<html>
<title>FEDERAL GOVERNMENT AND SMALL BUSINESSES: PROMOTING GREATER INFORMATION SHARING FOR STRONGER CYBERSECURITY</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

FEDERAL GOVERNMENT AND SMALL BUSINESSES: PROMOTING GREATER INFORMATION
                   SHARING FOR STRONGER CYBERSECURITY

=======================================================================

                                HEARING

                               before the

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                           NOVEMBER 15, 2017

                               __________

            Small Business Committee Document Number 115-048
              Available via the GPO Website: www.fdsys.gov

                               _________

                U.S. GOVERNMENT PUBLISHING OFFICE

 27-719                   WASHINGTON : 2018
____________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov.
Phone: toll free (866) 512-1800; DC area (202) 512-1800
  Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 20402-001

                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        TRENT KELLY, Mississippi
                             ROD BLUM, Iowa
                         JAMES COMER, Kentucky
                 JENNIFFER GONZALEZ-COLON, Puerto Rico
                          DON BACON, Nebraska
                    BRIAN FITZPATRICK, Pennsylvania
                         ROGER MARSHALL, Kansas
                      RALPH NORMAN, South Carolina
               NYDIA VELAZQUEZ, New York, Ranking Member
                       DWIGHT EVANS, Pennsylvania
                       STEPHANIE MURPHY, Florida
                        AL LAWSON, JR., Florida
                         YVETTE CLARK, New York
                          JUDY CHU, California
                       ALMA ADAMS, North Carolina
                      ADRIANO ESPAILLAT, New York
                        BRAD SCHNEIDER, Illinois
                                 VACANT

               Kevin Fitzpatrick, Majority Staff Director
      Jan Oliver, Majority Deputy Staff Director and Chief Counsel
                     Adam Minehardt, Staff Director

                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Steve Chabot
Hon.
Nydia Velazquez

                               WITNESSES

Mr. Rob Arnold, Founder & Chief Executive Officer, Threat Sketch, LLC, Winston-Salem, NC
Ms. Ola Sage, Chief Executive Officer, e-Management, Silver Spring, MD
Mr. Morgan Reed, President, ACT/The App Association, Washington, DC
Mr. Thomas Gann, Chief Public Policy Officer, McAfee, LLC, Reston, VA

                                APPENDIX

Prepared Statements:
    Mr. Rob Arnold, Founder & Chief Executive Officer, Threat Sketch, LLC, Winston-Salem, NC
    Ms. Ola Sage, Chief Executive Officer, e-Management, Silver Spring, MD
    Mr. Morgan Reed, President, ACT/The App Association, Washington, DC
    Mr. Thomas Gann, Chief Public Policy Officer, McAfee, LLC, Reston, VA
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    None.


                     FEDERAL GOVERNMENT AND SMALL
                     BUSINESSES: PROMOTING GREATER
             INFORMATION SHARING FOR STRONGER CYBERSECURITY

                              ----------

                      WEDNESDAY, NOVEMBER 15, 2017

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 2360, Rayburn House Office Building. Hon.
Steve Chabot [chairman of the Committee] presiding.
    Present: Representatives Chabot, Brat, Radewagen, Kelly, Blum, Marshall, Velazquez, Evans, Murphy, Lawson, Adams, Espaillat, and Schneider.
    Chairman CHABOT. The Committee will come to order.
    I want to thank everyone for being here this morning.
    This Committee has made cybersecurity a top priority in recent years and with good reason. It has become one of the most serious challenges for small businesses and major corporations and the Federal Government itself. We have heard from cybersecurity experts, government officials and small business owners on numerous occasions and the message is clear: cyber threats remain a top concern for America's small business community.
    Advances in information technology, IT, have helped small businesses rapidly increase their productivity, enter new markets that were once out of reach, and offer consumers new and innovative services and products. However, IT has advanced so quickly that it has been difficult to keep pace with the ever-growing cyber threats. Cybercriminals and foreign bad actors have more opportunities than ever to steal intellectual property, consumer data, and hold small business IT systems hostage for financial gain.
    In 2016 alone, the United States Department of Justice recorded nearly 300,000 cybersecurity complaints. Our Committee's examinations of these increasing concerns have revealed that federal agencies are making a serious effort to better coordinate and distribute cybersecurity resources directly to small businesses. However, there are still challenges to ensuring that small businesses are as protected as possible from cyber attacks. One of the major hurdles continues to be the lack of information sharing between public and private sectors.
Information sharing is a fundamental component for a strong and effective cybersecurity defense, not just for small businesses, but for America's network as a whole. The federal government must make every effort possible to ensure that small businesses have both the resources and the confidence they need to actively engage with the federal agencies tasked with protecting our critical infrastructure.
    Today, we will hear from several members of the small business community about what steps we can take to encourage greater information sharing. We will examine how Federal agencies can provide assistance and resources more quickly to small businesses suffering from a cyber attack.
    Earlier this year we learned that the federal government has become increasingly active in protecting our nation's critical infrastructure and IT systems, and has gone to great lengths to develop an overall framework for cybersecurity protocols to incentivize information-sharing practices with businesses. However, it has also become abundantly clear that the development of this framework is not enough. Last Congress, the President signed into law legislation aimed at increasing information-sharing practices through the Cybersecurity of Information Sharing Act, CISA. This legislation provided some important liability protections to small businesses to give them trust and confidence in their federal partners.
    Yet many businesses continue to be slow to adopt these practices. That is why this Committee has been working on legislation to provide small businesses with greater assistance in their cybersecurity needs. In July, my colleague Representative Dwight Evans and I introduced H.R. 3170, the Small Business Development Center Cyber Training Act of 2017, perhaps the longest name for a bill in congressional history.
This bill will direct SBDCs to establish a program for certifying some of their employees to provide cybersecurity planning assistance to small businesses. It is my hope that through this program we will be able to encourage even more small businesses to start partaking in information-sharing activities and create a comprehensive cybersecurity defense for all Americans.
    I would now like to yield to the Ranking Member for the purpose of her making her opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    The frequent recurrence of cyber attacks reminds us just how fundamental it is for individuals, businesses, and governments to guard against unwanted foreign interception. From hackers orchestrating the Equifax breach to Russia's attack on our democratic institutions, cybersecurity merits our attention more than ever before. The truth is, online commerce has facilitated business opportunities and growth for mom-and-pop shops across America, but few small businesses make investments in security solutions to protect the data they hold. Many entrepreneurs do not even view themselves as targets. Criminals, on the other hand, view them as particularly attractive. The combination of customer data and the lax implementation of cybersecurity make them much more appealing to cybercriminals.
    While it is widely known that cyber attacks often result in personal and business losses, small firms often do not recognize their exposure until it is too late. Given that small firms make up over 99 percent of businesses, the small business community plays a critical role in ensuring the nation's internet infrastructure is secure.
And preventing the harsh financial consequences that cyber intrusions have is critical for their survival because criminals will continuously seek to profit by stealing data from both their government and the private sector.
    Cyber incidents are not diminishing in the near future. That is why we all must take the appropriate steps to strengthen cybersecurity.
    For nearly two decades, the federal government has actively created a policy framework that seeks to prevent cyber attacks by incentivizing data sharing and collaboration between federal and private actors. Doing so is just one step to enhance readiness against external threats. Encouraging businesses to share information regarding cyber intrusions could help federal agencies design solutions before problems occur. If the private sector and the government collaborate to identify vulnerabilities, both small businesses and the government will be better prepared.
    Mr. Chairman, over the last year we have seen cybercriminals prey on one of the largest credit rating agencies. We have witnessed hackers publicly releasing tools stolen from the National Security Agency, and most disturbing, as we all know, our democratic institutions were remarkably vulnerable to Russia's cyber meddling, potentially impacting the outcome of our elections. This event makes clear cybersecurity issues will become more prominent every day in all aspects of our society.
    In that regard, I look forward to learning how we can better maximize the flow of information between small businesses and the federal government to help improve the resiliency of our cyber infrastructure.
    Thank you all for being here today and offering your insights.
    I yield back, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentlelady yields back.
And if Committee members have opening statements prepared we ask that they be submitted for the record.
    And I would now like to take just a moment to explain our lighting system and rules. You get 5 minutes basically. The green light will be on for 4 minutes. The yellow light will come on to let you know you have a minute to wrap up, and then the red light will come on and let you know you are supposed to stop. We will give you a little bit of leeway there, but do not take advantage of it.
    And I would now like to introduce our very distinguished panel here this morning. Our first witness is Rob Arnold. Mr. Arnold has worked in internet security for over 20 years and is the Founder and Chief Executive Officer of Threat Sketch, LLC. Threat Sketch provides risk management tools and education to small businesses to help them prevent cyber attacks. We appreciate you being here with us today.
    Our second witness is Ms. Ola Sage. Ms. Sage is the CEO of e-Management in Silver Spring, Maryland, where she oversees e-Management's information technology and cybersecurity services. In addition to her role as CEO, Ms. Sage chairs the Executive Committee of the National IT Sector Coordinating Council and serves on the board of the George Mason University Women in Business Initiative. And we welcome you here as well this morning.
    Our third witness will be Mr. Morgan Reed. Mr. Reed serves as the President of ACT/The App Association. The App Association represents more than 5,000 app companies and information technology firms in the mobile economy. Mr. Reed has previously appeared before the Small Business Committee last year, and we welcome him back here today.
    And I would now like to yield to the Ranking Member for the introduction of our fourth witness.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    It is my pleasure to introduce Mr.
Tom Gann, the chief public policy officer for McAfee, a computer security software company. Mr. Gann has over 20 years of experience in the technology industry, 12 of which have been focused on cybersecurity issues. Mr. Gann holds a bachelor's degree from Stanford University in political science and a master's degree from the London Business School. Welcome and thank you for being here today.
    Chairman CHABOT. Thank you very much.
    Mr. Arnold, you are recognized for 5 minutes.

