So how do we come up with a 
safe harbor for these small businesses? Is it an insurance 
policy that you go down this road to be able to help them or 
are they just exposed?
    Mr. ROWE. Honestly, you are right. They are just exposed 
right now. There is a fledging industry on cybersecurity 
insurance, but, frankly, even if you are insured, I wonder how 
the actuarial effort would work. You can go now and you can get 
your car insured, if you have LoJack sometimes you will get a 
rebate on your insurance. Sometimes you will not.
    Mr. LUETKEMEYER. Well, my concern is if we have got some 
exposure, how do we protect the small businesses against that? 
And while Dr. Romine was very specific about some of the 
guidelines and principles that he is recommending here, that is 
fine. But if it does not provide the safe harbor, and if I am 
looking at the viability of the business, to me an insurance 
company is a whole lot more nimble and flexible to be able to 
come out and tell the small business we found a new way, 
especially with the Fintech industry today continuing to evolve 
and continuing to have all sorts of--I do not want to say the 
word ``exotic,'' but there are certainly interesting products 
out there that help integrate all these different businesses 
and the payment systems. To me, you only have to figure out a 
way to have some sort of--I think the private sector is a 
better way to go about this, provide that kind of coverage and 
safe harbor.
    Mr. ROWE. Well, I would agree with you because I think in 
general the private sector is much more nimble. Rather than 
insurance, I would think about it from the financial sector 
point of view. There is a lot of money invested, whether it is 
through lenders like credit unions or 7(a) lenders or you name 
it, Fintech, who all have a stake because if the small business 
gets hacked and goes under, they are not going to get repaid. 
So they have a stake in trying to build that up.
    Mr. LUETKEMEYER. Thank you.
    Chairman CHABOT. The gentleman's time is expired.
    It is my understanding that the gentleman from Missouri 
wants to make a unanimous----
    Mr. LUETKEMEYER. Yes, ICBA has a letter to the Committee 
and I would like to put it into the record.
    Chairman CHABOT. Without objection, so ordered.
    Mr. LUETKEMEYER. Thank you.
    Chairman CHABOT. And the gentleman from Illinois, Mr. 
Schneider, who is the ranking member of the Subcommittee on 
Agriculture, Energy, and Trade, is recognized for 5 minutes.
    Mr. SCHNEIDER. Thank you, Chairman. And again, thank you to 
the witnesses for making time to not just be here, but to 
prepare. I know how much work goes into this, so thank you for 
sharing your expertise and insight.
    The issue of cybersecurity, the issue of dealing with these 
challenges for small businesses are complex, confusing, and 
constantly changing. That is one of the problems we face and 
the risks keep growing.
    Mr. Mooney, you talked about the idea of trying to 
establish a national standard. I would imagine one of the 
challenges we face in doing that, that once we get consensus, 
it is going to be out of date. So opening this up to the whole 
panel, how in partnership, private sector-government, might we 
best work to address the dynamism, if you will, of the threat?
    Mr. MOONEY. Well, if I might take the first shot at that 
question, Congressman, I think the experience that we have had 
in the financial services industry suggests that there is a way 
to not be locked into any particular perspective or way of 
doing things. The way that Gramm-Leach-Bliley works is it 
provides a great deal of flexibility. It is risk-based. It is 
scalable so that it addresses the concerns as they exist at the 
time. And in suggesting that we would want to have some sort of 
national application of that, we would recommend that it has 
and follows those same principles.
    Mr. SCHNEIDER. Mr. Rowe?
    Mr. ROWE. Well, you are absolutely right. The shifting 
nature of the problem is sort of what militates against a 
national standard unless that standard is based on 
responsibility. And it then becomes a question of who is going 
to be responsible? I would say in so many areas, whether it is 
a small medical practice that is dealing with HIPAA information 
or a small business that may have a fair amount of financial 
information--a small insurance agency or an investment 
advisor--you have got to begin to follow the money.
    And you have also got to place responsibility on the 
merchant services corporations who you are dealing with. Amazon 
and eBay make a fair amount of money supporting small 
businesses who are selling. It might be an interesting idea to 
say they bear some responsibility in helping to educate the 
people who work with them.
