[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
SMALL BUSINESS INFORMATION SHARING: COMBATING FOREIGN CYBER THREATS
=======================================================================
HEARING
before the
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
HEARING HELD
JANUARY 30, 2018
__________
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Small Business Committee Document Number 115-053
Available via the GPO Website: www.fdsys.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
28-359 WASHINGTON : 2018
HOUSE COMMITTEE ON SMALL BUSINESS
STEVE CHABOT, Ohio, Chairman
STEVE KING, Iowa
BLAINE LUETKEMEYER, Missouri
DAVE BRAT, Virginia
AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
STEVE KNIGHT, California
TRENT KELLY, Mississippi
ROD BLUM, Iowa
JAMES COMER, Kentucky
JENNIFFER GONZALEZ-COLON, Puerto Rico
BRIAN FITZPATRICK, Pennsylvania
ROGER MARSHALL, Kansas
RALPH NORMAN, South Carolina
JOHN CURTIS, Utah
NYDIA VELAZQUEZ, New York, Ranking Member
DWIGHT EVANS, Pennsylvania
STEPHANIE MURPHY, Florida
AL LAWSON, JR., Florida
YVETTE CLARK, New York
JUDY CHU, California
ALMA ADAMS, North Carolina
ADRIANO ESPAILLAT, New York
BRAD SCHNEIDER, Illinois
VACANT
Kevin Fitzpatrick, Majority Staff Director
Jan Oliver, Majority Deputy Staff Director and Chief Counsel
Adam Minehardt, Staff Director
C O N T E N T S
OPENING STATEMENTS
Page
Hon. Steve Chabot................................................ 1
Hon. Nydia Velazquez............................................. 2
WITNESSES
Mr. Howard Marshall, Deputy Assistant Director, Cyber Division,
Federal Bureau of Investigation, Washington, DC................ 4
Mr. Richard Driggers, Deputy Assistant Secretary, Office of
Cybersecurity and Communications, National Protection and
Programs Directorate, United States Department of Homeland
Security, Washington, DC....................................... 6
APPENDIX
Prepared Statements:
Mr. Howard Marshall, Deputy Assistant Director, Cyber
Division, Federal Bureau of Investigation, Washington, DC.. 21
Mr. Richard Driggers, Deputy Assistant Secretary, Office of
Cybersecurity and Communications, National Protection and
Programs Directorate, United States Department of Homeland
Security, Washington, DC................................... 29
Questions for the Record:
None.
Answers for the Record:
None.
Additional Material for the Record:
None.
SMALL BUSINESS INFORMATION SHARING: COMBATING FOREIGN CYBER THREATS
----------
TUESDAY, JANUARY 30, 2018
House of Representatives,
Committee on Small Business,
Washington, DC.
The Committee met, pursuant to call, at 11:00 a.m., in Room
2360, Rayburn House Office Building. Hon. Steve Chabot
[chairman of the Committee] presiding.
Present: Representatives Chabot, Radewagen, Kelly, Blum,
Comer, Fitzpatrick, Marshall, Norman, Velazquez, Evans, Lawson,
Chu, Espaillat, and Schneider.
Chairman CHABOT. Good morning. I call this hearing to
order.
We want to thank everyone for being here.
Over the past few years, this Committee has focused its
attention on an issue that is become increasingly important for
small businesses, cybersecurity. In past hearings, we have
learned that a cyber attack on a small business can have
serious consequences, not only for the business itself, but for
its customers and employees and business partners alike. We
have heard from small business owners and cybersecurity experts
and government officials, and there is no question that
improving cybersecurity for America's small businesses should
continue to be a top priority, especially for this Committee.
In today's global economy, small businesses are
increasingly turning to foreign technology to remain
competitive in the world marketplace. However, these same
products and services also provide new opportunities for
foreign cyber criminals to infiltrate small business
information technology systems, allowing them to access
sensitive and valuable information.
A recent survey found that 81 percent of small businesses
are concerned about a cyber attack, but only 63 percent have
the most basic cybersecurity measures in place to combat such
an attack.
Cyber attacks pose a higher risk for small businesses,
since most do not have the means to hire specialized employees
or pay the average $32,000 in damages should they be hit with a
cyber attack. And, cyber threats for small businesses are on
the rise.
This Committee has also found that the federal government
is stepping up its efforts to both prevent and mitigate cyber
attacks by coordinating and distributing cybersecurity
resources directly to small businesses. There is strong
bipartisan support from both chambers of Congress and the
President to increase American protection from foreign cyber
attacks.
However, small businesses are still hesitant to engage with
the federal government. This is often due to uncertainty
surrounding legal liabilities, concerns about privacy and data
protection, and a number of other factors. Still, federal
information sharing is crucial to ensuring that small
businesses have every resource possible to combat cyber threats
and the confidence they need to engage with the federal
agencies tasked with protecting them.
That is why the Ranking Member and I recently introduced
H.R. 4668, the Small Business Advanced Cybersecurity
Enhancements Act of 2017, to increase the defensive measures
available for small businesses undergoing or concerned about a
cyber attack, and to incentivize additional information sharing
between the private sector and the federal government.
This bipartisan legislation seeks to safeguard small
business from cyber attacks in a few simple ways. First, the
bill establishes Small Business Development Centers, SBDCs, as
the primary liaison for federal information sharing for small
businesses. This bill also ensures that small businesses that
engage with SBDCs receive the same protections and exemptions
provided by the Cybersecurity Information Sharing Act, or CISA.
Further, this bill would ensure that any policies or
rulemaking adopted by any federal agency as a result of federal
information sharing does not unfairly burden small businesses.
It would also expand liability protections for small businesses
and engage with the federal government in good faith.
Ultimately, this legislation removes the barriers many small
business owners face when confronted with a cyber threat,
encouraging them to work with the federal government, not fear
it.
As I mentioned before, many cyber threats towards small
businesses come at the hands of foreign bad actors, sometimes
foreign governments, in an attempt to undermine the United
States' national security and economy. In fact, the Department
of Homeland Security recently published a public notice
exposing a vulnerability in a notable security camera company.
Hikvision, one of the top five largest manufacturers of
security cameras worldwide, is 42 percent owned by the Chinese
government, and in 2017, the Department of Homeland Security
learned that many of its cameras were able to be hacked and
remotely controlled. While Hikvision has worked with DHS to
remedy the flaw, the problem remains that many small businesses
that do not engage with the government or DHS regularly, and
that is probably the majority of them, may not be even aware of
the security flaw. Had the problem gone unnoticed, many small
businesses would not have known that they were vulnerable to
attack.