  STATEMENTS OF ROB ARNOLD, FOUNDER & CHIEF EXECUTIVE OFFICER,
 THREAT SKETCH, LLC; OLA SAGE, CHIEF EXECUTIVE OFFICER, E-MANAGEMENT;
   MORGAN REED, PRESIDENT, ACT/THE APP ASSOCIATION; THOMAS GANN,
              CHIEF PUBLIC POLICY OFFICER, MCAFEE, LLC

                    STATEMENT OF ROB ARNOLD

    Mr. ARNOLD. I would like to thank the chair, ranking member, and the entire Committee for the opportunity to testify today. It is truly an honor.
    My company, Threat Sketch, makes extensive use of shared information to educate small businesses and guide their investments in cybersecurity. We are a small business ourselves, thus I truly understand the needs and challenges around sharing cybersecurity information.
    The most fundamental problem in accessing data right now is fragmentation. The DHS, FBI, NIST, and the NSA are just a few of the agencies collecting cyber information. Each has multiple repositories and programs. Some are well advertised, while some are part of work groups and not widely available. Others are hidden by classification. Simply having a list of all the data-sharing initiatives available would help us tremendously.
    Another problem with sharing information is the overuse of classification. There is a myriad of rules governing the declassification of information, but declaring valuable information as secret is almost effortless.
It takes no more than two words uttered with a grave tone to play keep away with vital information. "That is classified," and just like that, our cyber equivalence of neighborhood crime statistics and sex offender registries are taken away in the name of national security. While secrets definitely have their place, we have a right to know what is going on around us, and every data point that gets classified degrades our ability to make good decisions.
    But there is a more pressing issue which I need to draw your attention to, and it is the byproduct of two distinct disadvantages that small businesses face.
    First, as these larger companies armor up, attackers are turning to less protected small businesses.
    Number two, small businesses cannot afford to compete with big companies for the cybersecurity talent and solutions they need to protect themselves. These are circular issues with one begetting the other. In their wake, the demand for affordable solutions will rise dramatically, creating yet another threat. Small businesses, desperate to meet the cybersecurity demands of larger clients, government regulations, insurance carriers, and lending institutions, are going to become victims once again. Adversaries will use this opportunity to sell cheap software and services that are subsidized by selling data and secrets out the backdoor, while giving them a toehold into the supply chain of larger organizations.
    My written testimony offers one possible solution, which is to deputize small businesses that commit to providing services that are all-American in origin. In addition to tapping our SBDCs, I believe the government has two resources that can help in the collection and dissemination of cybersecurity information. Our Bureau of Labor Statistics is very good at aggregating, summarizing, and making data available in easy to digest forms.
Meanwhile, the IRS is the one agency to which every small business owner is happy to report some losses.
    In summary, small businesses need local solutions that can tap into a national network of trusted solution providers. The SBDCs have proven effective in helping small businesses navigate a myriad of State, Federal, and local resources, and with training, I think they can rise to this challenge as well.
    Thank you for allowing me to testify before you today. I look forward to answering your questions after we hear from my fellow witnesses.
    Chairman CHABOT. Thank you very much.
    And Ms. Sage, am I pronouncing it correctly?
    Ms. SAGE. You are, Chairman. Thank you.
    Chairman CHABOT. Okay. Very good. You are recognized for 5 minutes. Thank you.

                     STATEMENT OF OLA SAGE

    Ms. SAGE. Good morning, Chairman Chabot, Ranking Member Velazquez, and the distinguished members of the Committee. Thank you for the opportunity to testify today as a small business CEO.
    In the last 12 months, 61 percent of small businesses have reported that their companies have experienced a cyber attack, and a stunning 71 percent of small businesses are not prepared to address cybersecurity threats to their organizations. Solving this problem requires greater information-sharing between the Federal Government and the small business community to help our companies better identify threats, protect our infrastructure, detect anomalies, respond to and recover from significant cyber events.
    The Cybersecurity Information Sharing Act, which I will refer to as CISA, can help, but small businesses do not know about it. While significant progress has been made in implementing the law in general, several challenges still persist for small businesses.
    First, small businesses are still unaware of CISA or how it helps them.
The government has the opportunity to increase the visibility of the law through its existing outreach and awareness programs to the small business community and to highlight the law's protections, particularly in the area of liability protections. Small businesses are still confused by the myriad of information-sharing initiatives. A small business guide for cybersecurity information sharing would be a useful tool to help companies better understand the value these various public and private information-sharing options provide.
    Third, cybersecurity information can be costly. While data provided by the government may be free, many small businesses do not have adequate resources to make the best use of this data. For some, signing up with a commercial information-sharing organization may be the best option. However, many of the options available today cost thousands of dollars per year putting them out of reach for many.
    Let me now turn to some ideas for incentives that Congress might consider to encourage greater information sharing and cyber threat reporting between small businesses and the Federal Government.
    First, expand CISA to add additional protections for small businesses. CISA does not currently shield companies from potential liability in the event of a data breach or cyber attack. Congress might consider providing a positive incentive by extending liability protection up to a maximum threshold to small businesses that exhibit a measurable commitment to voluntary information sharing. This could be through demonstrated use of the NIST cybersecurity framework, voluntary participation in one or more public or private information-sharing forums, and maintaining active cybersecurity insurance.
    Second, introduce tax incentives.
Congress might consider introducing incentives that could include deductions and credits for cybersecurity and information-sharing related capital investments and personnel among others.
    Third, include participation in a public or private information-sharing program as a selection criterion for government procurements. The government has and continues to use preferential consideration in the procurement process to promote or influence desired behavior. These include considerations for minority groups, quality and process improvement standards, and research priorities. The GSA Alliant Small Business Governmentwide Acquisition Contract provides one example for quality standards.
    Four, recognize small businesses that commit to cybersecurity information sharing. Voluntary programs, such as Energy Star, which is a joint program of the Environmental Protection Agency and the Department of Energy, can serve as a blueprint to design a public recognition program for small businesses participating in voluntary information-sharing programs.
    Lastly, simplify the entry point for cyber threat reporting for small businesses. Most small businesses either do not know who to call or are overwhelmed by the choices and, therefore, will not bother reporting. Last year, the Critical Infrastructure Partnership Advisory Council, CIPAC, formed a working group with the DHS Office of Infrastructure Protection to investigate how to get a national tip line started that would serve as a single point of contact for reporting emergency cybersecurity information.
Using this example, one could envision a scenario where a small business calls a national emergency response number, and based on information provided, is immediately connected to the appropriate resource or resources.
    In conclusion, CISA is still early in its life cycle, but I believe holds tremendous promise for the small business community as more companies become aware of the law and how it can help them. Thank you again for the opportunity to testify and I look forward to your questions.
    Chairman CHABOT. Thank you very much.
    Mr. Reed, you are recognized for 5 minutes.

                    STATEMENT OF MORGAN REED

    Mr. REED. Chairman Chabot, Ranking Member Velazquez, and distinguished members of the Committee, my name is Morgan Reed, and I am the president of ACT/The App Association. I thank you for holding this important hearing.
    I represent more than 5,000 companies who make the apps you love in the devices you depend on. We are the driving force behind a nearly $150 billion industry and we continue to grow and create American jobs in every congressional district. And our members are building the tools that underpin this jump from the desktop world to our new world of mobile plus cloud. But for small businesses trying to create new products and sales opportunities, cybersecurity threats seem incomprehensibly vast and inevitable. In 2014, 71 percent of companies admitted they fell victim to a cyber attack. Moreover, the amount of data online is expected to increase fiftyfold by 2020, adding new attack vectors and, frankly, sweetening the pot for potential cybercriminals. And we have not even mentioned the new world of IoT and self-driving everything that is right around the corner.
    At The App Association, we sit at the crossroads of this topic.
We have dozens of members who are key players in cybersecurity, like PhishLabs, Alchemy Studios, and Citara, and on the frontlines of anti-phishing, anti-botnet, and DDoS attacks. But we also have members who build all the amazing apps you use every day, that you rely on to do your banking, to monitor your child's homework, buy a house, and communicate with your doctor. With a foot firmly in both sides of the industry, we know policymakers must remain mindful of the fact that large companies have budgets and staff available. For our members, chief security officer may be just one of five hats that they wear.
    Small- and medium-size tech companies, like our members, exist to solve problems. Take Canned Spinach, for example. It is a company in your district, Mr. Chabot. Canned Spinach, led by Andrew Savitz, built a product called Speak Easy. It allows for people inside of a company to distribute coupons and secret deals that their family members might want. The problem he ran into is based on phishing attacks and other cybersecurity attacks. Users were unsure where they were getting this from, who provided it, and so he had to essentially design the product from the ground up to deal with the cybersecurity threats so that people could get good deals from their friends inside of companies. And our clicks-and-mortar businesses have this problem as well. For Chairman Velazquez, she knows Etsy quite well, headquartered in her district. They have requirements for strong data security methods to handle the consumer data on their platform.
    And I should point out that Mr. Brat and Mr. Schneider, you both have health companies in your district that deal with thousands of patient records. For you, Mr. Kelly, there is a company in your district that does home restorations. They go into a house, take pictures of the damage. But think about what they now know about that person. They know their address.
They have photos of their valuables, and it is all stored on their cloud service. It is a great product, but what do they do about cybersecurity?
    And so when you think of it from their perspective, of problem-solving, and then thinking about it on how do they enter the space, you can see how government information sharing is really not meeting the challenge that we have today.
    The first thing that we do in private sector is we rely on our private sector platform partners. We use products like Microsoft cloud services and Azure for cloud, Apple Health Kit for health, the latest Intel Sawtooth chip for making blockchain more practical and efficient. But that symbiotic relationship only takes us so far. We need Congress to do some major changes to how we do info sharing.
    First, we need to improve the sharing activities. The Federal Government should make the cybersecurity threat information it shares timely, more accessible, and, frankly, more useful to SMEs. When a business is hit with a cyber attack, with whom do they share it? Do they call the attack while the attack is occurring as opposed to after the fact? Do they call somebody at Endkick? Do they even know what Endkick is? Somebody at their local fusion center or their ISAC? And where are these entities located and how do companies share the information with them?
    Second, the Federal Government should take steps to make cybersecurity frameworks and best practices more workable for SMEs. Helping SMEs to improve their understanding, whether it is through Lunch and Learns at SBDCs or other activities, we need to see developed, widely published, targeted, and user-friendly best practices and guidance built on the NIST framework.
    And third, the Federal Government needs to ensure a legal and policy environment that enhances SMEs' ability to manage the dynamic cybersecurity risks, and this part falls squarely on Congress.
Congress must take steps to provide legal and policy certainty that SMEs can rely on. Specifically, Congress should pass the International Communications Privacy Act, known as ICPA--for this year's Congress it is H.R. 3718--to clarify SMEs' legal liability and data requests especially with data abroad, and they need to maintain this legal environment to help support our investment in cybersecurity.
    And I would like to take a moment to thank Chairman Chabot and Ranking Member Velazquez for cosponsorship of this legislation in the last Congress, and I ask all of you to join with them in support for it in the 115th.
    Thank you very much, and I look forward to an engaging conversation on this topic.
    Chairman CHABOT. Thank you very much. That was very interesting.
    Mr. Gann, you are recognized for 5 minutes.

