b"<html>\n<title> - SMALL BUSINESS CYBERSECURITY: FEDERAL RESOURCES AND COORDINATION</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n    SMALL BUSINESS CYBERSECURITY: FEDERAL RESOURCES AND COORDINATION\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                      COMMITTEE ON SMALL BUSINESS\n                             UNITED STATES\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n                             MARCH 8, 2017\n\n                               __________\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n            Small Business Committee Document Number 115-007\n              Available via the GPO Website: www.fdsys.gov\n\n\n\n\n                                   ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n24-421                         WASHINGTON : 2017 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. 
Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n  \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                   HOUSE COMMITTEE ON SMALL BUSINESS\n\n                      STEVE CHABOT, Ohio, Chairman\n                            STEVE KING, Iowa\n                      BLAINE LUETKEMEYER, Missouri\n                          DAVE BRAT, Virginia\n             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa\n                        STEVE KNIGHT, California\n                        TRENT KELLY, Mississippi\n                             ROD BLUM, Iowa\n                         JAMES COMER, Kentucky\n                 JENNIFFER GONZALEZ-COLON, Puerto Rico\n                          DON BACON, Nebraska\n                    BRIAN FITZPATRICK, Pennsylvania\n                         ROGER MARSHALL, Kansas\n                                 VACANT\n               NYDIA VELAZQUEZ, New York, Ranking Member\n                       DWIGHT EVANS, Pennsylvania\n                       STEPHANIE MURPHY, Florida\n                        AL LAWSON, JR., Florida\n                         YVETTE CLARK, New York\n                          JUDY CHU, California\n                       ALMA ADAMS, North Carolina\n                      ADRIANO ESPAILLAT, New York\n                        BRAD SCHNEIDER, Illinois\n                                 VACANT\n\n               Kevin Fitzpatrick, Majority Staff Director\n      Jan Oliver, Majority Deputy Staff Director and Chief Counsel\n                     Adam Minehardt, Staff Director\n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n           
          \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                     \n                            C O N T E N T S\n\n                           OPENING STATEMENTS\n\n                                                                   Page\nHon. Steve Chabot................................................     1\nHon. Nydia Velazquez.............................................     2\n\n                               WITNESSES\n\nThe Honorable Maureen K. Ohlhausen, Acting Chairman, Federal \n  Trade Commission, Washington, DC...............................     4\nChuck Romine, Ph.D., Director, Information Technology Lab, \n  National Institute of Standards and Technology, Gaithersburg, \n  MD.............................................................     6\nMr. Charles Rowe, President & CEO, America's Small Business \n  Development Centers, Arlington, VA.............................     7\nMr. Jim Mooney, President and CEO, Chevron Federal Credit Union, \n  Cybersecurity Committee Chair, National Association of \n  Federally-Insured Credit Unions, Arlington, VA, testifying on \n  behalf of the National Association of Federally-Insured Credit \n  Unions.........................................................     9\n\n                                APPENDIX\n\nPrepared Statements:\n    The Honorable Maureen K. Ohlhausen, Acting Chairman, Federal \n      Trade Commission, Washington, DC...........................    22\n    Chuck Romine, Ph.D., Director, Information Technology Lab, \n      National Institute of Standards and Technology, \n      Gaithersburg, MD...........................................    34\n    Mr. Charles Rowe, President & CEO, America's Small Business \n      Development Centers, Arlington, VA.........................    42\n    Mr. 
Jim Mooney, President and CEO, Chevron Federal Credit \n      Union, Cybersecurity Committee Chair, National Association \n      of Federally-Insured Credit Unions, Arlington, VA, \n      testifying on behalf of the National Association of \n      Federally-Insured Credit Unions............................    48\nQuestions for the Record:\n    Questions and Responses from Hon. Adriano Espaillat to Hon. \n      Maureen K. Ohlhausen.......................................    77\n    Questions and Responses from Hon. Adriano Espaillat to Chuck \n      Romine, Ph.D...............................................    79\n    Questions and Responses from Hon. Adriano Espaillat to \n      Charles Rowe...............................................    82\n    Questions and Responses from Hon. Adriano Espaillat to Jim \n      Mooney.....................................................    85\nAdditional Material for the Record:\n    ICBA - Independent Community Bankers of America..............    87\n\n \n    SMALL BUSINESS CYBERSECURITY: FEDERAL RESOURCES AND COORDINATION\n\n                              ----------                              \n\n\n                        WEDNESDAY, MARCH 8, 2017\n\n                  House of Representatives,\n               Committee on Small Business,\n                                                    Washington, DC.\n    The Committee met, pursuant to call, at 11:00 a.m., in Room \n2360, Rayburn House Office Building, Hon. Steve Chabot \n[chairman of the Committee] presiding.\n    Present: Representatives Chabot, Luetkemeyer, Knight, \nKelly, Blum, Comer, Bacon, Fitzpatrick, Velazquez, Evans, \nMurphy, Lawson, Clarke, Espaillat, and Schneider.\n    Chairman CHABOT. Good morning. I will call the Committee to \norder now. And we want to thank everyone for coming today.\n    Over the past year, this Committee has turned its attention \nto an issue that is increasingly serious for small business, \nand that is cybersecurity. 
In past hearings, we heard firsthand \naccounts from small business owners who have been victims of \ncyberattacks.\n    We have also heard dire warnings from cybersecurity experts \nabout the new and varied cyber threats facing America's 28 \nmillion small businesses.\n    There is no question that advances in information \ntechnology have helped small businesses to increase their \nproductivity, become more efficient, and ultimately more \nsuccessful.\n    However, the same tools and resources that have given small \nbusiness owners a greater role in the marketplace have also \nprovided cyber criminals and foreign bad actors with more \nopportunities to steal sensitive and valuable information that \nsmall businesses rely on to remain competitive.\n    In 2015 alone, the United States Department of Justice \nrecorded nearly 300,000 cybersecurity complaints.\n    We have also learned that a cyber attack can have serious \nconsequences, not only for small businesses, but also their \ncustomers and their employees and business partners. Sixty \npercent of small businesses that fall victim to a cyberattack \nclose up shop within 6 months. Sixty percent. A 2014 survey \nfrom the National Small Business Association estimated the \naverage cost of cyber attacks on a small business to be over \n$32,000.\n    In our Committee's efforts to spotlight these serious and \ngrowing threats, it has been abundantly clear that the Federal \nGovernment needs to step up its game when it comes to \nprotecting the cybersecurity of small businesses and \nindividuals. And, to some extent, Federal agencies have begun \noffering resources directly to small businesses in recent \nyears.\n    Today we will hear from some of the Federal agencies that \nare already providing cybersecurity resources to small \nbusinesses. 
We will examine how these tools can be more easily \naccessed by small business owners and ensure that they are \neffective.\n    Since the late 1990s, the Federal Government has become \nincreasingly active in protecting our Nation's critical \ninfrastructure and information technology, IT, systems. It has \ngone to great lengths to coordinate these efforts with State \nand local governments, as well as the private sector. However, \nit was not until recently that the Federal Government was \nencouraged to engage in greater information-sharing practices \nwith businesses through the development of an overall framework \nfor cybersecurity protocols. The framework would enable \nbusinesses of all sizes to implement a set of best practices \nfor assessing cyber threats and reinforce their cybersecurity \nsystems.\n    Just last year, the House passed the Improving Small \nBusiness Cybersecurity Act, a bill that helps small businesses \nfacing cyber threats by providing access to additional tools \nand resources through existing Federal cyber resources. The \nbill became law as part of the National Defense Authorization \nAct of 2017. The Department of Homeland Security, DHS, and \nother Federal agencies have been permitted to work through the \nSmall Business Development Centers, SBDCs, to streamline cyber \nsupport and resources for small businesses.\n    While I believe this is a very good start, I think it is \nglaringly obvious that Federal agencies tasked with providing \ncybersecurity resources to small businesses can be better \ncoordinated. 
They should drive down duplicative resources and \nprocesses and ensure that small businesses are equipped to deal \nwith the growing cyber threats.\n    I look forward to hearing from our witnesses and their \npoints of view on how we can more efficiently disseminate \nFederal cybersecurity resources to all of America's small \nbusinesses, and I would now like to yield to the ranking member \nfor her opening statement.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman.\n    Developing new innovations is fundamental to our nation's \nprosperity in the 21st century. But these technologies can only \nbe beneficial if small businesses can adopt them without fear \nof malicious cyberattacks. Cybercrimes are becoming more \ncommonplace and more sophisticated. And no matter what form \nthey take, they can be devastating to business owners and their \ncustomers. A single attack can wipe out a small business, \nmaking cybercrime a severe problem for small entities.\n    While businesses of all sizes must increasingly monitor \ncyber threats, small firms must prepare for these problems with \nfar fewer resources than their larger counterparts. Because of \nthe complexity and cost associated with implementing a security \nplan, only 31 percent of small firms take active measures to \nguard against such attacks.\n    More than 80 percent of the time, the owner handles \ncybersecurity personally, making small firms more vulnerable \nthan a competitor with a dedicated IT security consultant or \nstaff member. In fact, last year, 60 percent of all targeted \nattacks struck small- and medium-sized entities.\n    These actions have costly implications for the small \ncompanies. 