So we look forward to hearing from our witnesses here today
to learn more about how the federal government is working to
address these important problems, and further, what
preventative measures small businesses can use to protect
themselves from falling victim to cyber attacks.
And I would now like to yield to the Ranking Member, Ms.
Velazquez, for her opening statement.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
Ever since Russia used cyber attacks to influence the
outcome of our 2016 elections, cybersecurity has been thrust to
the forefront of national discussions. In today's world,
everything from editorial integrity, to national security, to
private sector trade secrets are at risk of cyber exploitation.
In recent years, cybercriminals have increasingly targeted
small businesses. Forty percent of all cyber attacks are
focused on companies with less than 500 employees. This may be
because only 14 percent of small businesses reported having in
place a plan for keeping their company cyber secure.
Among the most prolific users of cyber attacks are Chinese
and Russian companies. In particular, a Chinese company has
been documented to target American small businesses in order to
obtain backdoor access to trade secrets and national security
information.
As hackers and other bad actors, including foreign agents,
continue to evolve their cyber attacks, strengthening the
federal government's engagement with small firms is crucial.
The agencies we will hear from today are on the forefront of
that fight. The FBI, which is testifying today, has worked with
the Small Business Administration to develop InfoGard, a
collaborative effort to conduct regional workshops to counsel
small firms on cybersecurity. The Department of Homeland
Security, which is also represented in our panel, has created a
new effort requiring private companies pursuing government
contracts to be held to the same standards as the awarding
agency to strengthen cybersecurity.
While the goal of this effort is laudable, we must ensure
that small firms have the resources to meet new cybersecurity
requirements. To this end, I am proud to join the Chairman on
H.R. 4668, the Small Business Advanced Cybersecurity
Enhancements Act of 2017. This bill will establish a central
small business cybersecurity assistance unit coordinated by SBA
and federal agencies, including DHS. Furthermore, the act will
create a regional small business cybersecurity assistance unit
within each Small Business Development Center, or SBDC. This
will help to bring much needed hands-on cybersecurity training
to small firms across the country.
Today's hearing is an opportunity to learn more about the
government efforts, specifically DHS and the FBI, to assist
small businesses in the protection of themselves and the
government's national security.
So let me thank all of our witnesses for testifying today.
I would like to especially acknowledge the men and women
serving in all divisions of the FBI. We know that you do
extraordinary work under challenging circumstances and that
your agency, unfortunately, sometimes comes under political
fire. Now more than ever, we need skilled, impartial
professionals serving in the Bureau, and so we thank you for
the work that you and your colleagues do.
With that, let me thank all witnesses for being here today.
I look forward to today's hearing and I yield back the balance
of my time.
Chairman CHABOT. Thank you very much. The gentlelady yields
back.
Now I would like to explain very briefly relative to our
timing and things, and I would also say that if Committee
members have opening statements they can please submit them for
the record.
And we operate under the 5-minute rule here. Basically,
each of you gets 5 minutes to testify and then we get 5 minutes
to ask questions back and forth, Republican, Democrat.
There is a lighting system. The green light will be on for
4 minutes. The yellow light will be on for a minute to let you
know it is getting time to wrap up, and then the red light will
come on, and we would hope you could stay within those
parameters. We will give you a little leeway.
And I would now like to introduce our distinguished panel
here; small, but very distinguished.
Our first witness today is Mr. Howard Marshall. He has
served as Deputy Assistant Director of the Cyber Intelligence
Outreach and Support Branch at the FBI since August 2016. In
this role, Mr. Marshall works to identify and defeat cyber
threats targeting the United States through strategic
partnerships and intelligence coordination. Mr. Marshall began
his career with the FBI in 1997 and has held a variety of
positions both inside and outside of the Cyber Division. And we
thank you for being here today.
And our second witness will be Mr. Richard Driggers. Mr.
Driggers serves as the National Protection and Programs
Directorate Deputy Assistant Secretary for the Office of
Cybersecurity and Communications at the Department of Homeland
Security. And if that is not the longest title we have had in
this Committee ever, it is pretty close. And he is responsible
for developing and implementing operational programs to
strengthen the security of the nation's critical
infrastructure.
Mr. Driggers joined DHS in 2003, and most recently was the
Principal Deputy Director for Operations for the National
Cybersecurity and Communications Integration Center. He is also
a former United States Air Force combat controller. We thank
you very much for your service and for being here today, both
you gentlemen. We appreciate it.
And Mr. Marshall, you are recognized for 5 minutes.
STATEMENTS OF HOWARD MARSHALL, DEPUTY ASSISTANT DIRECTOR, CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION; RICHARD DIGGERS,
DEPUTY ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY AND
COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,
UNITED STATES DEPARTMENT OF HOMELAND SECURITY
STATEMENT OF HOWARD MARSHALL
Mr. MARSHALL. Chairman Chabot, Ranking Member Velazquez,
and members of the Committee.
Chairman CHABOT. And if you would not mind just pulling the
mic a little closer.
Mr. MARSHALL. Sure.
Chairman CHABOT. Make it easier for the folks out there to
hear. Thank you.
Mr. MARSHALL. Thank you for the invitation to provide
remarks on the FBI's role in helping small businesses defend
against cyber threats. We consider engagement with the private
sector to be a significant factor in our mission to identify,
pursue, and defeat nefarious cybercriminals and enemies of the
United States.
As the Committee is well aware, the growing number and
sophistication of cyber threats poses a critical risk to U.S.
businesses and the impact of a successful attack can be
devastating to small businesses in particular. We continue to
see an increase in the scale and scope of reporting on
malicious cyber activity that can be measured by the amount of
corporate data stolen or deleted, personally identifiable
information compromised, or remediation costs incurred by U.S.
victims.
Some of the more prevalent arising cyber threats to small
businesses from both domestic and foreign cyber actors include
business email compromise; ransomware; the criminal targeting
of data, including customer data, financial data, or
intellectual property; and the growing risk posed by
vulnerabilities of IOT devices, Internet of Things.
In light of these and other cyber threats to U.S.
businesses, the FBI has made private sector engagement a key
component of our strategy for combatting cyber threats.