                    STATEMENT OF THOMAS GANN

    Mr. GANN. Good morning. Thanks for the opportunity to testify today. I am Tom Gann, the chief public policy officer from McAfee. McAfee is one of the largest cybersecurity companies in the world. Indeed, we take great pride in protecting consumers and businesses and organizations of all sizes.
    As the Committee has ably pointed out in the past, small businesses face many of the same cybersecurity risks as large ones. Some cyber attack methods, such as malware and those that begin with spear phishing are particularly well suited for small businesses who might be an easy target because of their lack of cybersecurity resources. Small businesses store information, implement operational requirements, and own valuable intellectual property just as large enterprises do, so they need to have strong cybersecurity protections.
    Investing in more than just very basic cybersecurity tools requires time, money, and other resources, like an IT staff, that too often small businesses just do not have.
We have to acknowledge the fact that for most small businesses, cybersecurity is an expense that they do not want to incur when they are simply trying to make payroll and be profitable.
    So what is the solution? Should small businesses participate in DHS's cyber threat information-sharing program that was mandated by CISA? This is a question worth exploring. In talking with our customers, it is clear that many small businesses are unaware of CISA. They often do not understand how the law can help them and they are confused by the many information-sharing initiatives that are out there. However, I do believe that we should consider how information-sharing efforts, such as those mandated by CISA, can benefit businesses of all sizes.
    The DHS initiative, known as the Automated Indicator Sharing Program is open to small businesses, but many small businesses do not have the resources or an educated IT staff to make use of it or benefit from it. Any information-sharing capabilities require time, money, and people that small businesses sometimes are stretched to staff.
    This does not mean that small businesses do not need or cannot benefit from cyber threat intelligence. They certainly can, but perhaps we would focus our discussion more on information sharing of a different kind, information that is informative and educational right off the bat.
    According to the Better Business Bureau, when asked to judge 10 cyber statements as to being true or false, the average small business owner's score was around 60 percent. This means that for many small business owners there is really a lack of understanding of the cyber challenge at all. The Federal Government should help develop and fund the standup of a nonprofit information sharing and analysis organization for small businesses.
Such an entity could provide education such \nas basic cyber hygiene and more advanced topics, like \nincorporating the NIST cybersecurity framework into members' \nprograms. It could share best practices, lessons learned, \ntemplates, and processes for addressing threats and assist in \nunderstanding problems. Additionally, this organization could \nserve as a hub in the event of a breach and the first point of \ncontact in determining whether or not to reach out to law \nenforcement. It could assist the business in addressing the \nincident and communicate the situation to other members.\n    Further, we recommend outsourcing IT to a cloud provider \nthat would be responsible for security. That is a real \nadvantage for small businesses. The cloud provider would \nbenefit from an ever-growing network effect of more and more \nthreat data, improving the very cybersecurity capabilities and \nprotections they deliver to their customers' small businesses.\n    Both infrastructure as a service and security as a service \ncan be economical ways to provide efficiencies and security so \nthat small businesses really can benefit from an ecosystem of \ninformation sharing that is bidirectional with the government \nand the private sector.\n    Small business owners, however, cannot contract all of \ntheir security obligations out, particularly in the area of \nstrong blocking and tackling, making sure that passwords are \nupdated and information is backed up on a regular basis. Small \nbusinesses would also benefit from more cyber insurance. The \ngovernment could act as a reinsurer for the cybersecurity \nmarket that really in many cases is in early stages. Indeed, \nthe idea of providing tax benefits and credits to small \nbusinesses so they can purchase cyber insurance is a very good \nidea and would help pump prime what is today still an emerging \nmarket.\n    Finally, the government should devote additional resources \nto fighting cybercrime. 
Too often it is our small businesses \nthat are impacted by ransomware attacks, and small businesses \nneed all the help they can get. Investing in additional \nFederal, State, and local crime-fighting capabilities to help \ntake down the bad guys to protect our small businesses, well, \nthose are good investments that should be made.\n    In conclusion, I would like to thank you for inviting us to \ntestify. It is very kind. We take very seriously our small \nbusiness customers, and I welcome the opportunity to answer any \nquestions you may have.\n    Chairman CHABOT. Thank you very much. I would like to thank \nall the witnesses for their really excellent testimony here.\n    And Mr. Arnold, I will begin with you. I recognize myself \nfor 5 minutes.\n    You noted that the large number of data-sharing initiatives \noffered by the federal government in nongovernmental \npartnerships can be pretty overwhelming for a small business. \nDo you believe it would be beneficial if there was a single \nportal for small businesses to engage federal agencies to begin \nthe information-sharing process? And if so, could you identify \nany particular agency or entity that would be best suited for \nthat task, specifically for handling requests from small \nbusinesses?\n    Mr. ARNOLD. Sure. So I do think at a base level we need \njust a simple directory. What information is out there and for \neach of these? What kind of information is being consumed by \nthat sharing initiative? What kind are they making available \nand what are the membership requirements? And I think that the \nSBDCs actually are well positioned for that because they \nalready do this with so many other government programs and \ninitiatives. They seem like a logical fit.\n    Chairman CHABOT. Okay. Thank you very much.\n    Ms. Sage, I will turn to you next. 
In your testimony, you \nmentioned that one reason small businesses are reluctant to \nshare cybersecurity information is the perception that shared \ninformation gets lost or goes into a black hole causing \ncompanies to worry about the security or uses of their data. \nCan you please elaborate on that concern, and do you have any \nsuggestions for how information-sharing portals could be more \ntransparent in their receipt and use of shared data?\n    Ms. SAGE. Thank you, Chairman, for that question.\n    I think that is the reality for a lot of small businesses. \nIt is sometimes referred to as the Black Hole. You know, \ninformation is sent in and not exactly sure what happens to it. \nAnd it certainly has not helped with some of the recent \ncompromises that have occurred where information has been \nbreached and released. So I think that on the other hand, there \nhave been efforts to really try and address that concern.\n    I was presenting that comment in the context of cyber \ninformation sharing so that if there are general concerns about \ninformation sharing, regardless of whether it is cyber or not, \nmy goal was to really highlight the fact that cyber just adds \nanother element of concern because that is even more \npotentially damaging to an organization. And I think that some \nof these protections that I mention in my recommendations can \nhelp with that. If companies feel like there are protections \nfor them if their information is breached, and they are the \nvictim of this situation, they are not necessarily responsible \nfor also addressing it.\n    Chairman CHABOT. Thank you very much.\n    Mr. Reed, can you provide any example of how small business \ndata or shared information practices might invite unwanted \nregulations for small businesses, particularly in the tech \nindustry? What steps can we, policymakers, take to ensure that \nsmall businesses' personal information and IT data is protected \nfrom regulatory action?\n    Mr. REED. 
Well, I think one of the key elements to start \nwith for this Committee and for Congress in general is our \ncatchphrase at ACT, which is nobody wants technology at the \nspeed of government. And so when you think about where we stand \non the regulatory framework, I think you start off on the right \nfoot and ask the question of if we increase the methodologies \nand reporting requirements and the pathways forward for \ncompanies and how they have to engage, then we know what will \nhappen. Either we will not innovate new products at all or the \nproducts you see on the shelf will be incredibly limited, or \nworse, really expensive.\n    And really quickly, to go to an example that Ms. Sage hit, \nwe took a staff down to South Carolina and we met with a \ncompany, PhishLabs. And PhishLabs is one of the leading anti-\nspear phishing companies out there. And I worry about this talk \nabout regulatory bodies and new agencies. The CEO of PhishLabs, \nin this room full of staff, including DHS, said, by the way, \nguys, I want to show you something. Clicked over to US-CERT. So \nthe Anti-Phishing Working Group has this email where you send \ndata if you have a phishing attack. I am a leading phishing \nexpert. I have no idea how to get that data. I have spent \nmonths in contact with DHS. They will not provide it. I do not \nknow what is going on, and yet here is this government agency \ncollecting data on phishing. And to Mr. Arnold's point, how is \nthat not something that gets in?\n    So to your question, Mr. Chabot, I think we see that there \nis often a gap between the regulatory intention of Congress and \nhow it gets played out. And, therefore, I would look to caution \nadditional regulations that could harm small business.\n    Chairman CHABOT. Thank you very much. And unfortunately, \nMr. Gann, I ran out of time before I got to you. 
I had a pretty \ngood question, but my time is expired.\n    And I will now recognize the gentleman from Illinois, the \nRanking Member of Subcommittee on Agriculture, Energy, and \nTrade, Mr. Schneider.\n    Mr. SCHNEIDER. Thank you, Chairman Chabot. And again, thank \nyou to the witnesses for joining us today and sharing your \ninsights.\n    Cybersecurity for a small business, it is not a one-time \ntransaction. It is not a decision you make at a point. It is \nnot an action you take just once like rent or buy. It is not an \ninvestment you make one time. It is a business constant, no \ndifferent than sales, marketing, or finance. And to be \neffective, I think it has to start with, as you guys have \ntouched on, it starts with design. It includes implementation. \nIt requires ongoing vigilance. And then if something happens \nyou have event management and ultimately recovery and a \nresponse and recovery. For a small business, just the thought \nof that can be overwhelming. A small business, oftentimes the \nfounder is going to be the chief marketing officer, the chief \nfinance officer, and the chief bottle washer. That is the \nproblem. Those small businesses are going to look to outside \nresources.\n    So my question for the panel is, as many small businesses \nlook at the need for cybersecurity understand it, but that the \ninvestment and ongoing maintenance of that is somewhat \noverwhelming, what resources are available for them? What role, \nMr. Gann, does insurance play? I know it has changed since the \nlast time we were here. And how do we make sure that we go from \nnot just information sharing, which is important, to helping \nthese businesses have solutions?\n    Mr. GANN. Well, a couple big recommendations I think can \nmake a difference. The first one is for most small businesses, \ntheir priority first and foremost is to make payroll, grow the \nbusiness, and hopefully become an even larger, more successful \nbusiness over time. 