The average cost of a data breach is nearly \n$200,000, and leads to 60 percent of targeted small businesses \nclosing their doors within 6 months of being attacked.\n    Because small firms stand to lose so much without data \nprotection, it is imperative that they have the resources of \nthe federal government at their disposal. The federal \ngovernment has a duty to secure federal information systems and \nassist in protecting private systems.\n    All agencies have their own duty to protect their systems, \nbut due to rapid changes in cyberspace, agency roles are \ncomplex. The presence of over 50 relevant statutes addressing \nvarious aspects of federal cybersecurity responsibilities adds \nyet more confusion. And because agencies are busy navigating \nthe rules pertaining to their own systems, efforts to help \nsmall firms have generally been neglected.\n    However, the Department of Defense and Homeland Security, \nand the National Institute of Standards and Technology, have \nall recently embarked on efforts to assist businesses with \ncybersecurity needs.\n    Additionally, federal spending on cybersecurity is expected \nto rise above $20 billion over the next several years. \nImplementation of the Cybersecurity Information Sharing Act of \n2015 continues moving ahead. Despite this progress, \ncollaboration between agencies and small firms is lacking, \nwhich affects us all.\n    We must improve our efforts to help small businesses \novercome these challenges. 
I was pleased, for example, that the \nNational Defense Authorization Act includes a provision \ninstructing SBA to coordinate with DHS to develop a small \nbusiness cyber strategy.\n    Most importantly, it leverages the SBA's vast network of \nSmall Business Development Centers, which have a proven record \nof helping entrepreneurs all over the country.\n    Although this is a step in the right direction, we must do \nmore to encourage small firms to protect themselves and their \ncustomers from cyber threats. Today's hearing will give us an \nopportunity to review federal investment in cybersecurity and \nhow we can facilitate collaboration with the small business \ncommunity. We cannot accept the bare minimum as our nation \nseeks to end continued data breaches.\n    With that, I want to thank all the witnesses for being here \ntoday, for your participation and insights into this important \ntopic.\n    I yield back, Mr. Chairman.\n    Chairman CHABOT. Thank you very much. The gentlelady yields \nback.\n    And if Committee members have opening statements prepared, \nwe would ask that they be submitted for the record.\n    And I will now take just a moment to explain our lighting \nsystem. It is really pretty simple. Each of you get 5 minutes. \nWe all get 5 minutes. And the lights will assist you in kind of \nkeeping within that. The green light will stay on for the first \n4 minutes. The yellow light will come on to let you know you \nhave got about a minute to wrap up. And then the red light will \ncome on, and, hopefully, you are finished by that time or will \nbe shortly thereafter. So if you could stay within those, we \nwould greatly appreciate it.\n    And I would like to introduce our very distinguished panel \nhere this morning. I will begin with our first witness.\n    Maureen Ohlhausen, who is acting chairman of the FTC, \nFederal Trade Commission. She was sworn in as the commissioner \nback in 2012. 
She also served as director of the Office of \nPolicy Planning from 2004 to 2008, where she led the FTC's \nInternet Taskforce. And we welcome you this morning.\n    Our second witness will be Chuck Romine, director of the \nInformation Technology Lab at the National Institute of \nStandards and Technology. Dr. Romine oversees a program that \npromotes U.S. innovation and industrial competiveness by \ndeveloping standards and guidelines for Federal agencies and \nU.S. industry, and we welcome you here, Doctor.\n    And our third witness will be Tee Rowe, who is the \npresident and CEO of America's Small Business Development \nCenters. He is also the chairman of the Small Business \nLegislative Council and a member of the U.S. Chamber of \nCommerce's Council on Small Business. Mr. Rowe also served the \nSmall Business Committee for 10 years as counsel. So welcome \nback.\n    And I would now like to yield to the ranking member to \nintroduce our fourth witness.\n    Ms. VELAZQUEZ. Thank you, Mr. Chairman.\n    It is my pleasure to introduce Mr. James Mooney, President \nand CEO of Chevron Federal Credit Union, located in California, \nand serving members since 1935. Mr. Mooney is also the \nCybersecurity Committee Chair for the National Association of \nFederally-Insured Credit Unions, NAFCU. He is testifying on \nbehalf of NAFCU, which is the only national organization \nexclusively representing the nation's federally-insured credit \nunions. Welcome. Thank you for being here.\n    Chairman CHABOT. Thank you very much.\n    And now we will hear from our distinguished panel. And Ms. \nOhlhausen, you are recognized for 5 minutes.\n\n   STATEMENTS OF THE HONORABLE MAUREEN K. 
OHLHAUSEN, ACTING \n   CHAIRMAN, FEDERAL TRADE COMMISSION; CHUCK ROMINE, PH.D., \n  DIRECTOR, INFORMATION TECHNOLOGY LAB, NATIONAL INSTITUTE OF \n  STANDARDS AND TECHNOLOGY; CHARLES ROWE, PRESIDENT AND CEO, \n   AMERICA'S SMALL BUSINESS DEVELOPMENT CENTERS; JIM MOONEY, \nPRESIDENT AND CEO, CHEVRON FEDERAL CREDIT UNION, CYBERSECURITY \n  COMMITTEE CHAIR, NATIONAL ASSOCIATION OF FEDERALLY-INSURED \n                         CREDIT UNIONS\n\n               STATEMENT OF MAUREEN K. OHLHAUSEN\n\n    Ms. OHLHAUSEN. Chairman Chabot, Ranking Member Velazquez, \nand members of the Committee, I am Maureen Ohlhausen, the \nActing Chairman of the Federal Trade Commission. And I \nappreciate the opportunity to present the Commission's \ntestimony on data security and, in particular, our efforts to \ncoordinate with our partners at NIST, who I am pleased to be \nwith here today, and the SBA, to educate small business.\n    Data breaches are commonplace, and in the case of small \nbusiness, a data breach can be devastating. While they may \nnever make headlines, the majority of attacks target small- and \nmidsized companies. And as you already mentioned, according to \nthe National Cybersecurity Alliance, some 60 percent of all \nsmall businesses shutter their doors within 6 months of a \nbreach.\n    The Federal Trade Commission is a small, independent agency \nwith a large role to play when it comes to data security, and \nwe are committed to protecting consumer privacy and promoting \ndata security in the private sector through enforcement and \neducation.\n    The Commission enforces several statutes and rules that \nplace data security requirements on companies: the Gramm-Leach-\nBliley Act, which covers certain financial institutions; the \nChildren's Online Privacy Protection Act covering children's \ninformation; and the Fair Credit Reporting Act covering credit \nreport information. 
The Commission also enforces the FTC Act, \nwhich applies to a broad range of companies.\n    The core requirement under each of these laws is that \ncompanies must maintain reasonable security. None of the laws \ncontain prescriptive, detailed legal requirements; rather, \ntheir requirement of reasonable security is a flexible one that \nis scalable for small companies. A company's data security \nmeasures must be reasonable in light of the sensitivity of \nconsumer information it holds, the size and complexity of its \ndata operations, and the cost of available tools to improve \nsecurity and reduce vulnerabilities.\n    Since 2001, the Commission has used its authority to take \naction against approximately 60 companies that it charged with \nfailing to provide reasonable protections for consumers' \npersonal information. In each of these cases, the data security \nfailures were not merely isolated mistakes. Instead, the \nCommission challenged alleged data security failures that were \nmultiple and systemic. The Commission has made clear that it \ndoes not require perfect security, that there is no ``one size \nfits all'' data security program, and that the mere fact that a \nbreach occurred does not mean that a company has violated the \nlaw.\n    In addition to law enforcement, the FTC offers guidance to \nhelp businesses of all sizes improve their data security \npractices. In November, we released an update to ``Protecting \nPersonal Information: A Guide for Business,'' a guide we first \npublished in 2007. Last fall, the FTC released guidance \ndescribing immediate steps companies should take when they \nexperience a data breach. And in 2015, the FTC launched its \nStart with Security initiative, which includes a guide for \nbusiness that summarizes the lessons learned from the FTC's \ndata security cases. 