Recognizing the ever-changing threat landscape, the FBI is
enhancing the way it communicates with private industry.
Traditionally, the Bureau has used information developed
through its investigations shared by intelligence community
partners or provided by other law enforcement agencies to
understand the threat posed by nation states and criminal
actors.
However, we are now also looking to integrate private
industry information into our intelligence cycle to enhance our
ability to identify, prioritize, and respond to both emerging
and ongoing threats. Private industry has unique insight into
their own networks and may have information as to why their
company or their sector may be an attractive target for
malicious cyber activity. Companies may also be able to share
intelligence on the types of attempted attacks they experience.
We believe it is important the FBI integrate this type of data
into its own intelligence cycle. This type of information
sharing enables us to provide more specific, actionable, and
timely information to our industry partners so they can protect
their systems in a proactive manner.
The FBI disseminates information regarding specific threats
to the private sector through various reporting mechanisms.
Public service announcements published by the Internet Crime
Complaint Center provide timely and practical information to
U.S. businesses and individuals on the latest threats of scams.
Private industry notifications, PINs, offer contextual
information about ongoing or emerging cyber threats and FBI
liaison alert system reports provide technical indicators
gleaned through investigations or intelligence. These
communication methods facilitate the sharing of information
with a broad audience or specific sector and are intended to
provide recipients with actionable intelligence to aid in
victim notifications, threat neutralization, and other
investigative efforts.
The FBI also believes it is critical to maintain strong
relationships with our private sector partners to allow for
successful responses to cyber attacks. One example of an
effective public-private relationship is the National Cyber
Forensic and Training Alliance, a nonprofit 501(c)(3)
corporation focused on identifying, mitigating, and
neutralizing cybercrime threats globally. Working hand-in-hand
with private industry, law enforcement, and academia, the
NCFTA's mission is to provide a neutral, trusted environment
that enable two-way information sharing, collaboration, and
training.
The NCFTA works directly with 136 member organizations from
the banking, retail, critical infrastructure, healthcare, and
government sectors. Their analysts have real-time access to FBI
agents, analysts, and the actionable intelligence they collect.
The FBI Cyber Division regularly coordinates initiatives for
engagement with private sector partners to prevent threats and
ultimately close intel gaps. In recent years, we have launched
public awareness campaigns or open houses to educate businesses
on serious cyber threats.
In 2016, the FBI collaborated with DHS, U.S. Secret
Service, Department of Health and Human Services, and the
National Council on Information Sharing and Analysis Centers to
host conferences and workshops at FBI and Secret Service field
offices across the country to educate businesses on the
ransomware threat. The FBI and Secret Service jointly hosted
these workshops in 14 key cities, targeting small, medium, and
large organizations. Over 5,700 individuals were briefed during
this campaign. Similarly, in 2017, the FBI collaborated with
DHS, Secret Service, and NCISACs to host workshops across the
country on business email compromise.
The Cyber Division engages directly with businesses in
other ways as well. We host or participate in briefings,
conferences, workshops, and other meetings providing strategic
level information to key executives throughout industry. These
briefings include both classified and unclassified discussions
regarding cyber threats. Over the past 5 years, the FBI Cyber
Division has completed nearly 2,800 such engagements, not
counting the many informal contacts and interactions we have
with businesses in our field offices on a regular basis.
When a small business has been victimized by a cybercrime
and reaches out to the FBI for assistance, we coordinate with
the individual business to determine the best course of action
to address the incident. The FBI's approach in working with
potential actual victims of cyber intrusions or attacks is to
first and foremost, and to the best of our ability, use our
processes to protect the victim from being revictimized. We at
the FBI appreciate the Committee's efforts in making cyber
threats to small businesses a focus and to committing to
improving how we can work together to better defend U.S.
businesses from cyber adversaries.
We thank you for the opportunity to speak about our cyber
outreach efforts. We look forward to discussing these issues in
greater detail and answering any questions you may have.
Chairman CHABOT. Thank you very much.
Mr. Driggers, you are recognized for 5 minutes.
STATEMENT OF RICHARD DRIGGERS
Mr. DRIGGERS. Chairman Chabot, Ranking Member Velazquez,
and members of the Committee, thank you for the opportunity to
discuss the ongoing efforts to enhance the cybersecurity of
America's small businesses.
The Department of Homeland Security serves a critical role
in safeguarding and securing cyberspace, which is a core
Homeland Security mission. At DHS, we assist with protecting
civilian federal government networks, share information related
to cybersecurity risks in an incident, and provide technical
assistance to federal agencies, as well as State and local
governments, international partners, and the private sector.
The Department of Homeland Security, the federal Bureau of
Investigation, the Small Business Administration, and other
interagency partners play a crucial role in helping small
businesses identify and mitigate cybersecurity risks.
Cyber threats remain one of the most significant strategic
risks for the United States, threatening the national security,
economic prosperity, and public health and safety. Global cyber
events or incidents such as the WannaCry ransomware incident
last May and the NotPetya malware incident in June are examples
of malicious actors leveraging cyberspace to create disruptive
effects and cause economic loss. We have also seen advanced
persistent threat actors target small businesses to leverage
their infrastructure and their relationships with larger
businesses to gain access to networks of major and high-value
assets that operate components of the Nation's critical
infrastructure. DHS has confidence that these threat actors are
actively pursuing their ultimate long-term campaign goals, and
DHS and the FBI remain ever-vigilant and active with incident
response and have published multiple joint technical alerts to
enable network defenders to identify and take action to reduce
exposure to malicious activity.
These incidents remind us that small businesses play a key
role in ensuring the security, reliability, and resilience of
the Nation's critical infrastructure and that small businesses
can be easy targets across a complex attack surface. This is
especially evident when analyzing cyber risk to many of our
Nation's supply chains. Critical infrastructure assets can be
small businesses themselves or may be dependent on small
businesses to provide essential services or materials. It is
essential that small businesses implement common cybersecurity
standards and practices to protect themselves and their
customers. Small businesses face the same threats as large
businesses, but do not necessarily have access to the same
resources. DHS is working with our interagency partners to
close this gap for cybersecurity information sharing, training,
as well as resources.