Toward that end, we recommend outsourcing \nto IT data centers, cloud providers. By doing that it can be \ncheaper, better, faster. Those large institutions can help with \nsecurity.\n    That said, small business owners are still responsible for \ntheir endpoints. And so getting basic education in place, \nputting in place basic blocking and tackling of passwords, \nreally important. Those things can add a lot of value rapidly.\n    The last point I would make--I did not include it in my \ntestimony, but it is vitally important for all IT organizations \nthat are developing new products to bake security and privacy \ninto their products in the first instance. By doing that first \noff it can reduce the burden on all businesses and really bring \nforward the benefits of a much easier look and feel to \ntechnology that is secure such that small businesses and all \nbusinesses can focus on what they really need to do, and that \nis growing their businesses and satisfying the needs of their \ncustomers.\n    Mr. SCHNEIDER. Mr. Reed?\n    Mr. REED. I think one of the key elements that we learned \nis that we have to divide it between small businesses that are \ninvolved in solving cybersecurity problems and small \nbusinesses, who, as Mr. Gann pointed out, are busy moving a \ndifferent product. And I think that platforms play a critical \nrole, but I also think given this Committee's jurisdiction, \nthere is more that can be done out of SBA and SBDCs to provide \na Lunch and Learn opportunity.\n    The number one thing in having started some businesses \nmyself that you run into is that feeling of alone. I do not \nknow what to do. I am not sure who to turn to. And frankly, as \nyou point out, when these things happen you are underwater, so \nyou need to have a friendship circle, so to speak, a circle of \ntrust that you can go to. 
And I think SBDCs can provide some of \nthat because I think at a certain point the main thing a small \nbusiness needs from an incident report, and as you say, baking \nit in early, is to know who to call, how to react, and how to \nclean up. And so I think there is more that can be done.\n    Mr. SCHNEIDER. Ms. Sage?\n    Ms. SAGE. Thank you, Mr. Schneider. I actually agree with \nMr. Reed on the point of the different categories of small \nbusinesses because a lot of it depends on what kind of business \nyou are.\n    I would just say, I think incentives are great motivators \nfor small businesses. Fundamentally, what we care about is can \nwe get a new customer? Can we keep our existing customers? And \ncan we stay in business? And so whether it is cybersecurity or \npotential lawsuits or sales and marketing, anything that is not \ngoing to help us advance one of those three objectives is \nsomething that we are less likely to do.\n    And so to the extent that Congress can provide incentives \nfor us to want to do better in the area of cybersecurity, I \nthink that would help.\n    Mr. SCHNEIDER. Mr. Arnold?\n    Mr. ARNOLD. I think one of the best things that the \ngovernment can do is simply be as transparent as possible with \ninformation, allow it to come down to us, and give the small \nbusiness community an opportunity to wrought solutions for \nthemselves from that raw data. This is a role that both myself and \nOlga Sage play in this, is taking that data and making it \naccessible.\n    Mr. SCHNEIDER. Great. Thank you. My time is expired. I \nyield back.\n    Chairman CHABOT. Thank you very much. The gentleman's time \nhas expired.\n    The gentlelady from American Samoa, Mrs. Radewagen, who is \nChairwoman of the Subcommittee on Health and Technology, is \nrecognized for 5 minutes.\n    Mrs. RADEWAGEN. Talofa. Good morning. I want to thank you, \nMr. Chairman, for holding this important hearing today, and I \nwant to thank you all for testifying. 
All of you can answer my \ntwo brief questions.\n    Do you believe the government's responsibilities and small \nbusiness owners' responsibilities in protecting businesses are \nbalanced?\n    And as a follow up, what educational outreach efforts \nshould the Federal Government be making to inform small \nbusiness owners about cybersecurity information-sharing \npractices?\n    Mr. Arnold?\n    Mr. ARNOLD. Yes. So, I think the question of balance, it is \nvery hard to balance the desire to keep information secret in \nthe name of national security, yet also make it available to \nthe people that need it. And I would encourage the government \nto err on the side of making it available. Unfortunately, \nsecurity by obscurity does not work and I think the best policy \nthe government can take is one of transparency.\n    And then with regard to education, I think we need to \nbroaden the topic of cybersecurity to include legal, insurance, \nand even marketing, because there is a need to reestablish a \ntarnished image after an attack.\n    And I will yield to the other witnesses.\n    Mrs. RADEWAGEN. Ms. Sage?\n    Ms. SAGE. Thank you, Mrs. Radewagen.\n    On the question of balance, I think that is something that \nwe are constantly trying to, for lack of a better word, \nbalance. I think to Mr. Arnold's point in the whole area of \nclassification, one of the things we see is that information \nmay be classified when it comes to sources and methods, but the \nactual issues or concerns are not necessarily classified. The \nchallenge is that perhaps with all of the information overload \nthat we all have, sometimes it is not apparent which of these \nunclassified areas or topics or issues really need to be paid \nthe most attention to. 
So I think that is an opportunity for \nour government partners as they are putting out this \ninformation, even in an unclassified format, to be able to \nprovide some level, I do not know if it is a ranking or scoring \nor some level of identification to help companies understand \nwhile everything is bad, you know, but here are the things that \nwe want you to pay particular attention to.\n    When it comes to education awareness, I actually think that \nseveral agencies are really doing their best to really get the \nword out there. It is a big issue. It is a big topic. So \nwhether it is SBA or DHS with their CQ program, NIST, Federal \nTrade Commission has some really good products, I think this is \ngoing to be a whole-of-government effort. I do not necessarily \nthink that just one agency will be able to address all of the \neducational awareness needs.\n    Mrs. RADEWAGEN. Mr. Reed?\n    Mr. REED. I want to agree with Mr. Arnold and Ms. Sage \nabout the issues about classification. And let me put a fine \npoint on it. You ask about balance. If an agent decides to \nclassify something, what happens to him if he is wrong? \nNothing. If a small business does not have that information, \nthey go out of business, and worse, their consumers and their \ncustomers, and frankly, your constituents, are harmed. And so \nwhen you ask the question about balance, I think that we do not \nhave a good balance on it because ultimately, the small \nbusiness goes away and people are harmed and the government's \nimpact of making the more cautionary decision is nothing. So I \nthink we have to remember what the impact of not sharing \nequals.\n    On the education side, I would say that it is important to \nnot undervalue the platforms. Most of us are looking to build \nsome cool, interesting product on top of other technologies. 
\nAnd whether it is a cloud provider or another security company \nor anyone else in the space, look at ways that you can do \npublic-private partnership with platforms to push that \neducation to their customers. And if it is meaningful for them \nin an economic sense, it will be meaningful for us as small \nbusinesses.\n    Mrs. RADEWAGEN. Mr. Gann?\n    Mr. GANN. So on the question of balance in the area of \ninformation sharing, the big thing that one needs to remember \nis that small businesses are part of a much larger information-\nsharing ecosystem, whether they are interacting with a cloud \nprovider, whether they are interacting with an endpoint \nsecurity provider, making sure the government is doing a very \ngood job of managing equities in terms of what data to release, \nwhat data not to release in the cyber domain is absolutely \ncritical to the health of that entire ecosystem. We always \nencourage the government to be prudent in what it classifies. \nIf you are at the NSA or one of those organizations, you may be \nseeing 3 or 5 percent of the threats that are truly----\n    Mrs. RADEWAGEN. I am out of time, Mr. Gann.\n    Mr. GANN. Oh, sorry. That are truly driven from sources and \nmethods. Those need to be held back. The other types of data \nthat are more mundane should be shared.\n    Chairman CHABOT. Thank you very much.\n    Mrs. RADEWAGEN. Thank you, Mr. Chairman.\n    Chairman CHABOT. Thank you. The gentlelady's time has \nexpired.\n    The gentleman from Florida, Mr. Lawson, the Ranking Member \nof the Subcommittee on Health and Technology, is recognized for \n5 minutes.\n    Mr. LAWSON. Thank you, Mr. Chairman. And welcome to the \nCommittee.\n    This discussion underscores the dilemma that small firms \nhave in protecting their companies' and their clients' data, \nwhile also sharing information not only with each other, but \nwith the Federal Government. 
And I want you to know I am from \nthe government and I am here to help you.\n    Can the panel please explain what a good balance looks like \nfor companies to have adequate protection while also working \ncooperatively with various agencies and authorities to share \ndata?\n    Mr. ARNOLD. Thank you for the question.\n    So how do you achieve this balance? I think that, again, \nerring on the side of transparency first, one of the things I \nsuggested in my written testimony is that maybe we let the \nfrontline responders classify everything initially, but then \nhave some central clearinghouse like DHS that can go through \nwith the specific objective of declassifying everything to the \npoint where it gets good information out without undermining \nthe needs of the Nation state security.\n    Mr. LAWSON. Anyone else care to respond?\n    Ms. SAGE. Thank you, Mr. Lawson.\n    Actually, in my testimony I really kind of focused on the \narea of liability protection and explicitly asked for your \nconsideration of expanding that liability protection to small \nbusinesses in the event of a data breach or attack, because I \nthink part of the concern, and it kind of speaks to part of my \nearlier written testimony, where I talked about some of the \nconcerns small businesses have with providing information, \nparticularly negative information to the government, that in \nsome way it can either be lost or misused, et cetera.\n    And so I think that that combination of the worry of \nproviding information that may someday come back to haunt you, \nand God forbid you actually have an event, I think that would \nhelp small businesses to feel more comfortable sharing.\n    Now, in my written testimony I do not say, well, just give \nus liability protection. I do say that there has to be some \nmeasurable commitment by these small businesses to cyber \nhygiene and cyber readiness. 
And so I think it is a formula of \nboth requiring or asking or incentivizing small businesses to \nshare information, but also providing protections in the event \nthat there is a breach.\n    Mr. REED. I think most of everything has been covered, but \nin thinking about it, I think part of it is also how do people \nassemble what they view as valuable information? In your \ndistrict there is a company that is called Tech for Vets that \nworks with a lot of veterans' information. As you can imagine, \nthey do great work for the veterans community, but that also \nmeans they have access to an enormous amount of very sensitive \ndata. And so when considering what that balance looks like and \nhow do we engage, we agree with Ms. Sage that I think liability \nprotection is absolutely essential, but it also, it reflects \nthe fact that when you have that data and it is breached, your \nreaction is going to be, oh, my goodness, how do I staunch the \nbleeding? How do I stop the pain? And oftentimes your first \nreaction is not to tell everybody how you are in pain.\n    And so finding a way that removes that liability or creates \nother frameworks where you can say I tried my best, I did not \nmake it, help me next time. And so whether it is through \nincentives or liability protection, I think you have to \nunderstand the emotional state of somebody when they are going \nthrough an incident because I think it helps inform how you do \na better job the next time.\n    Mr. GANN. So the single best thing that policymakers can do \nin the area of cybersecurity is continue to keep the issue very \nbipartisan. If you go back 10 to 15 years and move forward from \nwhere we have started to where we are today, an awful lot of \nprogress has, in fact, been made. CISA was passed. We have \nstood up authorities in the civil government domain, putting \nDHS in the first chair on cyber. We have increased information \nsharing. 