As part of this initiative, the FTC hosted \nevents across the country, bringing business owners together \nwith industry experts to discuss practical tips and strategies \nfor implementing effective data security. Last year, staff \npresented our Start with Security materials to thousands of \nsmall business owners on six cybersecurity webinars sponsored \nby NIST and the SBA.\n    We are especially sensitive to the needs of small business. \nSole proprietors and companies with just a few employees \ngenerally do not have full-time information technology or human \nresources staff, and that is why I have directed FTC staff to \ncreate a one-stop shop on our website with materials \nspecifically for small business. And in the coming months, we \nwill expand our business outreach on data security issues with \na focus on helping very small companies identify risks and \ndevelop data security plans.\n    So thank you for the opportunity to provide the \nCommission's views, and we look forward to continuing to work \nwith the Committee and Congress on this critical issue.\n    Chairman CHABOT. Thank you very much.\n    Dr. Romine, you are recognized for 5 minutes.\n\n                   STATEMENT OF CHUCK ROMINE\n\n    Dr. ROMINE. Chairman Chabot, Ranking Member Velazquez, \nmembers of the Committee, thank you for the opportunity to \nappear before you today to discuss NIST's cybersecurity efforts \nas they relate to small businesses.\n    The IT security challenge for small businesses looms larger \nthan ever. Since nearly 99 percent of all U.S. businesses are \nsmall- or medium-sized, a vulnerability common to a large \npercentage of these organizations could pose a significant \nthreat to the Nation's economy and overall security.\n    NIST has worked with Federal agencies, industry, and \nacademia in cybersecurity since 1972. 
NIST's role to research, \ndevelop, and deploy information security standards and \ntechnology to protect the Federal Government's information \nsystems against threats to the confidentiality, integrity, and \navailability of information and services, was reaffirmed in the \nFederal Information Security Modernization Act of 2014.\n    In 2016, NIST released a major revision to the popular \nreport, ``Small Business Information Security: The \nFundamentals.'' The report is designed for small business \nowners with little cybersecurity expertise and provides basic \nsteps needed to help protect their information systems.\n    NIST's framework for improving critical infrastructure \ncybersecurity, or the framework, was released 3 years ago. The \nframework's voluntary, risk-based, prioritized, flexible, \nrepeatable, and cost-effective approach was developed for use \nby organizations, including small businesses, to help manage \ncybersecurity-related risk. Key to the continuing success of \nthe framework is that it is voluntarily implemented by industry \nand voluntarily adopted by infrastructure sectors.\n    In addition to the cybersecurity framework, NIST has \ndeveloped over the past decade an extensive set of security \nstandards and guidelines, including a risk management framework \nthat can be customized for small businesses and voluntarily \nimplemented to help protect intellectual property and \norganizational assets.\n    Building on the success of the cybersecurity framework and \nthe Baldridge Performance Excellence Program, NIST released the \ndraft Baldridge Cybersecurity Excellence Builder, a self-\nassessment tool, to help organizations of all sizes better \nunderstand the effectiveness of their cybersecurity risk \nmanagement efforts. 
Using the Builder, organizations of all \nsizes can determine cybersecurity-related activities that are \nimportant to business strategy and the delivery of critical \nservices, and prioritize investments in managing cybersecurity \nrisk.\n    Since 2001, NIST has partnered with the Small Business \nAdministration and the Federal Bureau of Investigation's \nInfraGard program to sponsor regional computer security \nworkshops and provide online support for small businesses. The \nworkshops feature security experts who explain information \nsecurity threats and vulnerabilities, and describe protective \ntools and techniques that can be used to address potential \nsecurity problems. In 2016, NIST partnered with the SBA, the \nFederal Trade Commission--I am grateful that we are here \ntogether--and the Department of Energy, to provide \ncybersecurity training webinars to hundreds of small \nbusinesses.\n    The National Initiative for Cybersecurity Education, or \nNICE, led by NIST, released the draft NICE Cybersecurity \nWorkforce Framework in 2016, to help our Nation more \neffectively identify, recruit, develop, and maintain its \ncybersecurity talent.\n    NIST is also piloting the establishment of alliances to \ncoordinate regional activities addressing the cybersecurity \nworkforce shortage.\n    The NIST National Cybersecurity Center of Excellence, or \nNCCoE, collaborates with experts from industry, academia, and \ngovernment to create and promote standards-based solutions to \nreal world cybersecurity problems using commercially available \nproducts in the form of technical practice guides that can be \nused by organizations, including small- and medium-sized \nbusinesses.\n    The NCCoE project on mobile device security, for example, \nprovides guidance on the implementation of capabilities to \nsecure sensitive business data residing in the cloud and being \naccessed by employees on mobile devices.\n    Small businesses are more innovative, agile, and 
productive \nthan ever, thanks to the capabilities delivered by information \ntechnology, but the IT security challenge looms larger than \never. The NIST programs described today demonstrate that NIST \ncybersecurity portfolio is applicable to a wide variety of \nusers, including small businesses.\n    NIST is fiercely proud of its role in establishing and \nimproving the comprehensive set of cybersecurity technical \nsolutions, standards, guidelines, and best practices, and of \nthe robust collaborations enjoyed with its Federal Government \npartners, private sector collaborators, and international \ncolleagues.\n    Thank you for the opportunity to present NIST's views \nregarding security challenges facing small businesses. I will \nbe pleased to answer any questions that you may have.\n    Chairman CHABOT. Thank you very much, Doctor.\n    Mr. Rowe, you are recognized for 5 minutes.\n\n                   STATEMENT OF CHARLES ROWE\n\n    Mr. ROWE. Chairman Chabot, Ranking Member Velazquez, \nmembers of the Committee. Thank you for inviting me to testify \non behalf of America's SBDCs.\n    SBDCs operate in all 50 States and D.C., Puerto Rico, the \nVirgin Islands, American Samoa, and Guam. Every year, SBDCs \nassist over 200,000 small businesses, and last year we helped \nthose clients gain nearly $7 billion in sales.\n    But that statistic comes with a hidden peril, cybercrime. \nMore of our clients do business online, and every one of them \nis vulnerable. They want to do more business online, but they \nhave weaker online security, and they can be a gateway to \nclients, partners, and contractors. And those secondary attacks \nare now a regular problem for our small business clients.\n    And not all hacking is for financial gain. Two years ago, \nwebsites were plastered with Islamic State logos; among them, \nMontauk Manor in New York and El Dora Speedway in Ohio. 
No \nfinancial information was stolen, but they had to rebuild their \nsites and restore client confidence.\n    SBDCs are working to spread awareness of these threats and \nbuild training programs at SBDCs all across the country. Around \nthe Nation, we are developing programs to build capacity and \nour training skills. In Florida, our network is working with \nformer DHS Secretary Tom Ridge to develop a series of training \nvideos. The New York SBDC published a cybersecurity planning \nguide, which I think all of you have in front of you, which we \nare disseminating to other States to help them build their \ncapacity.\n    We began developing these resources because advising \nclients on the Internet as a business engine also requires \neducation on the dangers of cybercrime.\n    Under the 2017 NDAA, SBDCs are now working with Homeland \nSecurity and SBA to leverage our resources and provide enhanced \ntraining and assistance. We want to develop cost-effective, \nhigh-quality tools for small business and a network to share \ninformation and threat analysis with those small businesses.\n    I want to thank the members of this Committee for working \non that language and getting it into the NDAA. The timing could \nnot be more critical.\n    While SBDCs are training small business on the first line \nof their cybersecurity needs, the internal focus of basic \nsecurity practices, threats and weaknesses, ways to help them \nprotect their customers and themselves, we are looking at a \nbigger effort, and that is the external demands of \ncybersecurity.\n    On the commercial side, large businesses are going to place \ngrowing demands on their small business suppliers. What \ncertifications are they going to ask for? What kind of systems? \nAnd who is going to supply those certifications? And more \nimportant, who is setting the standards?\n    Last year, the FCC stepped in and declared ISPs to be \ncommon carriers. 
Now they have pulled back in favor of
harmonization, but small businesses are left wondering who is
actually making rules? And while Verizon and Comcast are
battling Google and Facebook over this, what regulations will
end up being placed on small business?
    We know small businesses can be a back door. Does that mean
the rules will be set by the biggest firms at the expense of
the small firms?
    Google already declared certain websites to be unsafe if
they do not have what Google considers adequate security. Now,
http versus https is serious, but how many small businesses
know this? And how much business will they lose because eBay
was not http-compliant and Google users could not find them, or
would not go to them.