As the Committee knows, DHS and the U.S. Small Business
Administration have partnered to develop a strategy to help
small- and medium-size businesses enhance their cybersecurity
planning and risk management efforts. Small businesses are
diverse in size and complexity, with varying needs for
improving their cybersecurity posture. Because of this, it is
imperative that we work with Small Business Development Centers
across the country, as well as other information-sharing
organizations. The federal government offers a suite of
services and capabilities that can help small businesses
improve their cybersecurity. For some, it may be simple
training on cybersecurity beset practices or the implementation
of basic cyber hygiene. For others, it may be performing
complex vulnerability assessments to understand appropriate
mitigation steps based on their specific risk profile. DHS
offers a range of services to meet these needs and continues to
pursue new opportunities to provide assistance.
In developing the small business cybersecurity strategy
with the Small Business Administration, we have identified over
40 federal programs or initiatives that are helpful in
assisting small businesses raise awareness of their
cybersecurity posture. Some programs were created specifically
for small businesses, while others provide assistance across a
broader business community.
As our Nation continues to evolve and new threats emerge,
we must not only develop more effective methods to protect our
information systems, but also find more cost-effective and
efficient ways to increase public awareness and access to
cybersecurity resources. The Cybersecurity Act of 2015
established DHS as the federal government's central hub for the
automated sharing of cyber threat indicators and defensive
measures. Automated indicator sharing is part of the
Department's efforts to create an ecosystem in which as soon as
a company or federal agency observes malicious activity, the
indicator associated with that activity can be shared in real-
time at machine speed with all of our partners that are
leveraging DHS's automated indicator-sharing service. This
real-time sharing capability can limit the scalability of many
attacks and thereby increasing the cost for the adversaries, as
well as reducing the impact of malicious cyber activity. The
automated indicator-sharing service is a relatively new
capability, and we expect the volume of threat indicators
shared through this system to substantially increase as
technical standards, software, and hardware supporting the
system continues to be refined and more businesses sign up.
This approach to collective defense helps ensure that small-
and medium-size businesses are protected using the best cyber
defense available information.
Thank you for the opportunity to testify, and I look
forward to your questions.
Chairman CHABOT. Thank you very much.
And I will now recognize myself to open the questions. And
Mr. Driggers, I will start with you.
And I would like to begin with the Hikvision matter, and,
first of all, it is my understanding that the Chinese
government owned at least 40 percent of the company and maybe
up to 42 is the figure we have been getting. Is that correct?
Mr. DRIGGERS. Yeah, that is what I have been seeing in
reporting as well, sir.
Chairman CHABOT. Okay, thank you. And as I mentioned in my
opening statement, there is a real concern regarding
vulnerabilities in some of Hikvision's security cameras. I
understand that the weakness made cameras remotely exploitable,
and I also understand that when DHS became aware of the
security exposure there was an advisory notice from DHS's cyber
emergency response team and that Hikvision worked with DHS to
fix the problem.
My question is this, is it likely that some small
businesses could still be susceptible to this cybersecurity
flaw? And how is DHS working to inform small businesses that
they could be exposed to this risk?
Mr. DRIGGERS. So we publish our alerts on the US-CERT
website, so that is open to the web, so anybody can access
those. With access to this particular flaw, we did work with a
research community. We discovered the vulnerability. We worked
with the company and they put out a software update that
mitigated the impacts of this particular exploitation. That is
kind of standard practice that we do at the Department of
Homeland Security across many different companies' devices and
software, working to understand what vulnerabilities exist, and
working with the companies to publish updates to their software
so that we can close down and mitigate vulnerabilities.
Certainly, if there are small businesses that are using devices
and they are not patching those system or updating the
software, they could be exposed to the vulnerability if they
have not covered down on that particular update.
Chairman CHABOT. Okay, thank you.
Mr. Marshall, how do you determine whether a cyber attack
on a small business warrants FBI intervention? Is there a
monetary loss, threshold, or some other indicator to assess an
appropriate level of response and/or dedication of resources
from the FBI?
Mr. MARSHALL. There is no hard-and-fast rule, Mr. Chairman.
Generally, there are a number of variables we will look at. It
depends on the field office that has jurisdiction over the
particular attack. It depends on the prosecutorial discretion
of the U.S. Attorney's Office. Certainly, we are not going to
dedicate resources to something that may not be prosecuted. The
loss amount is certainly one of those things we would consider,
and it is a variable in terms of say a $100,000 loss in New
York City may not draw our attention or resources, it may not
get prosecuted, but a $100,000 loss in Louisville, Kentucky,
likely will. So there are a number of different factors.
We would also look at the attack vector, and if there was
any interest, we still maintain our counterintelligence
authorities and interest. We may look at it even though the
loss amount is low and maybe it is not going to get prosecuted
as a crime, but there are a number of different variables that
would lead someone to make that determination.
Chairman CHABOT. Okay, thank you.
Mr. Driggers, let me go back to you. Does the Department of
Homeland Security, or the FBI for that matter, leverage the
Small Business Development Centers to assist small businesses
in identifying and mitigating cybersecurity risks? And how
effective has that partnership been if you do do that?
Mr. DRIGGERS. So we certainly work with many different
information-sharing organizations, the Small Business
Development Centers being one of those. Whether or not the
Small Business Development Center itself has the technical
acumen and the subject matter expertise to actually assist us
with the particular support that we are providing a small
business, that depends, but we certainly--I do not want to say
100 percent of the time we work through the Small Business
Development Center, but if the small business is engaged with a
Small Business Development Center and that is the way they want
to engage the government, we would certainly go that route.
Chairman CHABOT. Okay. Thank you. And I have time for about
one more question so I will go back to you, Mr. Marshall.
What steps are being taken by the FBI, and also by DHS, to
guarantee that small businesses' personal information and IT
data is protected? Are there any efforts to ensure that their
information cannot be used against them in the future by some
bad actors?
Mr. MARSHALL. Well, certainly, we would treat any
information that we would come across through the course of
investigation as evidence. And so it would absolutely get that
protection from us. Our first and foremost responsibility when
we respond to a scene is to pursue a criminal investigation. So
we are not interested in collaborating necessarily with any
regulatory agency. Certainly, we do not disseminate it to
anyone else not directly involved in the investigation.
Chairman CHABOT. Okay. My time is expired, but let me just
go real quick.
I assume DHS has policies in place to make sure that their
personal information that they have is protected so it is not
getting in the wrong hands. Is that correct, Mr. Driggers?