    Mr. SCHNEIDER. You talk about a small insurance agency. I 
had the privilege of running a small insurance agency. There 
were two producers and we had a staff of eight. None of the 10 
of us were the technology expert. Now, this was in 1997 to 
2003, an entirely different environment than what we are facing 
today. And as I think through this problem, I know the time we 
spent on technology, on handling a lot of classified personal 
information and making sure that it was always safe and always 
protected. That just keeps getting increasingly hard. Are there 
ways, whether it is the work you do, things that we can do to 
help small businesses continue to stay ahead of the curve?
    Mr. ROWE. And that is the whole key to what we are trying 
to accomplish here is build the resources and get the resources 
out so that small businesses can stay ahead of the game.
    Mr. SCHNEIDER. Yeah, and I will add, as you talked about in 
your testimony, large corporations have resources and the 
people to do this. It falls oftentimes to the smaller 
companies, especially, for example, the ones trying to do 
business through Amazon and eBay and other opportunities that 
are there.
    I appreciate that. I am nearly out of time. I will yield 
back the balance of my time to keep us on schedule.
    Chairman CHABOT. Thank you very much. The gentleman yields 
back.
    The gentleman from Kansas, Mr. Marshall, is recognized for 
5 minutes.
    Mr. MARSHALL. Thank you, Mr. Chairman.
    My first question is for Dr. Romine. You may know I am a 
physician and help run a hospital as well, and health care 
seems to be particularly vulnerable to cyberattacks. Does NIST 
have any ideas on how to ensure the safety of healthcare data 
from cyberattacks? Are there any best practices? And especially 
I am thinking of smaller community hospitals, that type of 
thing.
    Dr. ROMINE. Thank you for your question. We have projects 
going on through our National Cybersecurity Center of 
Excellence having to do with specifically that. We have a 
program in protection of health care and healthcare 
information. We also have, as part of that program, the 
protection of medical devices. So, for example, we have a 
program on trying to secure wireless infusion pumps in 
hospitals and trying to understand the threat that they present 
to the patient, as well as to the enterprise of the hospital, 
as an entry point for getting into other parts of the system.
    With regard to the relation to small business, one of the 
things that we are looking at now and have completed recently 
for publication is trying to understand how to secure patient 
information or protected information when a physician is using 
a mobile device, to access that patient information. 
Anecdotally we hear, for example, the physician really just 
wants to do the best for the patient. Some of the rules 
regarding the transfer of that patient information can get in 
the way of providing that, and so we are trying to find ways 
that we can secure that communications mechanism to make it 
both more efficient for patient care, as well as more secure.
    Mr. MARSHALL. As a physician, I am more concerned about 
patient confidentiality today than I was 10 years ago. The 
worst thing I had 10 years ago was someone could come in and 
steal a chart, but now if they crack the code they have access 
to thousands of charts. So it is almost like this has backfired 
on us.
    I am into solutions. One of the biggest concerns I hear 
from the banking institutes, credit associations, is when they 
have a breach, there are significant fines. Small businesses, I 
am thinking of convenience stores where they are just doing 
thousands of transactions a day with a credit card, if they 
have a data breach, it still falls back on the banking 
institute. And I am looking for solutions. How can we help both 
sides here? What is the solution that anyone would have to that 
problem so it does not always fall just on the banking 
institutes or the credit cards?
    Mr. MOONEY. May I take that?
    Mr. MARSHALL. Please. Yeah.
    Mr. MOONEY. Well, Congressman, I think our approach here 
and the suggestions that we are making regarding some sort of 
consistent level of standards for all players in the payment 
system we think is vital to accomplishing what you were just 
talking about. Under Gramm-Leach-Bliley, we are really given 
the duty to make data security our responsibility and our 
focus. And what we think is for the payment system to be 
viable, everybody has to be playing at the same level. Now, 
again, we talk about small businesses and big businesses. As 
GLBA has functioned, it is scalable. So the risks that a large 
multinational financial institution has is going to be much 
greater than a small credit union, and the risk assessments 