    And then there is the government side. The previous
administration was proud of meeting small business goals. Will
that last? They also put out a lot of cybersecurity
regulations. The DOD and the FAR Council issued cybersecurity
amendments to their acquisition regulations, and Homeland
Security recently released three more proposed regulations for
their acquisition regs. How are all of these regulations going
to operate, and how will the agencies harmonize them with FSMA
and the FTC? And will the standards be set at the convenience
of the largest contractors? And what about the subcontractors?
If you have a cybersecurity protocol for large prime
contractors that flows down, it can easily freeze out small
subcontractors.
    That is why SBDCs are glad we are working with DHS and SBA
now, because we want to head off this confusion. A lot of our
members work with PTACs and do a lot of procurement assistance
with small businesses, as well as regular business assistance,
and we want to ensure that opportunity is not sacrificed for
cybersecurity.
    Thank you again for the opportunity to testify. I look
forward to your questions.
    Chairman CHABOT. Thank you very much.
    Mr. Mooney, you are recognized for 5 minutes.

                    STATEMENT OF JIM MOONEY

    Mr. MOONEY. Chairman Chabot, Ranking Member Velazquez,
members of the Committee, thank you for inviting me here for
this meeting today on behalf of NAFCU.
    As you know, cyber and data crime have reached epic
proportions in nearly all sectors of the economy. As the
ranking member mentioned in her opening statement, 65 percent
of all targeted attacks last year were struck at small- and
medium-sized companies.
    Now, credit unions and other financial institutions are
required to protect data consistent with provisions of the
Gramm-Leach-Bliley Act. Unfortunately, for other entities that
handle sensitive, personal, and financial data, there is no
comprehensive regulatory structure comparable or similar to
GLBA. It is with this in mind that NAFCU supports comprehensive
data and cybersecurity measures to create a national standard
to protect consumers' personal information.
    From the perspective of the financial services industry,
cybersecurity and data security are inherently linked. Securing
consumers' personal information and financial accounts requires
the entire payments ecosystem to take an active role in
addressing emerging threats.
    Since 1999, GLBA and its regulations have proven to be
effective in limiting data breaches and protecting valuable
information among financial institutions.
Regulators have
developed robust guidance to help institutions create
information security programs and enterprise risk management
policies to address data and cybersecurity needs.
    In addition, they oversee financial institution
cybersecurity through periodic examinations designed to assess
the risk associated with IT environments of various sizes and
complexity.
    The Federal Financial Institutions Examination Council has
adopted the guidance of our friends from NIST in creating a
cybersecurity assessment tool, or CAT. The CAT is a voluntary
tool that credit unions and banks can use to gauge their
cybersecurity readiness in advance of regulatory examinations.
    Credit unions and banks have also benefitted from the
availability of government initiatives aimed at coordinating
information sharing, identifying emerging threats, and
providing greater cybersecurity expertise.
    A recent NAFCU survey found that credit unions use a range
of government resources to maintain an awareness of emerging
data security threats and to develop stronger cybersecurity
standards. NAFCU has also engaged Treasury's Office of Critical
Infrastructure Protection to suggest areas of improvement and
future opportunities for public-private collaboration.
    Information sharing is a key weapon in credit unions'
arsenal against cybercrime. To that end, NAFCU has recently
collaborated with the industry-led Financial Services
Information Sharing and Analysis Center to promote awareness of
a new information sharing initiative specific to credit unions.
    Now, financial institutions are not the only targets of
cyberattacks. Cybercriminals are realizing that merchants and
retailers are often the weak link in the payment system.
Retailers are an attractive target because they are not
currently subject to any Federal laws on data security or
breach notification.
    Data breaches at retailers can have a significant cost to
financial institutions. From 2013 to 2016, data breaches have
cost my credit union an estimated $833,000 just in member
notification and card-reissue expenses. This does not even
account for the actual fraud losses. These costs are almost
double what Chevron Federal Credit Union pays annually for
information security systems and services.
    Unfortunately, credit unions are rarely reimbursed for the
costs associated with the majority of data breaches. As member-
owned, not-for-profit cooperatives, it is our members who
ultimately bear the burden. These concerns have led NAFCU to
urge Congress to create a national standard for data security.
I outlined the key principles of this in my written testimony.
    In conclusion, cyber and data security are the
responsibility of every participant in the payments chain.
Credit unions and their 106 million members across the country
are looking to Congress to advance meaningful and robust data
security legislation. It is time to level the playing field and
create a national data and cybersecurity standard for everyone
in the payments ecosystem.
    Thank you for the opportunity to appear before this
Committee, and I welcome your questions.
    Chairman CHABOT. Thank you very much. And we thank all the
witnesses for their testimony this morning. And I will begin
the 5-minute questioning by each of us. I recognize myself.
    I will begin with you, Ms. Ohlhausen. You thoroughly
outlined the differences and the different resources that the
FTC offers to small businesses, from guides on best practices
to blog posts encouraging businesses to use email
authentication and how to identify ransomware. And this is
precisely the kind of information that small businesses need.
No question about that.
    However, I have concern that we are just not reaching small
business owners quickly enough or comprehensively enough; that
there are a lot of them out there that just do not know about
these offerings that are there for them. Do you have metrics on
how many small businesses you are impacting? And what efforts
are being made at the FTC to disseminate information more
broadly? And finally, do you have any suggestions on how the
Federal Government as a whole can provide a broader audience
with cybersecurity resources?
    Ms. OHLHAUSEN. Thank you for your question, Chairman.
    First, starting with metrics, we do try to keep track of
how frequently people access our materials, our guides, our
videos, websites, things like that, and just one small measure
is we actually have disseminated field orders for 500,000
printed copies of some of our business education. It is
available on our website. We do try to reach out to let people,
small business know about it, and we work with our Federal
partners. We are always happy also to work with members of
Congress if you would like to put this on your website or brand
it on a website. We also work with other organizations,
community organizations, and we are happy to go out and do
events around the country to bring this to small business. I
have actually personally participated in several of those.
    Chairman CHABOT. Thank you very much.
    Dr. Romine, in your testimony you mentioned this
partnership with the Small Business Administration and the FBI,
as well as your cooperation with the SBDCs. Have these
partnerships been effective in reaching small businesses? And
if so, do you think they could serve as models for future
interagency collaborations to assist small businesses
developing cybersecurity systems?
    Dr. ROMINE. I would say, Mr. Chairman, yes, they have been
highly effective.
The extent of penetration we do not have
statistics for, but I think small businesses have definitely
benefitted from the partnership and from our campaign in
partnership with both the InfraGard program with the FBI and
also the SBA. I think it has been highly effective.
    Chairman CHABOT. Thank you.
    Mr. Rowe, do you think it would be beneficial to have a
single entity to coordinate cybersecurity resources across
Federal agencies, and if so, what would be the architecture of
such? And today, are there any existing agencies or government
entities that would be positioned to take on such a role?
    Mr. ROWE. Well, I am almost kind of loath to suggest
creating more government, but I do think, at least on the
procurement side, the FAR Council is there for a reason. And
the FAR Council should be, frankly, focusing better on making
sure that everyone in the Federal procurement arena is informed
and has adequate resources. Now, that is just a specialized
area.
    On the commercial side of it, I think we have got a lot of
resources here, and as you said, I think the biggest problem we
have is they are not coordinated. I mean, we have 1,000 centers
and we are working like crazy to try and keep people informed
and give them the best possible resources. The biggest problem
you have is the average small business owner is, well, we like
to call it trapped in the whirlwind. They have got 5,000 things
to worry about and sometimes this is not the wolf closest to
the sled. I believe we need to coordinate much the same way we
have an interagency trade promotion coordinating committee.
There should be a cybersecurity coordinating committee between
the agencies.
    Chairman CHABOT. Okay. Thank you very much.
    Mr. Mooney, with the remaining time, I would like to move
to you. I know that there have been these distributed denial of
service attacks going on and ransom, et cetera, and it has been
hitting the big folks, but it has been hitting small business
folks as well. It seems like a 21st century bank heist where
the robber basically says give me your money or I will shut
down your website, in essence. Could you comment on that? What
is being done about that? How can people protect themselves
from that type of thing when they literally grab a hold of
everything and want ransom in order to give you back your
computer system?
    Mr. MOONEY. Mr. Chairman----
    Chairman CHABOT. If you could turn on the mic. Sorry.