Mr. DRIGGERS. That is correct. We have a couple different
information sharing handling caveats that we use, or handling
processes that we use. We use a traffic light protocol, which
is an international standard for safeguarding information. And
we also use our liability coverage protections that we got with
the Cybersecurity Information Sharing Act of 2015.
Chairman CHABOT. Okay. I thank both of you. My time is
expired.
The Ranking Member is recognized for 5 minutes.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
I would like to address this question to both of you.
Based on your knowledge of and interaction with small
firms, what is your opinion of the general state of small
business cybersecurity? And is the federal government doing
enough to help them and your agencies to improve it?
Mr. MARSHALL. I would tell you that they are underprepared.
Even in the biggest firms, cybersecurity is oftentimes
considered a cost center and the general thought process is
that it is not necessarily the cost of doing business. So even
in your bigger firms, cybersecurity is usually not something
that is being considered. So as you go down the pecking order
in terms of size when it comes to business ventures, when you
get down to small businesses, I would tell you they are
underprepared.
Ms. VELAZQUEZ. Thank you.
Yes, sir?
Mr. DRIGGERS. I would agree with Mr. Marshall. I would also
say that each individual business needs to take a look at their
risk profile. Not all businesses need the same cybersecurity
posture. Cybersecurity mitigation and systems can be extremely
costly so, you know, depending on what type of small business
you are, the type of data you are holding, the services,
whether you belong to a critical supply chain, you need to look
at all of those factors in determining what types of security,
cybersecurity mitigation steps you need to put in place.
Ms. VELAZQUEZ. Thank you.
Mr. Marshall, information sharing between the government
and the private sector is critical to reducing national
security breaches and cybercrime against Americans. Can you
tell us how preventive information sharing is more effective
for small firms from solely a cost perspective and how it
assists the FBI in its role fighting cyber attacks?
Mr. MARSHALL. So to Mr. Driggers' point, not everybody has
the same set of concerns. Not everybody is established or
created a security posture that is forward leaning enough. So
the hope is that the information we provide to them, whether it
is indicators of compromise or a general awareness message
about good cyber hygiene, the hope is that they can drill down
and focus and spend whatever resources they are willing to
commit to cybersecurity on those things. If we can provide them
with IP addresses that they can block at their firewall, that
is certainly more than what they would have had had we not
provided information of that nature. We think it is absolutely
critical to get the message out as far and wide as possible on
the prevention side. Certainly, the fewer of these we have to
investigate the better, obviously, but the more information we
can provide the better. And we do tend to try to over
communicate. Certainly, there are things that cannot be
released because they are classified, either because of the way
they were collected or what they are telling us about the
adversary, but to the degree that we can declassify and push
that information out we do, and we do it as quickly as
possible.
Ms. VELAZQUEZ. So Mr. Driggers, we have 28 million small
businesses in our country and knowledge is power. So if they
are not aware of the threats in terms of cybersecurity attacks,
they will not take any preventive measures. How can the federal
government work in a way that raises awareness, especially for
those small contractors that are doing business within the
federal marketplace?
Mr. DRIGGERS. So I think that information sharing really
underpins all the services and capabilities that we have at DHS
with our cybersecurity programs. It is foundational to getting
as much information out as we can, whether that is highly
technical data and providing some context around that; or
whether it is threat information or things like that, getting
stuff declassified as much as we possibly can; or whether that
is sharing machine-to-machine or just putting stuff out on our
website or working with the FBI or these other information-
sharing organizations, such as the ISACs or the ISAOs, Small
Business Development Centers.
We also, obviously, work very closely under the National
Infrastructure Protection Partnership model with the Sector
Coordinating Councils. And so I think it is important to raise
the awareness. We certainly need to do that. We need to use all
available resources to do that and to get the information out
as much as we possibly can.
Those organizations or those small businesses that are part
of the supply chain, we are certainly sharing information with
those individuals. Awareness is an issue. One of the objectives
that you will see when we publish the small business strategy
is a consolidation of resources and dedicated resources to do
this outreach to the small business community to make sure that
they understand what programs are available to assist them with
their cybersecurity posture.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
Chairman CHABOT. The gentlelady's time is expired.
The gentleman from Kentucky, Mr. Comer, is recognized for 5
minutes.
Mr. COMER. Thank you, Mr. Chairman.
My first question for either witness, can you all walk me
through your agency's protocol for responding to cyber threat
indicators or reports of a cyber attack from a small business?
In other words, what information do you need and how do you get
the information?
Mr. MARSHALL. Sure. So we would get the information to our
field offices one of two ways. Hopefully, there is an ongoing
established relationship with the victim, either they are a
member of InfoGard or some other group that has allowed us to
create that relationship. If not, they tend to go through IC3
and report it there and then it is pushed to the appropriate
field office. We would then have probably the cyber program
coordinator in that field office make an assessment of what was
written and then make contact, depending, again, depending upon
the size of the breach, what was reported initially. If it is
big enough, there would be probably coordination at the federal
level here in Washington, D.C., but with field offices in 56
different locations, that would generically be how it would
come to us. Then we would make an assessment probably through a
phone call with the victim or somebody representing the victim
whether or not to send resources and actually start opening
investigation and start that process.
Mr. COMER. Many small businesses do not have preventive
procedures in place to thwart a cyber attack before it happens.
What do you suggest small businesses do to safeguard themselves
against potential threats?
Mr. MARSHALL. Well, there are a number of things they can
do, and I would suspect the best thing they could do is elevate
the necessity for cybersecurity within their own organizations.
Hire capable, competent people to help protect data. Create a
culture within the organization that promotes security. It has
got to be something you do every day. It cannot be done after
the fact. So that would be my advice, is they need to be
thinking about it on the front end.
Mr. DRIGGERS. I think there are some basic things that
really all businesses can do. And some of these basic things
individuals can do at home as well. You know, the bottom line
is that an adversary is going to use the least cost tactic to
get into a network, and so any time you can raise your security
posture by doing simple basic things, they are going to bypass
you and move on to the next target that may be more available
so that they do not have to spend as many resources.
Certainly, backing up critical data is important for small
businesses, particularly those that are holding a lot of
sensitive, personal information about their customers'
protecting their mobile devices, making sure that there is the
ability to track, lock, as well as wipe any device that could
be stolen or lost; protecting your organization against malware
by making sure that you have a good patching schedule for
software updates. A lot of companies that produce software and
produce devices on a regular basis also produce security
updates or software updates to those, and so it is important
that you take advantage of that and you update your software,
as well as protecting your data with passwords, two-factor
authentication, changing default passwords on devices. These
default passwords are available on the web, so it is important
when you buy a new device that you change the default passwords
on those. And I think some simple training for your employees
about phishing attacks and the fact that those exist. That is a
very low-tech, easy way for adversaries to get into networks.