accordingly are much different and the responsibilities are 
much different, but everybody is on the same page in terms of 
the responsibilities of protecting consumer, financial, and 
personal data.
    Mr. MARSHALL. Okay. Anybody else have a comment?
    Ms. OHLHAUSEN. The Federal Trade Commission has in previous 
Congresses supported on a bipartisan basis Federal data 
security and breach notification legislation that would give a 
clearer standard, a process-based standard, to businesses and 
also have a Federal requirement that if there is a breach, 
under certain conditions they have to notify consumers about 
it. So they can also take steps to protect themselves.
    Mr. MARSHALL. Okay.
    Mr. MOONEY. And if I may, just to add to that, and that is 
the environment that financial institutions operate under 
today. And so you are suggesting just broadening, which is what 
we think makes a lot of sense.
    Mr. MARSHALL. Thank you, Mr. Chairman. I yield back.
    Chairman CHABOT. Thank you very much. The gentleman yields 
back.
    The gentlelady from Florida, Ms. Murphy, is recognized for 
5 minutes. And she is the ranking member of the Subcommittee on 
Contracting and Work Force.
    Ms. MURPHY. Thank you to our witnesses for testifying 
today.
    As was just mentioned, I serve as the ranking member on 
Contracting and Workforce. And you have discussed at length 
today in your testimony the great number of challenges that 
small businesses face in complying or dealing with 
cybersecurity. But I am specifically interested in honing in on 
the challenges that face small businesses in the contracting 
community and how these issues will affect the ability of small 
firms to compete for and win Federal contracts.
    As you may know, it is becoming an increasingly common 
prerequisite for small businesses to be able to meet 
regulations that demonstrate their ability to maintain safe and 
secure networks before they can even participate in the 
competitive contracting process. My concern is that over time 
this may lead to more small firms losing bids or it may even 
discourage them from engaging in the bidding process at all 
because they simply cannot compete with larger companies that, 
unlike them, have the resources to hire and retain dedicated 
cybersecurity and IT personnel.
    So Mr. Rowe, in your experience, how has the sheer 
complexity of these regulations so far affected the small 
business contractors that you have worked with? And what do you 
advise them as they face uncertain regulations and prohibitive 
compliance costs?
    Mr. ROWE. Well, the hardest thing any of them have facing 
them is just knowledge of the Federal Register. I would be 
willing to bet half of them have no idea that the Department of 
Homeland Security just put out a proposed regulation on, what 
do they call it, confidential unclassified information. Now, I 
am not even sure what that is. But in all of these situations--
and these are all operating from the best of intentions, all of 
these agencies. They are trying to protect sensitive 
information on everything from weapon systems to medical 
equipment. But there is that tendency to go with the 
sledgehammer to kill a gnat.
    And small businesses are left behind in all of these 
regulatory efforts because they have got to know what the 
Federal Register is, comment in the Federal Register, have that 
comment taken seriously, while, frankly, Lockheed and Boeing 
and SAIC have guys like me that they pay lots of money to do 
that for them.
    To date, it has not really become horrible. My concern is 
if you have got a defense acquisition regulation system, a 
Federal acquisition regulation system, a Department of Homeland 
acquisition regulation system, all of which have cybersecurity 
regulations which may not all be exactly the same, and then you 
are requiring security protocols for a small business that may 
be working three or four agencies and trying to get their 
security to match up with the security systems in four 
different computer systems, we all know that at a certain point 
it just does not work. And that is the biggest concern that we 
have is getting enough flexibility so that the small business 
can protect the data without having to do all their work in 
triplicate.
    Ms. MURPHY. Do you have any suggestions on how that 
regulatory process can be streamlined or rationalized in a way 
that would avoid the scenario that you just laid out?
    Mr. ROWE. Yes. Again, it goes back to what I said to the 
chairman. I think there needs to be an interagency coordinating 
committee on cybersecurity so that when the FAR Council, which 
is really just DOD, GSA, and the Office of Management and 
Budget, make a decision, there has been input from all the 
other agencies and from small business.