    Mr. MOONEY. Mr. Chairman, the key is to have a security
system that is multifaceted and multilayered. And in our case,
we have built in for as many of those kinds of contingencies
and attacks as we may face, as well as we can predict. And so
what we find again is that there is no one answer to any
security problem. You have to attack it in multiple ways, and
that is what we tend to do.
    Chairman CHABOT. Thank you very much. My time is expired.
The ranking member is recognized for 5 minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    You have testified about ways the FTC has provided
resources to consumers and businesses to improve data security.
You mentioned today that you hope to centralize information for
small businesses. The number one consumer request for 13 years
running has been an annual report on ID theft and data
security. So has the FTC considered such a report that includes
information on the latest threats and how we can mitigate those
efforts?
    Ms. OHLHAUSEN. Thank you for your question. The FTC does
collect information about what the biggest consumer threats
are. We have a system called Consumer Sentinel. ID theft, you
are absolutely right, has been very much a top concern. We have
tried to counter that on several fronts.
One is giving advice
to businesses about how they can secure their data. Another is
we have an identifytheft.gov tool on our website that helps
victims of identity theft create a personalized plan to get
their good credit and name back. I think that in addition to
those things, we also bring, you know, enforcement actions
where necessary if a company has not taken appropriate steps.
    Ms. VELAZQUEZ. And why is it that difficult for the FTC to
produce a report geared to small businesses that provides a
comprehensive view of all the threats and how they can mitigate
them?
    Ms. OHLHAUSEN. Well, we could certainly consider doing a
report. We do have our Start with Security brochure that gives
a step-by-step approach for small business on how to take steps
to protect data, and then if there is a breach, how they can
remedy that breach. And if a report that is tied to current
threats would be of additional interest to businesses, we can
certainly consider that.
    Ms. VELAZQUEZ. Thank you.
    Mr. Mooney, despite the widespread nature of cybercrime,
there remains a great deal of confusion in the legal system as
to when individuals and businesses should bear losses and when
financial institutions should be held responsible. Do you think
that legislation is required to address this issue on a
national basis?
    Mr. MOONEY. I believe it can. And the reason I say that is,
as you noted, it is very ambiguous right now. And what I think
really would clarify matters tremendously is if we had a
national standard related to security practices, one that goes
beyond what we have today. Today, Gramm-Leach-Bliley, as I
mentioned before, provides that kind of clarity for banks,
credit unions, and other financial institutions. Outside of
that, there is really no clarity at all. And what we recommend
is that there be a national standard along the lines of GLBA
that provides the kind of flexibility, scalability, and risk-
based assessments that will add to the clarity and allow
everybody to step up to the plate in the payment system.
    Ms. VELAZQUEZ. Okay. Thank you.
    Tee, would you like to comment on that?
    Mr. ROWE. Well----
    Ms. VELAZQUEZ. I know that you do not like legislation.
    Mr. ROWE. Well, I cannot say that. I made my living off of
legislation. But I think you raised a good point. We have so
many small business clients who are surprised to find out that
when their account got drained there is no recourse. They are
not like a consumer who is--I think it is Regulation E that
protects them. They are under the Uniform Commercial Code. So
basically, it defaults to that reasonableness standard. And the
whole problem with the reasonableness standard is what is
reasonable is shifting all the time. And it is hard to tell if
you are a small business where the bar has moved to.
    Ms. VELAZQUEZ. Okay. I know that it has not been long since
we passed the NDAA, it was signed into law, but in terms of the
SBDCs, working on implementing and disseminating cyber
strategy, what type of progress has there been so far?
    Mr. ROWE. Well, we always run into the problem in the
transition, but, you know, we have been talking with SBA. Jack
Bienko at SBA has been very helpful, and Holly Jackson from
Homeland Security, who is in their cybersecurity and
stakeholder engagement, which I never knew you had that in
cybersecurity, which is great. So we are getting started. As I
said, we have already organically begun our own efforts. The
larger concern for us is going to be what you talked about, how
do we develop--you talked about the report, but how do we
develop basically a threat analysis and information network for
small business?
An annual report, well, that tells you what
happened over the last year. It does not tell you what is going
on now.
    Ms. VELAZQUEZ. Thank you.
    Chairman CHABOT. The gentlelady's time is expired.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Chairman CHABOT. Thank you.
    The gentleman from Missouri, Mr. Luetkemeyer, who is the
vice chairman of this Committee, is recognized for 5 minutes.
    Mr. LUETKEMEYER. Thank you, Mr. Chairman.
    Mr. Rowe, in your testimony, or in your written testimony I
should say, you have some statistics there that are
mind-boggling. Cybercrime costs the global economy $445 billion
every year with the damage to business from theft of
intellectual property exceeding $160 billion loss to
individuals. So you are looking at $600 billion of loss total
there. Fifty percent of the businesses as you say, I mean,
small businesses, have been victims of cyberattacks, and over
60 percent of those will go out of business.
    My question to you is did they go out of business or will
they go out of business because of the liability exposure that
they have there? Or did they go out of business because of the
money that is stolen from them or because of the reputational
problems that they have had to be able to stay in business? A
combination of all those? Can you answer that?
    Mr. ROWE. Sir, I would say it is a combination of all of
those. I would say that the financial loss is generally the
hardest hit for a small business. As you and the members of the
Committee know, small business, they live off of cash flow.
They live off of their capital. And a hard hit to that is
something that is very difficult to overcome.
    Mr. LUETKEMEYER. Now, with regard to the small businesses,
though, do you see any of them being sued for the lack of
adequate cyber protection?
    Mr. ROWE. Well, that goes to what Ms. Ohlhausen was talking
about. What is reasonable? If a small business has got decent
cyber protection, is that a reasonable amount? I honestly do
not know. The problem is that that bar keeps shifting as
technology changes. We are working on things now that, frankly,
block chain technology is going to change massively.
    Mr. LUETKEMEYER. Ms. Ohlhausen, would you like to comment
on that?
    Ms. OHLHAUSEN. I think there are probably a variety of
reasons that a company, a small business, may go out of
business after a data security breach, including the financial
implications that Mr. Rowe mentioned, as well as that small
businesses are close to their customers. Right? If they lose
customer trust, then I think that could also be a problem.
    Mr. LUETKEMEYER. Okay. So my concern is we know we are
being attacked. How do we protect the business' viability
against that attack? Have you seen some businesses go out of
business because they are being sued because of lack of data
security protections?
    Ms. OHLHAUSEN. I am aware that some businesses have----
    Mr. LUETKEMEYER. Because I can tell you from the financial
side, if I am a financial services regulator and I go into a
financial services credit union, bank, whatever, and I see I
have got a small business there that is highly leveraged and
they deal with lots of personal data, there is an exposure
there that I am very concerned about that if they have a data
breach, is the viability of that business going to be affected?
And so how does that small business protect themselves against
that liability exposure? What kind of safe harbor can we put
together?
    Where I am going with the question is can we find a way to
provide a safe harbor? Or is the safe harbor something like an
insurance policy that is put in place to protect a small
business which does not have the resources of a Target or a
Home Depot when they have some data breaches?
I mean, I had a
large supermarket in my area that had its own debit card got
breached and cost several hundred thousand dollars. It was
dispersed, but it was significant. So how do we come up with a
safe harbor for these small businesses? Is it an insurance
policy that you go down this road to be able to help them or
are they just exposed?
    Mr. ROWE. Honestly, you are right. They are just exposed
right now. There is a fledgling industry on cybersecurity
insurance, but, frankly, even if you are insured, I wonder how
the actuarial effort would work. You can go now and you can get
your car insured, if you have LoJack sometimes you will get a
rebate on your insurance. Sometimes you will not.
    Mr. LUETKEMEYER. Well, my concern is if we have got some
exposure, how do we protect the small businesses against that?
And while Dr. Romine was very specific about some of the
guidelines and principles that he is recommending here, that is
fine. But if it does not provide the safe harbor, and if I am
looking at the viability of the business, to me an insurance
company is a whole lot more nimble and flexible to be able to
come out and tell the small business we found a new way,
especially with the Fintech industry today continuing to evolve
and continuing to have all sorts of--I do not want to say the
word ``exotic,'' but there are certainly interesting products
out there that help integrate all these different businesses
and the payment systems. To me, you only have to figure out a
way to have some sort of--I think the private sector is a
better way to go about this, provide that kind of coverage and
safe harbor.
    Mr. ROWE. Well, I would agree with you because I think in
general the private sector is much more nimble. Rather than
insurance, I would think about it from the financial sector
point of view. There is a lot of money invested, whether it is
through lenders like credit unions or 7(a) lenders or you name
it, Fintech, who all have a stake because if the small business
gets hacked and goes under, they are not going to get repaid.