We have broadly educated the population, large \nbusiness, small business to some degree on the cyber threats. \nKeep that work up and continue to update laws. Continue to \nupdate CISA. Allow more robust sharing of information beyond \nsimple indicators of compromise. Look at creative ways to put \nin place the right incentives to increase security. Keep the \nwork up and I think we will make a lot more additional \nprogress.\n    Mr. LAWSON. My time is about to run out, but one other \nthing after hearing the testimony from Mr. Reed, I was trying \nto equate how small--and you do not have to answer because my \ntime has run out--how small of businesses are concerned with \ncybersecurity? And that is the ones that are 45 and stuff \nbefore we get into the level that you are talking about. Maybe \nat some point in time, Mr. Chairman, he might be able to \nanswer.\n    Mr. REED. Can I give a really short answer? Companies of \none person can have records of hundreds of thousands of people.\n    Mr. LAWSON. Wow. I yield back, Mr. Chairman.\n    Chairman CHABOT. Thank you very much. The gentleman yields \nback.\n    The gentleman from Kansas, Dr. Marshall, is recognized for \n5 minutes.\n    Mr. MARSHALL. Good morning, everybody.\n    Mr. Reed spoke of fusion centers. Are the other witnesses \nfamiliar with fusion centers as well? Okay. When I visited our \nfusion center in Kansas, terrific facility, it is more of a \nregional facility I would describe it, the private sector \ninteraction were several big utilities as I can recall, maybe a \nbig bank. How are small businesses accessed? Ms. Sage, are you \nfamiliar with the small business access to the fusion centers?\n    Ms. SAGE. It is a challenge because, first of all, a lot of \nthese fusion centers are used for briefings at the classified \nlevel, et cetera. And so if you do not have those credentials \nto get in, you are not even in----\n    Mr. MARSHALL. Right. Getting the top secret clearance.\n    Ms. SAGE. 
Exactly.\n    Mr. MARSHALL. And you cannot participate with them unless \nyou have--you cannot say here is our problem without them \ndivulging stuff to you in any way.\n    Mr. Reed, you mentioned----\n    Mr. REED. Right. I think that gets to the education. And \nhaving recently been in your wonderful district and talked to \nsome of your small businesses there, I think there is a huge \neducation gap on how those fusion centers can play a role. And \nso I think that the questions we have to ask is, is there \nsomething that can be done to give them the credentialing and \nthe entry point? Because as you point out right now it is \nprimarily critical infrastructure that understands how they fit \ninto this equation, but as we have talked about here, literally \nhundreds of thousands of small companies have the information \nthat could compromise critical infrastructure if we are not \ncareful. So yes, we need to do a better job with getting access \nto those fusion centers.\n    Mr. MARSHALL. My next question centers around it seems like \nwe are always on defense when it comes to this rather than \ngoing on offense. It is almost like someone is trying to rob \nthe bank 10 times a day, 20 times a day, and it seems like we \nhave accepted that is okay and we do not go after those people \nhard enough and we are not going on the offense with them. We \nare not releasing these hunt viruses back at them and trying to \nbe more aggressive. Maybe I am wrong. But who is out there \ndoing a great job saying we are not going to take this anymore? \nWe are not going to sit there and just get attacked. I will sit \nthere and watch 20 or 30 attacks on some of my companies back \nhome in the matter of an hour when I am there.\n    Anybody have a comment about who is doing a good job on \noffense? Mr. Arnold does.\n    Mr. ARNOLD. 
Well, actually, I was going to say that I do \nnot think the small businesses are actually equipped to do \noffense at that level because they are going to invite a \ncounterattack by going on the offensive.\n    Mr. MARSHALL. So we need to empower them. Who is trying to \nsay here is the software to go on the offensive?\n    Mr. Gann?\n    Mr. GANN. So let me take that one on. It depends on how you \ndefine offensive activity. We actually have to be careful with \noverbroad rules that allow unqualified people to hack back \nbecause you never quite know who the attacker is and you can \nget subsidiary effects.\n    That said, there is a lot of innovative work being done in \nthe cybersecurity sector on machine learning, on analytics, on \ndoing a much better job of understanding threats as they are \nstarting to occur and starting to react early on to zero day \nattacks that have not been seen before. The science is really \nmoving much beyond the traditional blacklisting anti-virus \nmodel.\n    So that innovation is occurring in large companies and you \nare seeing a lot of small players doing a lot of innovating, \nand you have seen a massive increase in the amount of venture \ncapital money flowing through the cybersecurity sector. \nBillions of dollars, in fact. And so I think the trend lines \noverall are pretty good, but we still have some rough spots.\n    Mr. MARSHALL. I need to move on to my next question.\n    My opinion is most companies are afraid to report. They are \nafraid if they report it shows a weakness. Their customers \nmight find out how vulnerable they are. How do we overcome \nthat?\n    Mr. ARNOLD. We need to help them plan ahead for the \neventuality of that happening. Small businesses do not even do \nthe normal tabletop exercises that larger organizations do that \ngenerally put larger organizations in a better spot to respond \nto an adverse event, even just from a marketing and PR \nstandpoint. 
So helping educate small businesses on how to do \nthat would be very helpful.\n    Mr. MARSHALL. Any other?\n    Mr. REED. And I think it ties back to your previous \nquestion, which is where do you find the consultants and others \nin the space that can help you build ahead? I think you work \nthrough platforms that exist, larger platforms, but also you \nlook at some of the consultancies that exist out there and find \nways to do, as you said, table-topping, but remembering always \nthe primary goal of the business. So I think it is about \ninforming the IT professionals that set up that web presence or \nthat customer store or your database and saying to them, how \nare we prepared? And I think that goes to Ms. Sage's point, \nwhich is we have got to change the incentive structure.\n    Ms. SAGE. I agree with both gentlemen. And I would just \nlike to add, Dr. Marshall, that the cybersecurity framework \nthat was developed by NIST in industry I think really provides \na good model to help both large and small because it addresses \nthat specific area of how do we respond to and recover from \nsome of these cyber events?\n    Mr. MARSHALL. Thank you. I yield back.\n    Chairman CHABOT. Thank you. The gentleman yields back. \nThose are some excellent questions, really, and the answers \nwere good, too. Thank you.\n    The gentlelady from North Carolina, Ms. Adams, who is the \nRanking Member of the Subcommittee on Investigations, \nOversight, and Regulations, is recognized for 5 minutes.\n    Ms. ADAMS. Thank you, Mr. Chairman. Thank you all very much \nfor your testimony. I have learned a lot just listening.\n    Let me ask Mr. Gann this question. Why should it be a \npriority for the Federal Government to pay attention to the \nvulnerabilities that small businesses face against cybercrimes?\n    Mr. GANN. Well, it is a great question. Indeed, we have \ngotten so many great questions. 
It has been really a very fine \nhearing.\n    Small businesses, it is worth remembering, oftentimes can \nbe part of the most innovative pieces of the economy. Small \nbusinesses, whether in tech, biotech, machining, any number of \nareas, are oftentimes there because their founders left big \ncompanies because they wanted to do something new that maybe a \nlarge organization did not allow them to innovate on. So \nprotecting those assets, those pieces of intellectual property \nthat are really the seed corn of the future of our economy, \nthat is absolutely essential. That is, I think, number one. \nBeyond that the issue of PII that so many small businesses own \ntoday, that is number two. But small business is absolutely a \npiece of the challenge that needs to be addressed.\n    Ms. ADAMS. Thank you.\n    Mr. Arnold, how can small business development centers help \nwith the collection and the dissemination of cybersecurity \ninformation?\n    Mr. ARNOLD. Well, let's talk about first the collection \nthereof. When events happen, some of them have grave economic \nimpact. Some of them maybe do not have horrible economic \nimpact, but they have some technical issues and indicators that \nall need to get reported. And so the SBDC has kind of become a \ntriaging place so the small business can say, hey, I have had \nthis kind of attack. Who do I need to report this to? And they \ncan give a list of the agencies that are best suited to gather \nthat data.\n    And then likewise, on the back side of disseminating the \ninformation back out, as Ms. Sage has pointed out a couple of \ndifferent times, each small business is very unique in its \nneeds and there are a lot of different programs out there and \nthere is a need for that diversity, but we also need to have a \nphonebook, if you will, a directory of, okay, well, these are \nthe information programs that are out there. 
These are the \neducational pieces that are out there, and the SBDCs could \nconnect the small businesses to those.\n    Ms. ADAMS. Thank you. And anybody who wants to answer this \nquestion.\n    Based on your experience as a small business working with \nother small businesses, why is it that most small firms do not \nunderstand the full scope of their risk to cyber threats? And \ndo you believe we need more outreach, more education? Anybody \ncan respond to that. I would appreciate it.\n    Mr. REED. So having been a founder of a couple of small \nbusinesses, what makes you motivated to build a small business \nis to solve a problem, whether it is to sell food on the street \ncorner or to build the next great social media application. \nYour focus is on delivering a product and solving a problem as \nyou see it. And that is what burns inside of you. That is what \ntakes the risk. That is what gets you to borrow money from your \nmom's house to put it out there. And so the problem starts with \nif cybersecurity is not something that you are in the business \nof, and it is not the problem you are trying to solve, you are \npouring every amount of your heart and soul into solving that \nspecific problem.\n    So I think that what we have to do is early on the \neducation effort has to be if you want to see your dream \nrealized, then you need to make sure that you are taking care \nof business at the very beginning before you see your dream \ndashed because you lost that information. So I think it is \nabout structuring the question that you asked. And I think it \nis a vital question. And you need to turn it back on that small \nbusiness and ask them, I am here to help you get your dream, \nbut what are you doing to make sure it can live for the long \nterm, not just for the short?\n    Ms. ADAMS. Okay. Does anybody want to respond quickly to \nthat?\n    Mr. ARNOLD. 