    Ms. MURPHY. Great. Thank you. And I will yield back the 
remainder of my time.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back.
    The gentleman from Pennsylvania, Mr. Fitzpatrick, is 
recognized for 5 minutes.
    Mr. FITZPATRICK. Thank you, Mr. Chairman. Thanks to 
everyone on the panel for your time today.
    I want to ask specifically about law enforcement 
corroboration and collaboration. Department of Homeland 
Security, Department of Justice, particularly the FBI, are the 
two main law enforcement organizations responsible for 
investigating cyber-related crimes and national security-
related cyberattacks. Dr. Romine mentioned the InfraGard 
program. That is one of several programs that exist.
    My question, not only from the small business standpoint, 
but also I am on the Cyber Subcommittee of Homeland Security, 
what is the collaboration currently? How has it been going in 
both directions?
    Because not only is it important that law enforcement 
receive this information to track digital fingerprints and 
patterns of cyberattacks; it is equally important for the small 
business community that there be a good relationship that the 
Bureau and Department of Homeland Security can share tips on 
the private side on how to best protect small businesses form 
cyberattacks. So if any one of you could just comment on what 
the status of relationships is with those two Federal agencies, 
what works and what has not worked.
    Dr. ROMINE. Thank you for the question.
    I am happy to reiterate the importance that we accord to 
the partnership with FBI's InfraGard program and the SBA as a 
mechanism for outreach to provide the kind of information that 
you just discussed, to the private sector broadly, but 
particularly to small- and medium-sized businesses. I think 
that has been very effective and it is a strong relationship.
    Mr. FITZPATRICK. Department of Homeland Security. Has there 
been any relationship or outreach with them?
    Dr. ROMINE. We have ongoing relationships with the 
Department of Homeland Security. They were vigorous 
participants during the development of the cybersecurity 
framework, for example. They spent a lot of time generating a 
voluntary program that they used in concert with, and using the 
cybersecurity framework as it emerged, to provide that kind of 
outreach. We had a lot of strong input from them and provided 
them a lot of useful information that they could then use in 
their voluntary program for people to adopt the framework or to 
get assistance in using the framework.
    We have partnerships with the FBI in other areas such as 
biometrics technologies, for example. That is a slightly 
different topic, but with the understanding of trying to 
improve the accuracy of biometrics. That partnership goes back 
to 1963 with the FBI, so we consider that a pretty strong 
relationship.
    Mr. FITZPATRICK. Has there been any frustrations that you 
have heard from the small business community with regard to law 
enforcement not taking certain cases because they do not fall 
within the threshold that would allow for an investigative 
activity?
    Dr. ROMINE. NIST would not hear something like that.
    Mr. FITZPATRICK. Okay.
    Dr. ROMINE. I think that is not the kind of information 
that they would share with us. We do ensure that we have 
outreach to small businesses so that we can ensure that our 
work products, our cybersecurity guidance is scalable and 
digestible at all levels. We are working much harder on that to 
ensure that it is useful across the spectrum, all the way from 
small to very large enterprises.
    Mr. FITZPATRICK. Thank you. I yield back.
    Chairman CHABOT. Thank you. The gentleman from Pennsylvania 
yields back.
    That concludes our questions to the panel. We want to thank 
the very distinguished panel for their testimony here today. It 
has been very helpful. I think once things clear, and that is 
the people up here, the members on both sides of the aisle want 
to do everything we possibly can to ensure that small 
businesses have the best possible cybersecurity resources 
available to them.
    And along those lines, we, being the Committee, are going 
to be putting this up online today. These are easy-to-
understand security packets that will be available to small 
businesses. They are kind of step-by-step guides on how to 
protect themselves, small business folks, from cyberattacks. 
And these will be up on the Small Business Committee's website 
today. So I just wanted to mention that.
    And I would remind folks that members would have 5 
legislative days to submit statements and supporting materials 
for the record.
    And if there is no further business to come before the 
Committee, we are adjourned. Thank you very much.
    [Whereupon, at 12:11 p.m., the Committee was adjourned.]
    