So doing that training for your employees is pretty low cost,
and I think there is training available on the web for that.
Mr. COMER. Thank you, Mr. Chairman. I yield back.
Chairman CHABOT. The gentleman yields back.
The gentleman from South Carolina, Mr. Norman, is
recognized for 5 minutes.
Mr. NORMAN. Thank you, Mr. Chairman.
I live in a rural district. A lot of small businesses. What
would you say that the FBI, DHS could do to, I guess, avert the
threat that they have? And secondly, to get people to talk
about it. A lot of these firms will not talk about it because
it is, for whatever reason, it is embarrassing. Either Mr.
Driggers or Mr. Marshall, how would you respond to that?
Mr. DRIGGERS. Well, I think with regard to talking about
it, I mean, that is an issue. Talking about it publicly could
be an issue for a particular company. But what we want them to
do is call the FBI or call the Department of Homeland Security,
the National Cybersecurity and Communications Integration
Center, so that we can take the steps necessary to help
mitigate whatever incident happened, so that we can provide
assistance to the impacted victim, and I think, even more
importantly, learn what happened, develop analysis, and develop
indicators so that we can share that more broadly so that other
cyber network defenders can take advantage of the information.
That said, when we do that we anonymize the information. We
protect the identity of the victim through those information-
sharing protocols that I talked about earlier.
Mr. MARSHALL. I would further that by saying maybe a better
understanding of the fact that when you are a victim, we are
going to continue to treat you as a victim. This is not a
``gotcha game.'' This is not a, hey, we are going to run and
tell a regulator or a State regulator that you were not
properly prepared or defensed against these type of attacks. I
understand the stigma to a degree because who wants to do
business with someone that cannot protect their data? And you
see that in small firms, and you see it in big firms, too. But
what it will take to get over that stigma, I am not entirely
sure.
We push the message repeatedly that, to Mr. Driggers'
point, please call us. We certainly cannot do anything if we
are not aware of it. But beyond that, pushing the message of
better cybersecurity is probably all we can do.
Mr. NORMAN. What is your opinion? DHS oversees the National
Cybersecurity and Communications Integration Center, which
basically encourages the public and private sectors to swap
information. Is this reliable? Is it worth the money? What is
your take on that?
Mr. DRIGGERS. So it is absolutely reliable, and it has
allowed us to, quite frankly, thwart many attacks to the
analysis that we have done and the indicator sharing that we
have pushed out either through our Automated Indicator Sharing
System, which is, as I said in my opening statement, is a
machine-to-machine, near real-time, as well as just publishing
technical alerts with the technical information in there so
that cyber network defenders can also take advantage of that,
that are not necessarily leveraging that automated system. A
lot of these technical alerts, the analysis is done at the
National Cybersecurity and Communications Integration Center,
but it is representative of whole government. So there is a lot
of different interagency partners that are there to include the
intelligence community as well as the FBI.
Mr. NORMAN. I yield back, Mr. Chairman.
Chairman CHABOT. The gentleman yields back.
The gentleman from Florida, Mr. Lawson, who is the Ranking
Member of the Subcommittee on Health and Technology, is
recognized for 5 minutes.
Mr. LAWSON. Thank you very much, Mr. Chairman. And welcome
to the Committee.
And you all may already be aware of H.R. 4668 introduced by
the chair here. Can you describe what challenges exist in the
cybersecurity sphere as it relates to small business? How this
bill may help to alleviate those challenges?
Mr. DRIGGERS. I certainly think the focus on small
businesses and, quite frankly, I appreciate the Committee and
the Chairman's focus on small businesses, particularly with
regard to their cybersecurity. I think that putting more focus,
making sure that we are attentive to the small business
community and make sure that they are aware that there are
resources that exist in the federal government that can help
them and assist them with their cybersecurity activities and
posture, that there are organizations like the 56 field offices
that Mr. Marshall talked about, as well as the National
Cybersecurity Communications Integration Center, that those
organizations exist to provide assistance, to protect your
information, to protect your identity. But the bottom line is
we exist to support your efforts.
That said, we also want to work with the various different
information-sharing organizations that are existing. The
private sector has self-organized to create information-sharing
and analysis centers, information-sharing and analysis
organizations, the Small Business Development Centers. And we
want to certainly work with them and through them to make sure
that we are raising awareness about the various different
programs that the federal government has to offer.
Mr. LAWSON. Okay. Mr. Marshall, do you want to comment?
Mr. MARSHALL. Anything that promotes cybersecurity would be
beneficial. I referenced the NCFTA in my opening remarks. The
original was opened in Pittsburgh, Pennsylvania, several years
ago. It was wildly successful. It includes some smaller
businesses, but we are expanding into New York. We are
expanding into Los Angeles. And that model is one that we think
is very effective.
Mr. LAWSON. Okay. When the question was asked earlier about
small businesses in rural areas, how can these really small
businesses--you know, I have a lot of rural areas back in my
district. What incentives can you give to these ``mom-and-pop''
operations to really share cybersecurity data, and what do they
get? What kind of cybersecurity will they inherit? You know,
they are just a small-time operation.
Mr. MARSHALL. Hopefully, what they get, and we touched on
this a little bit earlier, what they get are indicators of
compromise and things that they can do quickly, cheaply, and
effectively to try to stop some of the potential attacks
against them. I do not know that they give up much more than
their time to participate in things like InfraGard or even the
business email compromise open houses or the ransomware open
houses.
What they get is a better understanding of how the threat
impacts them. A lot of these small businesses do not even know
what business email compromise is. They probably do not know
what phishing is. They probably do not know what ransomware is.
So just the hour that it would take to attend a meeting in
an FBI field office or Secret Service field office to better
understand the threat and get those things, as Mr. Driggers
referred to, those things that will help them focus what they
can invest on cybersecurity. They can really drill down and
make sure that they are doing that very well. It will not stop
everything, but to the point made earlier, if it makes you a
less attractive target, then it is worth its investment in
time.
Mr. LAWSON. The incentives to you, Mr. Driggers, that you
might use is that they will grasp anything that they think is
going to be harmful to their business operations, so how do you
approach them?