I would like to add, too, that small \nbusinesses, well, will frame cybersecurity as an IT program. It \nneeds to be reframed as a business problem, one that the \nbusiness owners have to address, and I think that is critical.\n    Ms. ADAMS. Ms. Sage?\n    Ms. SAGE. I just want to say amen.\n    Ms. ADAMS. Okay.\n    Ms. SAGE. I also think that to the points that have been \nmade earlier, if cybersecurity is not going to help us \nultimately accomplish our business goal, it will go the way of \nevery other issue or concern that small businesses have to deal \nwith, which is we do not deal with them until we have to. So to \nthe extent that we can help, as you rightly pointed out, \neducate business owners, and to Mr. Arnold's point, that this \nis not just a technology problem, educate business owners that \nit is the same like if you do not have an EIN number for doing \nbusiness, you cannot do business. It does not matter what kind \nof service you want to provide. There are certain things you \njust have to have in place. And I think if we can get our small \nbusiness community to understand that this is one of those \nkinds of things, I think we will be in a much better place.\n    Ms. ADAMS. Thank you very much. I am out of time.\n    Chairman CHABOT. Thank you very much. The gentlelady's time \nis expired.\n    We want to thank the panel here for your very insightful \ninformation that you have given us here today. I think you have \nanswered the questions very well and cybersecurity is clearly \none of the principal, one of the greatest issues a lot of small \nbusinesses face today. They know it is important, but they are \nnot quite sure exactly what to do about it. And this Committee \nwants to work to help them to the extent that we can. So thank \nyou for helping us to help them. 
We appreciate it greatly.\n    I would ask unanimous consent that all members have 5 \nlegislative days to submit statements and supporting materials \nfor the record.\n    Without objection, so ordered.\n    And if there is no further business to come before the \nCommittee, we are adjourned. Thank you very much.\n    [Whereupon, at 12:08 p.m., the Committee was adjourned.]\n    \n         A P P E N D I X\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n    Fragmentation\n\n    The most fundamental problem in accessing this data right \nnow is fragmentation. The DHS, FBI, NIST, and the NSA are just \na few of the agencies collecting cyber incident and \nintelligence information. Each has multiple repositories and \nprograms. Some are well advertised, while some are part of \nworkgroups and not widely available. Others are hidden by \nclassification. Simply having a list of all the data sharing \ninitiatives available would help tremendously.\n\n    Such a list might start with the various Information \nSharing and Analysis Centers (ISAC's) and Information Sharing \nand Analysis Organization Standards Organizations (ISAO's), and \nexpand to include programs like DHS's Automated Indicator \nSharing (AIS) program. The inventory would include what \ninformation sources they consume, how they make the data \navailable, and the membership criteria for each. The \nintermediate organizations like ISAC's and ISAO's are, in many \ncases, doing a great job of making otherwise inaccessible data \navailable to small businesses \\2\\.\n---------------------------------------------------------------------------\n    \\2\\ See Appendix: How the IT-ISAC makes AIS affordable\n\n    Small businesses are extremely resourceful. Having quality \nincident reporting and cyber intelligence flowing to the small \nbusiness community lets us build solutions for ourselves.\\3\\ \nOur biggest challenge, in that regard, is collecting and \naggregating data from a wide array of sources. 
In truth, even \nthe largest multi-national companies cannot collect data on the \nbreadth and scale that US government agencies can provide. \nAccess to quality data for companies of all sizes helps level \nthe playing field between large and small businesses and will \nspur economic development alongside novel solutions.\\4\\\n---------------------------------------------------------------------------\n    \\3\\ See Appendix: Email Interview: Douglas M. DePeppe--Cyber \nResilience Institute\n    \\4\\ See Appendix: Economic Trends And How Shared Information Helps\n\n---------------------------------------------------------------------------\n    Overuse of Classification\n\n    Another problem with sharing information is the overuse of \nclassification. There are a myriad of rules governing the \ndeclassification of information, but declaring valuable \ninformation a secret is almost effortless. It takes no more \nthan two words, uttered in a grave tone, to play keep away with \nvital information. ``That's classified.'' And just like that, \nour cyber equivalents of neighborhood crime statistics and sex \noffender registries are taken away in the name of national \nsecurity. While secrets have their place, we have a right to \nknow what is going on around us, and every data point that gets \nclassified degrades our ability to make good decisions \\4\\, \n\\5\\.\n---------------------------------------------------------------------------\n    \\5\\ See Appendix: How Classification Impacted the Wannacry Outbreak \nand Response\n\n    The other problem with classifying information is that it \ncreates another digital divide between the haves and the \nhave-nots. Small companies are generally much better at raw \ninnovation. 
When we cannot get access to the raw material for \nbuilding novel solutions, our security posture will not improve \nand we lose economic opportunities to create jobs around our \ninnovations.\n\n    As you contemplate the role of classification, please keep \nthis in mind: When this country was founded, we were colonists \nliving under the boot of a government that exerted control by \nkeeping secrets and forcing access to information it deemed \nmight be incriminating. Our adversaries would like nothing more \nthan to goad our government into keeping secrets, then unleash \nthose secrets to draw the ire of the citizens and undermine \ntrust. Remaining transparent is the only solution that works in \nthe long run. It is better that we let our enemies know we see \nthem coming and face them head on, than to have us bickering \nwith one another while they steal all our trade secrets \\5\\.\n\n    Pressure to Keep Up Poses Major New Threat\n\n    There is a more pressing issue to which I need to draw your \nattention. It is a byproduct of two distinct disadvantages that \nsmall businesses face:\n\n          1. As big companies armor up, attackers turn to less \n        protected small businesses.\n\n          2. Small businesses cannot afford to compete with big \n        companies for the cybersecurity talent and solutions \n        they need to protect themselves.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ The federal government is also snapping up scarce talent. For \nexample, students can receive scholarships worth up to $60,000 for NSA \naccredited degree programs, but then they are obligated to work for the \ngovernment. Small businesses cannot compete with that kind of \nrecruitment.\n\n    These are circular issues with one begetting the other. 
In \ntheir wake, the demand for affordable solutions will rise \ndramatically, creating yet another threat. Small businesses \ndesperate to meet the cybersecurity demands of larger clients, \ngovernment regulations, insurance carriers, and lending \ninstitutions are going to become victims once again. \nAdversaries will use this opportunity to sell cheap software \nand services that are subsidized by selling data and secrets \nout the back door and give them a toehold in the supply chain \nof larger organizations.\n\n    The driver here is that cybersecurity is also economic \nwarfare and a geopolitical game of chess that knows no borders. \nThese higher-level battles manifest as foreign and domestic \nespionage, extortion, and economic disruption. They encompass \naspects of both organized crime and the Cold War. A central \nissue that impacts small businesses is the ability to vet \nvendors who may have ties to either the criminal underground or \nnation-state adversaries.\n\n    Deputizing Small Business Cyber Solution Providers\n\n    I believe we can get ahead of this problem with your help. \nFixing the problem with American-made products and services \nwill not only protect the sector, but also stimulate job growth \nand economic development. 
I suggest that the SBDC's work with \nlocal, state, and federal law enforcement to certify local \nvendors as All-American solution providers, then connect those \nvendors with other SBDC's within their state and across the \nnation.\n\n    Participants would be bound to:\n\n            defend small businesses under a Hippocratic-like \n        oath,\n\n            affirm allegiance to US interests,\n\n            produce software/services domestically (no \n        offshoring data or talent), and\n\n            report cyber intelligence using uniform methods.\n\n    Participants would be subject to steep legal penalties for \nusing offshore solutions, perhaps submitting to spot-check \ninvestigations to ensure compliance. However, so long as they \nrely on American solutions, they (and perhaps their clients) \nwould be protected by good-Samaritan laws much like our first \nresponders. These deputized small businesses would also form a \nsort of national guard embedded directly in our business \ncommunities.\n\n    Improving the Collection and Dissemination of Information\n\n    In addition to tapping our SBDCs, I believe the government \nhas two resources that can help with collection and \ndissemination of cybersecurity information. Our Bureau of Labor \nStatistics (BLS) is very good at aggregating, summarizing, and \nmaking data available in easy to digest forms. Meanwhile, the \nIRS is one agency to which every small business owner is happy \nto report losses.\n\n    Obviously there is potential for abuse in reporting losses \nthat did not occur. To offset this, any loss report would \ntrigger (or could trigger in the case of a lottery system) an \ninvestigation by law enforcement to validate claims. The \ninvestigation would allow for the gathering of valuable \nincident details and cyber intelligence information.\n\n    The DHS was established to bring together intelligence and \ndata from multiple agencies. 
Therefore it makes sense to have \ndata bubble up to them for aggregation and, when absolutely \nnecessary, apply judicious and time-limited classification. \nGathering points for information would include the IRS, as \nmentioned above, but also local/state/federal law enforcement, \nwith SBDC advisors connecting small businesses to them as \nappropriate. In fact, it may be best to classify all data \ninitially at the gathering points and charge the DHS with \ndeclassifying everything, except that which is truly vital to \nnational security or conflicts with privacy. Doing so alleviates \nthe SBDC advisors, law enforcement, and any deputized \nbusinesses from making such decisions.\n\n    While DHS has the ability to aggregate and (de)classify \ndata, the Bureau of Labor Statistics (BLS) has the talent, \ninfrastructure, and existing relationships to repackage and \ndeliver it back to the community. Undoubtedly some will insist \nthe data need not be made public. But security by obscurity \nonly builds false hopes.\\7\\ In fact, I would argue that the \nvalue added from the statistical expertise to correctly \ninterpret raw data would far outweigh the idea of keeping \npoorly interpreted data secure.\n---------------------------------------------------------------------------\n    \\7\\ See Appendix: How Classification Impacted the Wannacry Outbreak \nand Response\n\n    An example of poorly interpreted data is the oft-quoted \nstatistic that sixty percent of small businesses fail within \nsix months of a cyber attack. It is so tantalizing, that even \nwe used it at Threat Sketch early on in our marketing \nmaterials. 