    
    
    
    
    
                            A P P E N D I X



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




    Chairman Chabot, Ranking Member Velazquez, members of the 
committee. Thank you for inviting me to testify on behalf of 
America's SBDC, the Association of Small Business Development 
Centers.

    SBDCs operate over 1,000 centers in all fifty states as 
well as the District of Columbia, Puerto Rico, the Virgin 
Islands, American Samoa and Guam. SBDCs provide management and 
technical assistance to over 200,000 small businesses every 
year and training to over 300,000 business owners and their 
employees. All of these small business owners hae the same 
basic question, ``How do I succeed?''. That's not always a 
simple answer but, for almost every business that means 
maximizing sales, and we've been able to aid those clients to 
the tune of nearly 7 billion of new sales every year.

    This is a great statistic, but it contains a not too hidden 
peril, cyber-crime. More and more of our clients do business 
online. Every single one of them is vulnerable, and they may 
not even know it. They may not even have a website but they are 
potential victims. Every time they run a credit card 
transaction, or answer their email they expose themselves and 
their customers to the risk of hacking, phishing and 
ransomware. And the dangers go beyond e-commerce. Any business, 
whether a vendor or a contractor, is at risk if they are 
connected and have personally identifiable information or the 
potential to be an access point to others who do.

    By now I assume everyone is aware of the alarming 
statistics about cyber-crime. Cybercrime costs the global 
economy about $445 billion every year, with the damage to 
business from theft of intellectual property exceeding the $160 
billion loss to individuals. Fifty percent of small businesses 
have been the victims of a cyber-attack and over 60 percent of 
those attacked will go out of business.

    Despite these facts many small businesses continue to 
ignore or avoid the risk. Many of our clients believe, ``I 
don't do business online or I don't have any valuable 
information.'' Of course, the truth is exactly the opposite. 
Every time they take an order, swipe a credit card or send an 
email they put themselves and their customers at risk. Too 
often the concern is for customer privacy but corporate clients 
and vendors are at risk too.

    Small business present cybercriminals with an easy way to 
gain access to customer credit card records and bank accounts, 
supplier networks and employee financial and personal data.

    They want to do more and more business online but they have 
weaker online security. Or they use cloud services that don't 
have strong encryption. As a result, the small business can be 
a gateway to gain access to clients, business partners, and 
contractors and a backdoor into many large organizations. To a 
hacker, that translates into reams of sensitive data behind a 
door with an easy lock to pick. If a small business has any 
Fortune 500 companies as customers, they are an even more 
enticing target. These secondary attacks are now a regular 
problem for small business.

    Small businesses are particularly vulnerable to email 
attacks mimicking their banks or other trusted institutions and 
citing an urgent need for account or some other vital 
information, and often multiple employees have access to that 
information. Further, business accounts do not enjoy the same 
protection against loss as consumer accounts--something many 
small-business owners do not discover until it's too late. 
Consumers are protected by regulations which limit their 
liability. Commercial accounts, however, are covered by the 
Uniform Commercial Code (UCC) and enjoy no such protections. 
Under the UCC banks aren't liable for unauthorized payments if 
their security is considered ``commercially reasonable''. As a 
result, few small businesses that are the victims of cyber 
theft ever recover their funds.