So they have a stake in trying to build that up.
    Mr. LUETKEMEYER. Thank you.
    Chairman CHABOT. The gentleman's time is expired.
    It is my understanding that the gentleman from Missouri
wants to make a unanimous----
    Mr. LUETKEMEYER. Yes, ICBA has a letter to the Committee
and I would like to put it into the record.
    Chairman CHABOT. Without objection, so ordered.
    Mr. LUETKEMEYER. Thank you.
    Chairman CHABOT. And the gentleman from Illinois, Mr.
Schneider, who is the ranking member of the Subcommittee on
Agriculture, Energy, and Trade, is recognized for 5 minutes.
    Mr. SCHNEIDER. Thank you, Chairman. And again, thank you to
the witnesses for making time to not just be here, but to
prepare. I know how much work goes into this, so thank you for
sharing your expertise and insight.
    The issue of cybersecurity, the issue of dealing with these
challenges for small businesses are complex, confusing, and
constantly changing. That is one of the problems we face and
the risks keep growing.
    Mr. Mooney, you talked about the idea of trying to
establish a national standard. I would imagine one of the
challenges we face in doing that, that once we get consensus,
it is going to be out of date. So opening this up to the whole
panel, how in partnership, private sector-government, might we
best work to address the dynamism, if you will, of the threat?
    Mr. MOONEY. Well, if I might take the first shot at that
question, Congressman, I think the experience that we have had
in the financial services industry suggests that there is a way
to not be locked into any particular perspective or way of
doing things.
The way that Gramm-Leach-Bliley works is it
provides a great deal of flexibility. It is risk-based. It is
scalable so that it addresses the concerns as they exist at the
time. And in suggesting that we would want to have some sort of
national application of that, we would recommend that it has
and follows those same principles.
    Mr. SCHNEIDER. Mr. Rowe?
    Mr. ROWE. Well, you are absolutely right. The shifting
nature of the problem is sort of what militates against a
national standard unless that standard is based on
responsibility. And it then becomes a question of who is going
to be responsible? I would say in so many areas, whether it is
a small medical practice that is dealing with HIPAA information
or a small business that may have a fair amount of financial
information--a small insurance agency or an investment
advisor--you have got to begin to follow the money.
    And you have also got to place responsibility on the
merchant services corporations who you are dealing with. Amazon
and eBay make a fair amount of money supporting small
businesses who are selling. It might be an interesting idea to
say they bear some responsibility in helping to educate the
people who work with them.
    Mr. SCHNEIDER. You talk about a small insurance agency. I
had the privilege of running a small insurance agency. There
were two producers and we had a staff of eight. None of the 10
of us were the technology expert. Now, this was in 1997 to
2003, an entirely different environment than what we are facing
today. And as I think through this problem, I know the time we
spent on technology, on handling a lot of classified personal
information and making sure that it was always safe and always
protected. That just keeps getting increasingly hard. Are there
ways, whether it is the work you do, things that we can do to
help small businesses continue to stay ahead of the curve?
    Mr. ROWE. And that is the whole key to what we are trying
to accomplish here is build the resources and get the resources
out so that small businesses can stay ahead of the game.
    Mr. SCHNEIDER. Yeah, and I will add, as you talked about in
your testimony, large corporations have resources and the
people to do this. It falls oftentimes to the smaller
companies, especially, for example, the ones trying to do
business through Amazon and eBay and other opportunities that
are there.
    I appreciate that. I am nearly out of time. I will yield
back the balance of my time to keep us on schedule.
    Chairman CHABOT. Thank you very much. The gentleman yields
back.
    The gentleman from Kansas, Mr. Marshall, is recognized for
5 minutes.
    Mr. MARSHALL. Thank you, Mr. Chairman.
    My first question is for Dr. Romine. You may know I am a
physician and help run a hospital as well, and health care
seems to be particularly vulnerable to cyberattacks. Does NIST
have any ideas on how to ensure the safety of healthcare data
from cyberattacks? Are there any best practices? And especially
I am thinking of smaller community hospitals, that type of
thing.
    Dr. ROMINE. Thank you for your question. We have projects
going on through our National Cybersecurity Center of
Excellence having to do with specifically that. We have a
program in protection of health care and healthcare
information. We also have, as part of that program, the
protection of medical devices.
So, for example, we have a
program on trying to secure wireless infusion pumps in
hospitals and trying to understand the threat that they present
to the patient, as well as to the enterprise of the hospital,
as an entry point for getting into other parts of the system.
    With regard to the relation to small business, one of the
things that we are looking at now and have completed recently
for publication is trying to understand how to secure patient
information or protected information when a physician is using
a mobile device, to access that patient information.
Anecdotally we hear, for example, the physician really just
wants to do the best for the patient. Some of the rules
regarding the transfer of that patient information can get in
the way of providing that, and so we are trying to find ways
that we can secure that communications mechanism to make it
both more efficient for patient care, as well as more secure.
    Mr. MARSHALL. As a physician, I am more concerned about
patient confidentiality today than I was 10 years ago. The
worst thing I had 10 years ago was someone could come in and
steal a chart, but now if they crack the code they have access
to thousands of charts. So it is almost like this has backfired
on us.
    I am into solutions. One of the biggest concerns I hear
from the banking institutes, credit associations, is when they
have a breach, there are significant fines. Small businesses, I
am thinking of convenience stores where they are just doing
thousands of transactions a day with a credit card, if they
have a data breach, it still falls back on the banking
institute. And I am looking for solutions. How can we help both
sides here? What is the solution that anyone would have to that
problem so it does not always fall just on the banking
institutes or the credit cards?
    Mr. MOONEY. May I take that?
    Mr. MARSHALL. Please. Yeah.
    Mr. MOONEY. Well, Congressman, I think our approach here
and the suggestions that we are making regarding some sort of
consistent level of standards for all players in the payment
system we think is vital to accomplishing what you were just
talking about. Under Gramm-Leach-Bliley, we are really given
the duty to make data security our responsibility and our
focus. And what we think is for the payment system to be
viable, everybody has to be playing at the same level. Now,
again, we talk about small businesses and big businesses. As
GLBA has functioned, it is scalable. So the risks that a large
multinational financial institution has is going to be much
greater than a small credit union, and the risk assessments
accordingly are much different and the responsibilities are
much different, but everybody is on the same page in terms of
the responsibilities of protecting consumer, financial, and
personal data.
    Mr. MARSHALL. Okay. Anybody else have a comment?
    Ms. OHLHAUSEN. The Federal Trade Commission has in previous
Congresses supported on a bipartisan basis Federal data
security and breach notification legislation that would give a
clearer standard, a process-based standard, to businesses and
also have a Federal requirement that if there is a breach,
under certain conditions they have to notify consumers about
it. So they can also take steps to protect themselves.
    Mr. MARSHALL. Okay.
    Mr. MOONEY. And if I may, just to add to that, and that is
the environment that financial institutions operate under
today. And so you are suggesting just broadening, which is what
we think makes a lot of sense.
    Mr. MARSHALL. Thank you, Mr. Chairman. I yield back.
    Chairman CHABOT. Thank you very much. The gentleman yields
back.
    The gentlelady from Florida, Ms. Murphy, is recognized for
5 minutes. And she is the ranking member of the Subcommittee on
Contracting and Work Force.
    Ms. MURPHY. Thank you to our witnesses for testifying
today.
    As was just mentioned, I serve as the ranking member on
Contracting and Workforce. And you have discussed at length
today in your testimony the great number of challenges that
small businesses face in complying or dealing with
cybersecurity. But I am specifically interested in honing in on
the challenges that face small businesses in the contracting
community and how these issues will affect the ability of small
firms to compete for and win Federal contracts.
    As you may know, it is becoming an increasingly common
prerequisite for small businesses to be able to meet
regulations that demonstrate their ability to maintain safe and
secure networks before they can even participate in the
competitive contracting process. My concern is that over time
this may lead to more small firms losing bids or it may even
discourage them from engaging in the bidding process at all
because they simply cannot compete with larger companies that,
unlike them, have the resources to hire and retain dedicated
cybersecurity and IT personnel.
    So Mr. Rowe, in your experience, how has the sheer
complexity of these regulations so far affected the small
business contractors that you have worked with? And what do you
advise them as they face uncertain regulations and prohibitive
compliance costs?
    Mr. ROWE. Well, the hardest thing any of them have facing
them is just knowledge of the Federal Register. I would be
willing to bet half of them have no idea that the Department of
Homeland Security just put out a proposed regulation on, what
do they call it, confidential unclassified information. Now, I
am not even sure what that is. But in all of these situations--
and these are all operating from the best of intentions, all of
these agencies. They are trying to protect sensitive
information on everything from weapon systems to medical
equipment. But there is that tendency to go with the
sledgehammer to kill a gnat.