However, we later learned this to be unverified \ninformation and have distanced ourselves from it because our \nclients trust us to deliver accurate data.\\8\\\n---------------------------------------------------------------------------\n    \\8\\ https://www.bankinfosecurity.com/blogs/60-hacked-small-businesses-fail-how-reliable-that-stat-p-2464\n\n---------------------------------------------------------------------------\n    SBDC Advisor Training\n\n    Small businesses need local solutions that can tap into a \nnational network of trusted solution providers. The SBDCs have \nproven effective in helping small businesses navigate a myriad \nof state, federal, and local resources, and with training. I \nbelieve they can rise to this challenge as well.\n\n    With regard to training, the NSA has been busy establishing \na network of colleges and universities that are Centers of \nAcademic Excellence (CAE) in Cybersecurity. And NIST, through \nits National Initiative for Cybersecurity Education (NICE), is \nhelping standardize the language in our industry, which is much \nneeded. I believe that the NSA-CAE community colleges and \nuniversities are well positioned to cross-train and up-train \nexisting SBDC advisors on the business aspects of \ncybersecurity. Advisors need not become technical experts, but \nrather learn the standardized language developed by NICE and \ndelivered through NSA-CAEs. Doing so will let them help small \nbusinesses locate and connect with appropriate resources.\n                                Appendix\n\n\n    How the IT-ISAC makes AIS affordable\n\n    The DHS has an information sharing program called Automated \nIndicator Sharing (AIS) that gathers and distributes cyber \nintelligence using STIX and TAXII protocols. When I first \nencountered this program through Threat Sketch, the only \ncommercially supported software systems had six-figure price \ntags. 
Although free, open-source versions exist, they require \nconstant patching and maintenance as well as a secure facility \nto house them. These hidden implementation costs put ``free'' \ninformation well out of the price range of small businesses.\n\n    We were referred by AIS to the IT-ISAC, which already has \ninfrastructure in place to receive AIS information via STIX/\nTAXII and was able to fractionalize the cost among its paid \nmembers. The IT-ISAC has since played a vital role in both \nsupplying data and allowing us to share our own knowledge back \nto the community.\n\n    Email Interview: Douglas M. DePeppe - Cyber Resilience \nInstitute\n\n          Cyber Market Development Project, as well as Sports-\n        ISAO Project Office. Our nonprofit, Cyber Resilience \n        Institute, is the NIPP Challenge awardee (and our \n        project will transition to commercial use under `c-\n        Market' branding and naming). Our model has a CTI and \n        Information Sharing core, based in a community and \n        adopting a PPP sharing and capacity building model.\n\n          That as a quick background, we enter communities \n        through students and a workforce program: c-Watch. And, \n        what we're promoting is the linking together of a \n        network of cyber hunters and analysts--that is, \n        graduates of the workforce program--into the Cyber \n        Threat Intelligence Research Network. 
What CTIRN \n        represents is a national capability of students--a bit \n        like a CyberCorps or a cyber-ROTC equivalent--engaged \n        in populating a commercial Order of Battle (i.e., \n        adversary profiling), that would be available for the \n        private sector and all levels of government, and \n        without incurring IC classification constraints.\n\n    How Classification Impacted the Wannacry Outbreak and \nResponse\n\n    I participated in the national response to the Wannacry \noutbreak led by the National Cybersecurity and Communications \nIntegration Center (NCICC; pronounced ``N-KICK''). During one \nof the daily NCICC calls, a large company claimed to have \nsomething they wanted to share, but did not want to make it \npublic. A DHS representative came on the line and declared the \nbriefing TLP-Yellow from that point forward. He then invited \nall companies on the line to share what they knew and there was \nnothing but awkward silence. Even under a veil of secrecy, the \nbig company was unwilling to share what they knew. I wonder to \nthis day what it was and if it could have saved even one \nvictim.\n\n    And let us not forget the reason the Wannacry outbreak \nwas able to travel so quickly: it did so by leveraging an \nexploit discovered by the NSA and kept secret until exposed in \na WikiLeaks data dump. I understand why the flaw was kept \nsecret, but that decision was not without consequences. The \nentire attack may never have occurred had the flaw been \ndisclosed to the private sector when it was first discovered. \nNot only did that decision lay the groundwork for the \nransomware attack, but it created a rift between the government \nand the private sector. I know of at least one large-scale flaw \nthat was not reported to the government for the reason that \ncybersecurity researchers have lost faith in our government. 
It \nwill take a long time and many taxpayer dollars to recover from \nthe tarnished image that results from keeping secrets.\n\n    Economic Trends And How Shared Information Helps\n\n    To describe how shared cyber incident and intelligence \ninformation helps small businesses, I need to provide context. \nAt a company level, cybersecurity is a business problem of risk \nmanagement. At a national level, cybersecurity is economic \nwarfare. At a global scale it is a geopolitical game of chess \nthat ignores physical borders.\n\n    At the business level, three trends drive cyber risk in \nsmall businesses. They are:\n\n          1. An increase in incentives for hackers to make \n        money by exploiting stolen data.\n\n          2. A dramatic rise in the liability that comes with \n        handling sensitive data.\n\n          3. The use of automation to attack small businesses \n        on an industrial scale.\\9\\\n---------------------------------------------------------------------------\n    \\9\\ Arnold, Rob (2017). Cybersecurity: A Business Solution. ISBN \n978-0692944158.\n\n    Let's use a familiar example to illustrate how these three \nforces have changed the risk landscape. Consider an employee's \nW-2 form. Ten years ago it was hardly worth the paper it was \nprinted on because there was no mass market for selling \npersonal information. Today, each W-2 is worth $20 or more on \nunderground black markets. The incentive has gone from nearly \nzero to $20 per victim.\n\n    While the hacker gets $20 for each W-2, the liability to \nthe employer and the employee is substantially higher. In the \nextreme, lawsuits and drained bank accounts can cost the \nbusiness and the employee hundreds of thousands of dollars. 
And \nmore subtle losses come in the form of lost morale and the \nhassle of dealing with damaged credit, which add to the losses.\n\n    While there is an incentive to steal W-2s en masse from \nlarge companies, the big companies are becoming harder to \nattack. As a result, hackers are using automation to go after \nunprotected, unprepared small businesses by the thousands. Due \nto the volume of attacks, they only need to compromise a small \nfraction of them to make a profit. It is a nefarious business \nmodel that works.\n\n    In the context of trend number one, sharing cyber \nintelligence about black markets and espionage warns small \nbusinesses about emerging incentives for stealing data. To \naddress the second trend, which is victim liability, incident \nreporting is used to understand trends in the risk landscape \nand to determine how different attacks relate to losses. \nFinally, combatting automated attacks means using both types of \ndata to detect large scale operations and respond quickly to \nundermine the nefarious business model.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                  STATEMENT FOR THE RECORD OF\n\n     THOMAS GANN, CHIEF PUBLIC POLICY OFFICER, MCAFEE, LLC.\n\n  BEFORE THE U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON SMALL \n                            BUSINESS\n\nON ``FEDERAL GOVERNMENT AND SMALL BUSINESSES: PROMOTING GREATER \n                          INFORMATION\n\n              SHARING FOR STRONGER CYBERSECURITY''\n\n  November 15, 2017, 11:00 AM / RAYBURN HOUSE OFFICE BUILDING \n                           ROOM 2360\n\n    Good morning, Chairman Chabot, Ranking Member Velazquez, \nand distinguished members of the committee. Thank you for the \nopportunity to testify today, I am Tom Gann, Chief Public \nPolicy Officer for McAfee, LLC. I have over 20 years of \nexperience in the IT industry, having run government relations \nand public sector alliances functions for Digimarc, Siebel \nSystems and Sun Microsystems. 
During the last decade, I have \nfocused on cybersecurity and identity management issues. I hold \ndegrees in business and political science from the London \nBusiness School and Stanford University.\n\n    I am pleased to address the committee on this important \nmatter. My testimony will address the cybersecurity challenges \nsmall businesses face, why sharing technical information is \nparticularly difficult for small businesses, the types of \ninformation sharing that could be most useful to them, and \ngeneral recommendations that can enhance the cybersecurity \ncapabilities of small businesses.\n\n    MCAFEE'S COMMITMENT TO CYBERSECURITY\n\n    McAfee is one of the world's leading independent \ncybersecurity companies. Inspired by the power of working \ntogether, McAfee creates business and consumer solutions that \nmake the world a safer place. By building solutions that work \nwith other industry products, McAfee helps businesses \norchestrate cyber environments that are truly integrated, where \nprotection, detection and correction of threats happen \nsimultaneously and collaboratively. By protecting consumers \nacross all their devices, we secure their digital lifestyle at \nhome and while on the go. By working with other security \nplayers, we are leading the effort to unite against state-\nsponsored actors, cybercriminals, hacktivists and other \ndisruptors for the benefit of all. McAfee is focused on \naccelerating ubiquitous protection against security risks for \npeople, businesses and governments worldwide.\n\n    Before beginning my comments, I want to express how \nextremely pleased McAfee is in seeing the focus on improving \nthe cyber threat landscape for small businesses. Through the \npast several years, a great deal of time and effort has been \nfocused on larger organizations with resources to invest, but \nattention on risks to small business--the backbone of our \nnation's economy--is long overdue. 
For too long, small \nbusinesses have been a target of malicious actors with little \nor no way to protect themselves due to education and resource \nconstraints. Thank you for investigating ways to better protect \nthis vital segment of our digital economy.\n\n    CYBERSECURITY RISKS FACED BY SMALL BUSINESS\n\n    There's no doubt that small businesses face many of the \nsame cybersecurity risks as large ones. Some cyber-attack \nmethods, such as ransomware and those that begin with spear-\nphishing, are particularly well-suited to small businesses, who \nmight be an easy target because of their lack of cybersecurity \nresources. Small businesses store personal information, \nimplement operational requirements and own valuable \nintellectual property just as large enterprises do, so they too \nneed strong cybersecurity protections. In fact, more than 50 \npercent of cyber-attacks are launched on firms having fewer \nthan 50 employees, according to cyber expert Steve Morgan. A \n2016 report from Keeper and the Ponemon Institute found that \nonly 14 percent of small and medium-sized businesses say they \nhave the ability to effectively mitigate risks and \nvulnerabilities. Further, 50 percent say they had been breached \nin the past 12 months. This is not at all surprising, given \nthat many small businesses might not even have IT staff, let \nalone cybersecurity staff.\n\n    Not addressing these risks has real consequences for the \nbusinesses themselves, larger businesses and local economies. \nFor example, an August 2017 analysis by Tech Republic found \nthat a single cybersecurity attack could cost a small business \n$256,000. And we've seen at least one instance of a small \nbusiness breach affecting a larger one in the Target hack.\n\n    An October study by the Better Business Bureau, The State \nof Small Business Cybersecurity in North America, found that \nhalf of small businesses could remain profitable for only one \nmonth if they lost essential data. 