Mr. DRIGGERS. Well, we approach them with the protections
that we afford them, that we were given the authority for, to
offer liability protection for information that they share with
us. And I will tell you that just from a cultural perspective
within DHS, particularly within the National Cybersecurity and
Communications Integration Center that we call the NCCIC,
protecting the identity of a victim underpins all the services
and programs and the Information Sharing Protocols that we
have. So you can rest assured, if you are going to share
information with the NCCIC, that we are going to protect the
identity of you. So there is a protection there, as well as a
liability protection.
But to Mr. Marshall's point, just raising awareness,
understanding that these types of threats are out there or
these types of risk are out there, and doing some of the basic,
very low-cost things that I kind of laid out before with regard
to patching your networks, training your staff on email or on
phishing attacks. You know, making sure that you have a simple
policy in place that, you know, if there is a network email
password that one employee has one password, that type of a
thing, so you do not share passwords.
Mr. LAWSON. Okay. Thank you, Mr. Chairman. I yield back.
Chairman CHABOT. Thank you. The gentleman's time is
expired.
The gentlelady from American Samoa, Mrs. Radewagen, who is
the Chairman of the Subcommittee on Health and Technology, is
recognized for 5 minutes.
Mrs. RADEWAGEN. Talofa and good morning. And I want to
thank the Chairman for holding this hearing on this important
issue.
As the Chairman of the Health and Technology Subcommittee,
cybersecurity is something I care about deeply, and I want to
thank you, Mr. Marshall and Mr. Driggers, for testifying before
us today. Now, you gentlemen have already answered my first
question, and I thank you for that.
My second issue is with foreign cyber threats, especially
Chinese are out in our neck of the woods. The Chinese are
making massive inroads with my neighbors in the South Pacific.
And Mr. Marshall, what steps is the FBI taking to safeguard
against sophisticated, state-backed cyber attackers?
Furthermore, and this may be outside of the scope of this
hearing, is there any technical assistance the United States
may be able to provide for my neighbors who do not have the
ability to counter these threats?
Mr. MARSHALL. I am not quite sure exactly which neighbors
you are referring to. We get a tremendous amount of assistance
from the NSA, from the agency. We certainly partner regularly
with DHS. But we have a tremendous amount of technical
assistance that helps us identify those threats and assess
their intelligence value, and then come up with a comprehensive
strategy to either mitigate them or monitor them.
Mrs. RADEWAGEN. My home district is American Samoa, as you
may know, and so my neighbors are the Independent Nation of
Samoa, Fiji, Tonga, and that part of the Pacific.
Mr. MARSHALL. We have a very good friend not that far away
in Australia, and we do a lot of collaborative work with our
Five Eye partners, of which they are one.
Mrs. RADEWAGEN. Thank you very much. I yield back the
balance of my time, Mr. Chairman.
Chairman CHABOT. Thank you very much. The gentlelady yields
back.
The gentleman from Iowa, Mr. Blum, who is Chairman of the
Subcommittee on Agriculture, Energy, and Trade, is recognized
for 5 minutes.
Mr. BLUM. Thank you, Chairman Chabot. And thank you to our
panelists today for being here.
First question, kind of broad, I know, but how bad is this
problem? I am a small businessman. I go back to my district and
I talk to small business people every week and, you know, I can
say, oh, you know, hey, cyber hacking, it is a big problem. It
is a big deal. I do not think they really believe me. I mean,
how bad is this problem? How can we quantify this? Is it
getting better? Getting worse?
Mr. MARSHALL. Well, it is definitely getting worse.
Mr. BLUM. As evidenced by what?
Mr. MARSHALL. It is bad and getting worse. The number of
cases that are referred for investigation. The number of
attacks that are thwarted that we know that have been
prevented. All of these numbers indicate a rise.
Mr. BLUM. A rise is a 2 percent rise? It has doubled? What
kind of increase are we talking about?
Mr. MARSHALL. So if you wanted to narrow the question just
a little bit further to look at something like business email
compromise or ransomware, we are talking about in the
neighborhood of 40 to 50 percent growth year over year. I do
not have the exact numbers in front of me. Now, our hope is
certainly that we can begin to do things as technology evolves
and gives us other investigative opportunities that maybe we
can figure out what the private sector had or maybe tamp some
of these down. Indeed, I think that is happening.
Mr. BLUM. Is organized crime involved in this at all?
Mr. MARSHALL. Certainly, they are involved in it. I would
say there are organized criminals around the world that have
figured out how to branch into the cyberspace.
Mr. BLUM. I guess I do not mean organized criminals. I
mean, organized crime, as in the Mafia and drug cartels and
organizations like that?
Mr. MARSHALL. Yes. And you would be surprised at the areas
in which they are looking. You mentioned drug cartels. If you
were able to penetrate someone's air traffic system to
determine or identify U.S. surveillance planes, would you be
better or worse off? Things of that nature. Places where you
would not normally expect to see.
Mr. BLUM. You bring that up. I fly 130 times a year, so I
do care. I assume our air traffic control system is
unbelievably secure. Not that it could not happen, but.
Mr. MARSHALL. It is, but it is not the only technology out
there that helps monitor what is in the sky. And I use that
just as an example. Can you monitor activity along the border--
this may be a question better for you than for me--through
introducing on somebody's network? Yes, you probably can. Would
that be information that a drug cartel would be interested in?
Sure, it would. So the answer to your question is yes.
Mr. BLUM. I assume some of these operations are relatively
sophisticated?
Mr. MARSHALL. Yes.
Mr. BLUM. And maybe this would be a question for you, Mr.
Driggers, Homeland Security. Are more of the cyber hackers
domestic or are they foreign? And are they individuals or are
they countries?
Mr. DRIGGERS. So I do not have the specific details as to
whether they are foreign or domestic, or whether they are
individuals or they are nation states. Certainly, we can make
the assumption that all of those categories of adversary are
working hard every day. They are certainly getting more
sophisticated and they are getting more persistent, and we have
seen that over the past at least 3 or 4 years.
But I also want to preference, particularly with the small
business, it does not take sophistication to exploit a
vulnerability in a small business. And I think all small
businesses need to assume that they have some type of
vulnerability that exists within their networks or the devices
that they are using. And so it is really important that,
because a lot of small businesses do not have the resources to
really put in place very sophisticated cyber defense
mechanisms, but they do have the resources to do the low-cost
things that I talked about, and I think that that should be the
focus and the awareness that we are talking about. We need to
make sure that they are doing the basics with regard to
cybersecurity hygiene, training their staff, and that they know
who to call if there is a particular issue.