    And small businesses are left behind in all of these
regulatory efforts because they have got to know what the
Federal Register is, comment in the Federal Register, have that
comment taken seriously, while, frankly, Lockheed and Boeing
and SAIC have guys like me that they pay lots of money to do
that for them.
    To date, it has not really become horrible. My concern is
if you have got a defense acquisition regulation system, a
Federal acquisition regulation system, a Department of Homeland
acquisition regulation system, all of which have cybersecurity
regulations which may not all be exactly the same, and then you
are requiring security protocols for a small business that may
be working three or four agencies and trying to get their
security to match up with the security systems in four
different computer systems, we all know that at a certain point
it just does not work. And that is the biggest concern that we
have is getting enough flexibility so that the small business
can protect the data without having to do all their work in
triplicate.
    Ms. MURPHY. Do you have any suggestions on how that
regulatory process can be streamlined or rationalized in a way
that would avoid the scenario that you just laid out?
    Mr. ROWE. Yes. Again, it goes back to what I said to the
chairman. I think there needs to be an interagency coordinating
committee on cybersecurity so that when the FAR Council, which
is really just DOD, GSA, and the Office of Management and
Budget, make a decision, there has been input from all the
other agencies and from small business.
    Ms. MURPHY. Great. Thank you. And I will yield back the
remainder of my time.
    Chairman CHABOT. Thank you very much. The gentlelady yields
back.
    The gentleman from Pennsylvania, Mr. Fitzpatrick, is
recognized for 5 minutes.
    Mr. FITZPATRICK. Thank you, Mr. Chairman.
Thanks to \neveryone on the panel for your time today.\n    I want to ask specifically about law enforcement \ncorroboration and collaboration. Department of Homeland \nSecurity, Department of Justice, particularly the FBI, are the \ntwo main law enforcement organizations responsible for \ninvestigating cyber-related crimes and national security-\nrelated cyberattacks. Dr. Romine mentioned the InfraGard \nprogram. That is one of several programs that exist.\n    My question, not only from the small business standpoint, \nbut also I am on the Cyber Subcommittee of Homeland Security, \nwhat is the collaboration currently? How has it been going in \nboth directions?\n    Because not only is it important that law enforcement \nreceive this information to track digital fingerprints and \npatterns of cyberattacks; it is equally important for the small \nbusiness community that there be a good relationship that the \nBureau and Department of Homeland Security can share tips on \nthe private side on how to best protect small businesses from \ncyberattacks. So if any one of you could just comment on what \nthe status of relationships is with those two Federal agencies, \nwhat works and what has not worked.\n    Dr. ROMINE. Thank you for the question.\n    I am happy to reiterate the importance that we accord to \nthe partnership with FBI's InfraGard program and the SBA as a \nmechanism for outreach to provide the kind of information that \nyou just discussed, to the private sector broadly, but \nparticularly to small- and medium-sized businesses. I think \nthat has been very effective and it is a strong relationship.\n    Mr. FITZPATRICK. Department of Homeland Security. Has there \nbeen any relationship or outreach with them?\n    Dr. ROMINE. We have ongoing relationships with the \nDepartment of Homeland Security. They were vigorous \nparticipants during the development of the cybersecurity \nframework, for example. 
They spent a lot of time generating a \nvoluntary program that they used in concert with, and using the \ncybersecurity framework as it emerged, to provide that kind of \noutreach. We had a lot of strong input from them and provided \nthem a lot of useful information that they could then use in \ntheir voluntary program for people to adopt the framework or to \nget assistance in using the framework.\n    We have partnerships with the FBI in other areas such as \nbiometrics technologies, for example. That is a slightly \ndifferent topic, but with the understanding of trying to \nimprove the accuracy of biometrics. That partnership goes back \nto 1963 with the FBI, so we consider that a pretty strong \nrelationship.\n    Mr. FITZPATRICK. Have there been any frustrations that you \nhave heard from the small business community with regard to law \nenforcement not taking certain cases because they do not fall \nwithin the threshold that would allow for an investigative \nactivity?\n    Dr. ROMINE. NIST would not hear something like that.\n    Mr. FITZPATRICK. Okay.\n    Dr. ROMINE. I think that is not the kind of information \nthat they would share with us. We do ensure that we have \noutreach to small businesses so that we can ensure that our \nwork products, our cybersecurity guidance is scalable and \ndigestible at all levels. We are working much harder on that to \nensure that it is useful across the spectrum, all the way from \nsmall to very large enterprises.\n    Mr. FITZPATRICK. Thank you. I yield back.\n    Chairman CHABOT. Thank you. The gentleman from Pennsylvania \nyields back.\n    That concludes our questions to the panel. We want to thank \nthe very distinguished panel for their testimony here today. It \nhas been very helpful. 
I think once things clear, and that is \nthe people up here, the members on both sides of the aisle want \nto do everything we possibly can to ensure that small \nbusinesses have the best possible cybersecurity resources \navailable to them.\n    And along those lines, we, being the Committee, are going \nto be putting this up online today. These are easy-to-\nunderstand security packets that will be available to small \nbusinesses. They are kind of step-by-step guides on how to \nprotect themselves, small business folks, from cyberattacks. \nAnd these will be up on the Small Business Committee's website \ntoday. So I just wanted to mention that.\n    And I would remind folks that members would have 5 \nlegislative days to submit statements and supporting materials \nfor the record.\n    And if there is no further business to come before the \nCommittee, we are adjourned. Thank you very much.\n    [Whereupon, at 12:11 p.m., the Committee was adjourned.]\n    \n    \n    \n    \n    \n    \n                            A P P E N D I X\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n    Chairman Chabot, Ranking Member Velazquez, members of the \ncommittee. Thank you for inviting me to testify on behalf of \nAmerica's SBDC, the Association of Small Business Development \nCenters.\n\n    SBDCs operate over 1,000 centers in all fifty states as \nwell as the District of Columbia, Puerto Rico, the Virgin \nIslands, American Samoa and Guam. SBDCs provide management and \ntechnical assistance to over 200,000 small businesses every \nyear and training to over 300,000 business owners and their \nemployees. All of these small business owners have the same \nbasic question, ``How do I succeed?''. 
That's not always a \nsimple answer but, for almost every business that means \nmaximizing sales, and we've been able to aid those clients to \nthe tune of nearly 7 billion in new sales every year.\n\n    This is a great statistic, but it contains a not too hidden \nperil, cyber-crime. More and more of our clients do business \nonline. Every single one of them is vulnerable, and they may \nnot even know it. They may not even have a website but they are \npotential victims. Every time they run a credit card \ntransaction, or answer their email they expose themselves and \ntheir customers to the risk of hacking, phishing and \nransomware. And the dangers go beyond e-commerce. Any business, \nwhether a vendor or a contractor, is at risk if they are \nconnected and have personally identifiable information or the \npotential to be an access point to others who do.\n\n    By now I assume everyone is aware of the alarming \nstatistics about cyber-crime. Cybercrime costs the global \neconomy about $445 billion every year, with the damage to \nbusiness from theft of intellectual property exceeding the $160 \nbillion loss to individuals. Fifty percent of small businesses \nhave been the victims of a cyber-attack and over 60 percent of \nthose attacked will go out of business.\n\n    Despite these facts many small businesses continue to \nignore or avoid the risk. Many of our clients believe, ``I \ndon't do business online or I don't have any valuable \ninformation.'' Of course, the truth is exactly the opposite. \nEvery time they take an order, swipe a credit card or send an \nemail they put themselves and their customers at risk. 
Too \noften the concern is for customer privacy but corporate clients \nand vendors are at risk too.\n\n    Small businesses present cybercriminals with an easy way to \ngain access to customer credit card records and bank accounts, \nsupplier networks and employee financial and personal data.\n\n    They want to do more and more business online but they have \nweaker online security. Or they use cloud services that don't \nhave strong encryption. As a result, the small business can be \na gateway to gain access to clients, business partners, and \ncontractors and a backdoor into many large organizations. To a \nhacker, that translates into reams of sensitive data behind a \ndoor with an easy lock to pick. If a small business has any \nFortune 500 companies as customers, they are an even more \nenticing target. These secondary attacks are now a regular \nproblem for small business.\n\n    Small businesses are particularly vulnerable to email \nattacks mimicking their banks or other trusted institutions and \nciting an urgent need for account or some other vital \ninformation, and often multiple employees have access to that \ninformation. Further, business accounts do not enjoy the same \nprotection against loss as consumer accounts--something many \nsmall-business owners do not discover until it's too late. \nConsumers are protected by regulations which limit their \nliability. Commercial accounts, however, are covered by the \nUniform Commercial Code (UCC) and enjoy no such protections. \nUnder the UCC banks aren't liable for unauthorized payments if \ntheir security is considered ``commercially reasonable''. As a \nresult, few small businesses that are the victims of cyber \ntheft ever recover their funds.\n\n    More than ever, sensitive data, intellectual property and \npersonal information of small and medium sized firms are \ntargeted by an ever increasing and sophisticated community of \ncybercriminals. 