Further, while small \nbusinesses may be adopting solutions like antivirus software, \none of the most cost-effective tools, employee education, is \nused by fewer than half the companies surveyed. The report also \nfound that while awareness of cybersecurity risk among small \nbusiness owners is growing, they are not at all certain what to \ndo about it.\n\n    According to an August 2017 survey from BizBuySell, the \nInternet's largest business-for-sale marketplace, 90 percent of \nsmall businesses believe it's at least important to protect \nthemselves from a cyber-attack. Yet moving from cyber \nprotection being important to it being essential, practical and \naffordable is a big step. Investing in more than just very \nbasic cybersecurity tools requires time, money and other \nresources--like an IT staff--that small businesses often don't \nhave. We have to acknowledge the fact that for most small \nbusinesses, cybersecurity is an expense they don't want to \nincur when they're trying to simply make payroll and remain \nprofitable.\n\n    ``Profitability is the ultimate test of risk,'' one of the \nBetter Business Bureau report's authors said, adding that small \nbusiness owners have to do a cost-benefit analysis of \ncybersecurity. ``It doesn't do any good for a small business to \nadopt a $10,000 solution if the potential risk reduction is \nworth $5,000,'' he added.\n\n    THE INFORMATION SHARING CHALLENGE FOR SMALL BUSINESS\n\n    So, what's the solution? Should small businesses \nparticipate in the Department of Homeland Security's (DHS) \ncyber threat information sharing program mandated by the \nCybersecurity Information Sharing Act (CISA)? This is a \nquestion worth exploring. 
In talking with our customers, it is \nclear that many small businesses are unaware of CISA, often \ndon't understand how the law can help them, and are confused by \nthe many information sharing initiatives out there.\n\n    However, I also believe we should consider how information \nsharing efforts, such as those mandated by CISA, can directly \nbenefit small businesses.\n\n    The DHS initiative known as Automated Indicator Sharing \n(AIS) is open to small businesses, but few have the resources \nor an educated IT staff to make direct use of or benefit from \nit. The kind of information shared via AIS is comprised of \nindicators of compromise (IOCs). While the overall program has \nbeen a strong step in the right direction, it still provides \nfar too little real value. IOCs are just the breadcrumbs that \nnetwork security staff look for to uncover clues as to what may \nbe occurring inside their organizations. Typical IOCs include \nregistry keys, MD5 hashes of potential malware, IP addresses, \nvirus signatures, unusual DNS requests, and URLs. While these \ncan be useful, they are not enough to provide the defensive \ninformation needed to protect an organization.\n\n    The information shared must be both useful and actionable \nto the receiving parties and, in the case of AIS, it also must \nbe automated. As many small businesses outsource functions like \ntheir point of sale systems, or even their entire IT needs, \nthey may not have access to the information contained there, \nlet alone be able to ensure it is useful and actionable. Even \nif they had their own IT support infrastructure, small \nbusinesses would have to acquire and set up systems and \nsoftware to collect, share and use the information. The reality \nis any information sharing capabilities require time, money and \nresources that many small businesses just do not have.\n\n    Additionally, it should be understood that we are not \nsharing information just for sharing's sake. 
There needs to be \na valuable purpose for the sharing if a business is going to \nspend the money needed to set it up and maintain it going \nforward as a core business practice. If the information being \nshared is not useful, actionable and automated, then the entity \nsharing it doesn't bring much value to the table--nor would the \nsmall business get value from it. Today, the type of simple \ninformation via IOCs exchanged by AIS is hard for small \nbusinesses to get value out of.\n\n    A DIFFERENT KIND OF INFORMATION SHARING\n\n    This doesn't mean that small businesses don't need or can't \nbenefit from cyber threat intelligence; they certainly can. But \nperhaps we should focus our discussion more on sharing a \ndifferent kind of information--information that is more \ninformative and educational right away.\n\n    The Better Business Bureau study found that when asked to \njudge 10 statements on cybersecurity as either true or false, \nthe average score was below 60 percent, meaning that there are \nstill opportunities to better educate small businesses and \ndispel some myths. And regarding what to do first in a data \nbreach, only about 20 percent of respondents answered \ncorrectly. Granted, the laws vary from state to state and can \nbe complicated, but this just points out the need for more \neducation on the benefits of having a plan before a breach \noccurs.\n\n    Education and awareness efforts are essential. The Federal \nTrade Commission (FTC) just last month launched a new site for \nProtecting Small Business that offers advice on cybersecurity \nbasics, protecting personal information and what to do in the \nevent of a data breach. Likewise, the Small Business \nAdministration (SBA) also provides resources on its website. 
We \nneed even more initiatives like these that make it as easy as \npossible for small businesses to learn more about how to \nprotect themselves.\n\n    The federal government can also help raise awareness among \nvendors and solutions providers of the role small businesses \nplay in protecting the nation's critical infrastructure. Many \nimportant government contractors are small businesses and, as \nwe learned in the retail attacks of 2014, small businesses are \nattractive attack conduits for breaching larger business or \ngovernment targets rich in high-value data or other assets.\n\n    DEDICATED INFORMATION SHARING ORGANIZATION FOR SMALL \nBUSINESS\n\n    The federal government should also help develop and fund \nthe standup of a non-profit Information Sharing and Analysis \nOrganization (ISAO) focused on U.S. small businesses. Small \nbusinesses do not have the resources to address the problem of \ngathering and analyzing cyber threat intelligence on an ongoing \nbasis, but a highly targeted ISAO with initial support from the \nfederal government could help. A small business-focused ISAO \ncould use the economies of scale to be able to supply \nappropriate information to those businesses that lack the \nresources but still need current cyber threat intelligence. \nSuch an ISAO could provide education services to its members as \na part of their services, such as basic cyber hygiene and more \nadvanced topics like incorporating the NIST Cybersecurity \nFramework into their security program. Cyber education is \ncritical to the success of small businesses being able to \nunderstand the problems in order to begin addressing them.\n\n    The ISAO could provide its members with best practices, \nlessons learned, templates and processes for addressing \nincidents, the ability to get help understanding the problems \nand act as a hub in case a breach occurs. In the event of an \nincident, small businesses need to know where to go and what to \ndo. 
The ISAO could also act as the first point of contact in \ndetermining whether or not to reach out to law enforcement and \nto assist the business in addressing the incident. This would \nalso allow the ISAO to communicate the situation to its other \nmembers so that they too could be informed.\n\n    An information sharing organization such as this would also \nbe able to spread costs among its members. We encourage the \ngovernment to consider providing the initial startup funding \nfor a national small business ISAO.\n\n    ADDITIONAL RECOMMENDATIONS FOR PROTECTING SMALL BUSINESS\n\n    Move to the Cloud\n\n    Advances in technology can also serve to protect \ntechnology. For example, outsourcing infrastructure to a cloud \nprovider is becoming more common. This practice could have real \nadvantages for a small business, as the cloud provider would be \nresponsible for security. Both infrastructure as a service and \nsecurity as a service warrant attention from small business, as \nboth can be economical ways to provide efficiencies and \nsecurity without the business owner having to think about it. \nThe growth of cloud applications has made these ``as-a-\nservice'' technologies real possibilities. Leveraging them \ncould enable a small business to focus on becoming a medium-\nsized business, for example, rather than having to be an IT and \nsecurity expert.\n\n    At the same time, cloud providers have the opportunity to \ngain the insight from the threats they see on the endpoints of \ntheir small business customers, benefiting from the ever-\ngrowing network effects of more and more threat data, which in \nturn can enhance their ability to improve their customers' \nsecurity. 
Cloud providers should also be able to leverage their \neconomies of scale to share threat information with their \npartners in the private and public sectors.\n\n    While the move to the cloud has real benefits, small \nbusiness owners cannot contract out all of their cybersecurity \nobligations, particularly in the area of strong blocking and \ntackling--making sure that passwords are updated on a regular \nbasis and backing up information on a regular basis.\n\n    Improve DHS's Automated Indicator Sharing (AIS) Program\n\n    While the AIS program is still in the startup phase and \nneeds to broaden the type of information it receives and \nshares, we should not give up on its potential. Policymakers \nneed to enable the administration to move beyond simple \nindicators supplied via AIS and provide a means to enrich the \neffectiveness of shared information. The administration should \nincrease its efforts with the private sector to further evolve \nthe way cyber threat information is represented, enriched and \ndistributed in a timely fashion. Doing so will help create a \nhigh-functioning ecosystem of information sharing that will \nhelp all organizations, both large and small, to compete with \nglobal networks of sophisticated hackers.\n\n    Encourage Cyber Insurance for Small Businesses\n\n    Small businesses would also benefit from cyber insurance, \nwhich is specifically designed to protect an organization from \nrisk. This is still a small but growing part of the insurance \nmarket. It deserves more attention, as does the idea of having \nthe government act as a reinsurer for the cybersecurity \ninsurance market during its early stages. Alternatively, the \ngovernment could establish a program similar to the National \nFlood Insurance Program to help support the private market in \nthe event of catastrophic, widespread attacks.\n\n    Invest in Fighting Cyber Crime\n\n    The government should also devote additional resources to \nfighting cybercrime. 
Too often, it is small businesses in \nsectors like health care and finance that are being hacked by \ncyber criminals. These criminals are perfecting the art of \nransomware, and small businesses are all too often being \nforced to pay to protect their data. Law enforcement at all \nlevels--federal, state and local--needs to have the resources to \nidentify and take down hackers who have been terrorizing the \nsmall business community.\n\n    CONCLUSION\n\n    It's important to recognize that technical information \nsharing is only one piece of the puzzle. Small businesses need, \nfirst of all, to get the basics of cybersecurity right. \nInformation sharing efforts designed to educate and raise \nawareness are more important--at least at this point--than \nthose intended to share automated, actionable indicators of \nthreats. Small businesses can benefit greatly from moving their \ninfrastructure and security to the cloud and the economies of \nscale of ISAOs dedicated to their unique requirements. Cyber \ninsurance also holds promise, as does doubling down on \ninvestments to fight cybercrime. We also need to support \nefforts to boost the effectiveness of the Automated Indicator \nSharing program to ensure that everyone wins over time.\n\n    Thank you for giving McAfee the opportunity to testify on \nthis important topic. I'd be happy to answer any questions.\n\n                                 <all>\n</pre></body></html>\n"