Mr. BLUM. I have often heard that warfare of the future
will not be about bullets and bombs; it will be about bits and
bytes. So this is a war. Are we winning the war or are we
losing the war?
Mr. MARSHALL. As it pertains to the general public becoming
more cybersecurity aware, I would say we are losing. Again,
security is one of the last things people consider. Whether you
are a small businessman or whether you are pulling a laptop out
of its box for the first time when you set it up at home, these
are just not things that we have been trained to think about.
So in that regard I would say we are probably losing.
Mr. BLUM. Mr. Driggers, are we winning the war or are we
losing the war?
Mr. DRIGGERS. So I will answer the same way Mr. Marshall
did. I think if we look at the large businesses, particularly
those that are designated as nationally critical
infrastructure, and those from a risk profile that the
Department of Homeland Security, you know, on a day-to-day
basis interacts with, I think that they have certainly raised
their game. But I think that there is a huge chasm between
those individual businesses and the ones that are medium and
small size.
Mr. BLUM. Thank you, gentlemen, and I yield back the time I
do not have. Thank you.
Chairman CHABOT. Okay. The gentleman yields back.
And I just have one final question. When we have been
discussing malware, just for those that may be watching at home
or may see the transcript of this or whatever, we are
essentially talking about your computer, your files,
photographs, documents being seized by some criminal element or
blackmailer or something that says I have got them now. I am
not releasing this. I am not going to let you have access to
your own computer unless you pay me X amount of money within a
certain amount of time. And I guess that can happen to
individuals on their home computer, or this is a Small Business
Committee, so we are obviously most directly trying to help
small businesses across the country. It can happen to anybody,
but that is what we are talking about. Correct? I see you are
both nodding.
If that should happen to a citizen or a small business,
what should he or she do at that point? And either one of you
or both of you, if you would like to.
Mr. MARSHALL. So the Bureau does not have an official
position. What you are referring to is ransomware. The Bureau
does not have an official position as to whether or not a
victim of ransomware should, in fact, pay the ransom in order
to get their data back. We have discussed a couple times that
the important thing is to back up your data consistently so
when this happens you can just ignore the request for ransom.
One of the things we would ask victims to consider is the
fact that, one, they are being attacked by a criminal, so the
promise of returning your data after payment should be
considered by the person making the demand. The other thing is
a lot of the malware variants now are locking data permanently.
And you can pay a ransom, you can pay 100 times the ransom,
there is no technical way to unlock our data.
So there is no formal advice. Different companies, big and
small, have different types of responses to this, but we would
ask that people consider the fact that a criminal is the one
that is making the demand.
Chairman CHABOT. And I misspoke. I meant to say ransomware
when I said malware, but it is a form of that.
Mr. Driggers, anything?
Mr. DRIGGERS. I would agree with Mr. Marshall. We do not
necessarily have an official position. The individual business
needs to make their own risk determination as to whether or not
what action they take in terms of responses to some type of
ransomware attack.
Chairman CHABOT. Thank you very much.
The gentleman from New York, Mr. Espaillat, is recognized
for 5 minutes.
Mr. ESPAILLAT. Thank you, Chairman.
Mr. Marshall, the FBI's Cyber Division addresses a wide
variety of issues, including nontraditional forms of
cybercrimes. What is the most common form of cyber attack your
division encounters? Is it different from small business
complaints that you process on a regular basis? Are businesses
coming forward as well?
Mr. MARSHALL. Sure. I would tell you the most frequent
attack vector is spear phishing. It happens repeatedly, over
and over and over again, and we have talked about the amount of
money it costs to have good cybersecurity and cyber hygiene.
The bottom line is if somebody can send out 10 million emails,
it just takes one employee not paying attention to click on it
to thwart your multimillion investment in cybersecurity. I will
not go down the laundry list of breaches that we have had in
the last year, but I think a lot of them have that component in
common. And I do not have an exact number for you, but a vast
majority of them are through a spear phish campaign.
Mr. ESPAILLAT. Okay. And Mr. Driggers, the Obama
administration made efforts to increase cybersecurity by
creating a federal privacy panel and creating sanctions to
block those that pose a significant threat. How are these
efforts beneficial to small businesses? And what more remains
to be done in this particular area?
Mr. DRIGGERS. Well, Congressman, I do not have a lot of
details on the panel. I can certainly take that back and get
the information and respond to you.
Mr. ESPAILLAT. And finally, I will ask both of you. I have
had several discussions with experts regarding cybersecurity in
general, and they have told me that basically, if somebody
wants to hack you, if they are really intent on doing this,
there is basically very little we can do about it. They can
penetrate eventually at some point or another. Is that the
case? Are we at the mercy of these hackers? And is there
anything we can do to prevent it? I mean, America should not be
at the mercy of folks that may have an intent to do something
and cannot be stopped. Is there anything that we can do to stop
this?
Mr. MARSHALL. If the question is, is there a magic bullet
or a silver bullet that will put an end to this, the answer is
no. There are things that you can do, an escalating series of
things you can do to try to avoid becoming a victim, everything
from simple awareness and then a ``Do not click this email''
campaign, all the way up to the most sophisticated technical,
advanced technical protections and defenses that include
encryption and routine backups. It depends upon what kind of
money you are willing to spend, but I do not believe that there
is a magic bullet that will just make this problem go away.
Mr. ESPAILLAT. Thank you, Mr. Chairman. I yield my time.
Chairman CHABOT. Thank you. The gentleman yields back.
As the hearing comes to a close, we want to again thank our
witnesses here this morning for, and now right after this
afternoon as well, for being here and going over one of the
topics that this Committee considers to be one of the chief
challenges that small businesses face across the country. And
we appreciate the information that you have given us.
We also appreciate, the chair appreciates working with the
Ranking Member on legislation, H.R. 4668 as it moves forward.
I would ask unanimous consent that members have 5
legislative days to submit statements and supporting materials
for the record.
Without objection, so ordered.
And if there is no further business to come before the
Committee, we are adjourned. Thank you very much.
[Whereupon, at 12:04 p.m., the Committee was adjourned.]
A P P E N D I X
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]