    More than ever, sensitive data, intellectual property and 
personal information of small and medium sized firms are 
targeted by an ever increasing and sophisticated community of 
cybercriminals. Symantec has found that over the last several 
years there has been a steady increase in cyber-attacks 
targeting businesses with less than 250 employees.

    And not all hacking is for financial gain. Two years ago, 
several businesses were simultaneously hacked and their 
websites were taken over by what appeared to be ISIS. Islamic 
State logos and Arabic script was plastered all over the sites 
for Montauk Manor in the Hamptons; Eldora Speedway in New 
Weston, Ohio; Dogwoods Lodge dog kennel in Des Moines, Iowa; 
Sequoia Park Zoo in Eureka, CA; Montgomery Inn in Montgomery, 
Ohio; the Moerlein Lager House in Cincinnati; and Elasticity, a 
vocational charity St. Louis, MO. No financial information was 
stolen but imagine the time, effort and lost business for each 
of these firms. They had to rebuild their sites and try to 
rebuild client confidence. After all, if you knew a hotel had 
been hacked would you give them a credit card to hold a 
reservation?

    At the SBDCs we have been working to spread awareness of 
all these threats to our clients. We offer training programs to 
our clients at most SBDCs and we are working to expand the 
coverage to the entire network. In our centers in New York, 
Delaware, Florida, Texas and others we are developing programs 
to not only advise and inform our clients but spread the 
information and training capacity throughout our networks. In 
Florida, our network is collaborating with Ridge Global, the 
firm founded by former DHS Secretary Tom Ridge, to develop a 
series of training videos on cybersecurity. The New York SBDC 
has developed a cybersecurity planning guide which we are 
working to disseminate to other states to help them build their 
capacity. In Michigan, besides training, our network is 
launching a media campaign day to spread awareness. SBDCs began 
developing these resources on our own over the last few years. 
My members recognized that, while they are advising and 
training their clients on the value of the web as a marketing 
and sales engine, they also needed to educate them on the 
dangers and pitfalls of the web.

    On top of the organic efforts within the SBDC networks we 
are now working at the national level to help develop a 
national small business cyber strategy. Pursuant to section 
1841 of the National Defense Authorization Act for 2017 
America's SBDCs is working with the Department of Homeland 
Security (DHS) and the Small Business Administration (SBA) to 
develop a strategy to leverage the collective resources of DHS, 
SBA and the national network of SBDCs to provide the resources, 
training and assistance small businesses will need.

    We will be working share and improve cyber programs, 
enhance services and raise awareness of the threats. In 
particular, we want to help develop cost-effective, high-
quality tools for small business and a network to share 
information and analysis on threats.

    On behalf of our clients I want to thank the members of 
this committee for their efforts in getting that language 
included in the NDAA. The timing could not be more critical, 
the threats and the awareness of the threats has grown but at 
the same time so has the confusion. What steps do small 
businesses need to take? Do they need security software, a 
cyber specialist, certifications? What tools are effective, 
what certifications are valid?

    SBDCs are developing and training small businesses on that 
first line of their cyber security needs, the internal focus of 
basic security practices. Teaching employees about the threats 
and weaknesses, helping them protect client and customer 
information. They are also working with small businesses to 
help them recognize and develop their own strategies and 
assessments of their needs. My members have developed some 
excellent education and it will grow stronger but the harder 
effort is going to be assisting small businesses in dealing 
with the external demands of cybersecurity.

    Commercial customers and big business will have growing 
demands on the cyber infrastructure of their small business 
suppliers. What certifications will they demand, what hardware? 
Who will supply these certifications, and at what cost? If we 
add federal procurement issues (already a complicated area) how 
will small businesses cope? I want to divide this area of 
concern into two sides--commercial business and government 
business.