Symantec has found that over the last several \nyears there has been a steady increase in cyber-attacks \ntargeting businesses with less than 250 employees.\n\n    And not all hacking is for financial gain. Two years ago, \nseveral businesses were simultaneously hacked and their \nwebsites were taken over by what appeared to be ISIS. Islamic \nState logos and Arabic script were plastered all over the sites \nfor Montauk Manor in the Hamptons; Eldora Speedway in New \nWeston, Ohio; Dogwoods Lodge dog kennel in Des Moines, Iowa; \nSequoia Park Zoo in Eureka, CA; Montgomery Inn in Montgomery, \nOhio; the Moerlein Lager House in Cincinnati; and Elasticity, a \nvocational charity in St. Louis, MO. No financial information was \nstolen but imagine the time, effort and lost business for each \nof these firms. They had to rebuild their sites and try to \nrebuild client confidence. After all, if you knew a hotel had \nbeen hacked would you give them a credit card to hold a \nreservation?\n\n    At the SBDCs we have been working to spread awareness of \nall these threats to our clients. We offer training programs to \nour clients at most SBDCs and we are working to expand the \ncoverage to the entire network. In our centers in New York, \nDelaware, Florida, Texas and others we are developing programs \nto not only advise and inform our clients but spread the \ninformation and training capacity throughout our networks. In \nFlorida, our network is collaborating with Ridge Global, the \nfirm founded by former DHS Secretary Tom Ridge, to develop a \nseries of training videos on cybersecurity. The New York SBDC \nhas developed a cybersecurity planning guide which we are \nworking to disseminate to other states to help them build their \ncapacity. In Michigan, besides training, our network is \nlaunching a media campaign day to spread awareness. SBDCs began \ndeveloping these resources on our own over the last few years. 
\nMy members recognized that, while they are advising and \ntraining their clients on the value of the web as a marketing \nand sales engine, they also needed to educate them on the \ndangers and pitfalls of the web.\n\n    On top of the organic efforts within the SBDC networks we \nare now working at the national level to help develop a \nnational small business cyber strategy. Pursuant to section \n1841 of the National Defense Authorization Act for 2017 \nAmerica's SBDCs is working with the Department of Homeland \nSecurity (DHS) and the Small Business Administration (SBA) to \ndevelop a strategy to leverage the collective resources of DHS, \nSBA and the national network of SBDCs to provide the resources, \ntraining and assistance small businesses will need.\n\n    We will be working to share and improve cyber programs, \nenhance services and raise awareness of the threats. In \nparticular, we want to help develop cost-effective, high-\nquality tools for small business and a network to share \ninformation and analysis on threats.\n\n    On behalf of our clients I want to thank the members of \nthis committee for their efforts in getting that language \nincluded in the NDAA. The timing could not be more critical, \nthe threats and the awareness of the threats have grown but at \nthe same time so has the confusion. What steps do small \nbusinesses need to take? Do they need security software, a \ncyber specialist, certifications? What tools are effective, \nwhat certifications are valid?\n\n    SBDCs are developing and training small businesses on that \nfirst line of their cyber security needs, the internal focus of \nbasic security practices. Teaching employees about the threats \nand weaknesses, helping them protect client and customer \ninformation. They are also working with small businesses to \nhelp them recognize and develop their own strategies and \nassessments of their needs. 
My members have developed some \nexcellent education and it will grow stronger but the harder \neffort is going to be assisting small businesses in dealing \nwith the external demands of cybersecurity.\n\n    Commercial customers and big business will have growing \ndemands on the cyber infrastructure of their small business \nsuppliers. What certifications will they demand, what hardware? \nWho will supply these certifications, and at what cost? If we \nadd federal procurement issues (already a complicated area) how \nwill small businesses cope? I want to divide this area of \nconcern into two sides--commercial business and government \nbusiness.\n\n    On the commercial side, small business faces a real \nproblem. Who is in charge and to whom are they responsible? \nLast year, the Federal Communications Commission (FCC) stepped \ninto the world of e-commerce and declared Internet Service \nProviders (ISPs) to be ``common carriers''. Now the FCC has \ndecided to hold off on the privacy rule in favor of \n``harmonization''. Small businesses are left to wonder, ``Who \nis responsible, anyone?''\n\n    At America's SBDC we will be working hard to ensure that \nour clients have the best possible, most cost-effective tools. \nAt the same time, it would be nice to know if anyone further up \nthe ``food chain'' is to be held accountable. There is a real \nconcern about the trickle down nature of the regulatory \nframework. While titans like Verizon and Comcast battle Google \nand Facebook, what level of regulation will be placed on small \nbusiness?\n\n    We know there is a potential for small business to be a \nback door. Does that mean, in a regulatory framework controlled \nby internet giants, that the rules will be set by the giants at \nthe expense of the pygmies? We have already seen Google declare \nthat websites without what they consider ``adequate security'' \nwill be labeled ``unsafe''. I do not doubt that http vs. 
https \nis serious, but how many small businesses are either aware of \nthis distinction or aware of what they need to do to be Google \ncompliant?\n\n    I expect Google aficionados and techies will call me a \nLuddite. They would be wrong. I use Chrome and love it. I know \nwhat an SSL certificate is. How many small business owners do, \nor know where they can get the help they need? How much \nbusiness will a small business lose because they are on eBay \nand, as of the end of January, eBay wasn't https compliant?\n\n    These are the types of trickle-down, large firm favoring \nregulatory schema about which we should be concerned.\n\n    Now I'd like to comment on the government side. The \nprevious administration was proud of their efforts and \nsuccesses at meeting small business contracting and \nsubcontracting goals. I'm concerned about whether that \nsuccess can last. Unfortunately, a lot of the uncertainty we \nface now is because the previous administration also put out \ncybersecurity regulations at the very end of their term before \nanything could really be discussed and tried out. The result is \nthe uncertainty and confusion we see now.\n\n    There should be significant concern that federal and state \nagencies will begin to develop conflicting and potentially \ncontradictory procurement regulations, derived from the best \nintentions regarding security and privacy, but having a \nnegative effect on small business participation. The Department \nof Defense has issued cybersecurity amendments to the Defense \nAcquisition Regulations (DFAR) and the FAR Council issued \namendments to the Federal Acquisition Regulations (FAR). Just \nrecently the Department of Homeland Security released three \nproposed regulations on cybersecurity though they are, I \nbelieve, being held by the current administration. Those \nregulations weren't even for classified information; they were \nfor Controlled Unclassified Information (CUI). 
To date, I have \nseen only two comments in the Federal Register. I doubt any \nsmall business that contracts with DHS is aware of these \nproposed regulations, and many of our SBDC clients are those \naffected businesses.\n\n    How will all these regulations operate? Can they co-exist? \nAgencies issue the proposed rules and state they will \n``harmonize'' them with FTC and other efforts, how? Who will \n``harmonize'' them? These regulations have the best and most \nlaudable goals, protecting government data integrity and \nprotecting citizens' privacy. However, the potential costs of \ncompliance for any small business involved in, or wishing to be \ninvolved in government contracting could be crippling. Will the \nstandards be set at the convenience of the largest contractors \nwith small businesses left to wonder how they'll be able to \ncomply?\n\n    In addition, what will happen to subcontractors? Imagine a \none-size fits all cybersecurity protocol that flows down to \nsubcontractors. The potential for small businesses becoming \nfrozen out is very real.\n\n    That is why America's SBDCs is glad to be working on this \nstrategy with DHS and SBA now. We want to help head off the \nconfusion and provide training to ensure opportunity is not \nsacrificed for cybersecurity. At America's SBDC we believe it \nimportant to be at the front of this effort, to develop a set \nof resources to enable small business participation through \nassistance and training, rather than having to play ``catch \nup'' with small businesses confused by a new regulatory \nframework.\n\n    Thank you again for the opportunity to testify. I look \nforward to your questions.\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n"