    On the commercial side, small business faces a real 
problem. Who is in charge and to whom are they responsible? 
Last year, the Federal Communications Commission (FCC) stepped 
into the world of e-commerce and declared Internet Service 
Providers (ISPs) to be ``common carriers''. Now the FCC has 
decided to hold off on the privacy rule in favor of 
``harmonization''. Small businesses are left to wonder, ``Who 
is responsible, anyone?''

    At America's SBDC we will be working hard to ensure that 
our clients have the best possible, most cost-effective tools. 
At the same time, it would nice to know if anyone further up 
the ``food chain'' is to be held accountable. There is a real 
concern about the trickle down nature of the regulatory 
framework. While titans like Verizon and Comcast battle Google 
and Facebook, what level of regulation will be placed on small 
business?

    We know there is a potential for small business to be a 
back door. Does that mean, in a regulatory framework controlled 
by internet giants, that the rules will be set by the giants at 
the expense of the pygmies? We have already seen Google declare 
that websites without what they consider ``adequate security'' 
will be labeled ``unsafe''. I do not doubt that http vs. https 
is serious, but how many small businesses are either aware of 
this distinction or aware of what they need to do to be Google 
compliant?

    I expect Google aficionados and techies will call me a 
Luddite. They would be wrong. I use Chrome and love it. I know 
what an SSL certificate is. How many small business owners do, 
or know where they can get the help they need? How much 
business will a small business lose because they are on eBay 
and, as of the end of January, eBay wasn't https complaint?

    These are the types of trickle-down, large firm favoring 
regulatory schema about which we should be concerned.

    Now I'd like to comment on the government side. The 
previous administration was proud of their efforts and 
successes at meeting small business contracting and 
subcontracting goals. I'm concerned about how weather that 
success can last. Unfortunately, a lot of the uncertainty we 
face now is because the previous administration also put out 
cybersecurity regulations at the very end of their term before 
anything could really be discussed and tried out. The result is 
the uncertainty and confusion we see now.

    There should be significant concern that federal and state 
agencies will begin to develop conflicting and potentially 
contradictory procurement regulations, derived from the best 
intentions regarding security and privacy, but having a 
negative effect on small business participation. The Department 
of Defense has issued cybersecurity amendments to the Defense 
Acquisition Regulations (DFAR) and the FAR Council issued 
amendments to the Federal Acquisition Regulations (FAR). Just 
recently the Department of Homeland Security released three 
proposed regulations on cybersecurity though they are, I 
believe being held by the current administration. Those 
regulations weren't even for classified information; they were 
for Controlled Unclassified Information (CUI). To date, I have 
seen only two comments in the Federal Register. I doubt any 
small business that contracts with DHS is aware of these 
proposed regulations, and many of our SBDC clients are those 
affected businesses.

    How will all these regulations operate? Can they co-exist? 
Agencies issue the proposed rules and state they will 
``harmonize'' them with FTC and other efforts, how? Who will 
``harmonize'' them? These regulations have the best and most 
laudable goals, protecting government data integrity and 
protecting citizens' privacy. However, the potential costs of 
compliance for any small business involved in, or wishing to be 
involved in government contracting could be crippling. Will the 
standards be set at the convenience of the largest contractors 
with small businesses left to wonder how they'll be able to 
comply?

    In addition, what will happen to subcontractors? Imagine a 
one-size fits all cybersecurity protocol that flows down to 
subcontractors. The potential for small businesses becoming 
frozen out is very real.

    That is why America's SBDCs is glad to be working on this 
strategy with DHS and SBA now. We want to help head off the 
confusion and provide training to ensure opportunity is not 
sacrificed for cybersecurity. At America's SBDC we believe it 
important to be at the front of this effort, to develop a set 
of resources to enable small business participation through 
assistance and training, rather than having to play ``catch 
up'' with small businesses confused by a new regulatory 
framework.

    Thank you again for the opportunity to testify. I look 
forward to your questions.



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 [all]