[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

IDENTITY VERIFICATION IN A POST-BREACH WORLD
=======================================================================

HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES

ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

NOVEMBER 30, 2017

Serial No. 115-83

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
28-714 PDF                        WASHINGTON : 2018

COMMITTEE ON ENERGY AND COMMERCE

GREG WALDEN, Oregon, Chairman

JOE BARTON, Texas, Vice Chairman
FRED UPTON, Michigan
JOHN SHIMKUS, Illinois
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina

FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
RAUL RUIZ, California
SCOTT H. PETERS, California
DEBBIE DINGELL, Michigan

Subcommittee on Oversight and Investigations

VACANCY, Chairman
H. MORGAN GRIFFITH, Virginia, Vice Chairman
JOE BARTON, Texas
MICHAEL C. BURGESS, Texas
SUSAN W. BROOKS, Indiana
CHRIS COLLINS, New York
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
GREG WALDEN, Oregon (ex officio)

DIANA DeGETTE, Colorado, Ranking Member
JANICE D. SCHAKOWSKY, Illinois
KATHY CASTOR, Florida
PAUL TONKO, New York
YVETTE D. CLARKE, New York
RAUL RUIZ, California
SCOTT H. PETERS, California
FRANK PALLONE, Jr., New Jersey (ex officio)

C O N T E N T S

                                                                   Page
Hon. H. Morgan Griffith, a Representative in Congress from the Commonwealth of Virginia, opening statement .... 2
    Prepared statement .... 3
Hon. Kathy Castor, a Representative in Congress from the State of Florida, opening statement .... 4
Hon. Greg Walden, a Representative in Congress from the State of Oregon, opening statement .... 5
    Prepared statement .... 7
Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, opening statement .... 8
    Prepared statement .... 9

Witnesses

Troy Hunt, Information Security Author and Instructor, Pluralsight .... 11
    Prepared statement .... 13
    Answers to submitted questions .... 99
Jeremy Grant, Managing Director, Technology Business Strategy, Venable, LLP .... 25
    Prepared statement .... 28
    Answers to submitted questions .... 102
Edmund Mierzwinski, Consumer Program Director, U.S. PIRG .... 47
    Prepared statement .... 49

Submitted Material

Subcommittee memorandum .... 95

IDENTITY VERIFICATION IN A POST-BREACH WORLD

THURSDAY, NOVEMBER 30, 2017

House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.

The subcommittee met, pursuant to call, at 10:15 a.m., in room 2322, Rayburn House Office Building, Hon. H. Morgan Griffith (vice chairman of the subcommittee) presiding.

Members present: Representatives Griffith, Brooks, Collins, Walberg, Costello, Carter, Walden (ex officio), Schakowsky, Castor, Tonko, Clarke, Ruiz, and Pallone (ex officio).

Staff present: Jennifer Barblan, Chief Counsel, Oversight and Investigations; Samantha Bopp, Staff Assistant; Adam Fromm, Director of Outreach and Coalitions; Ali Fulling, Legislative Clerk, Oversight and Investigations, Digital Commerce and Consumer Protection; Elena Hernandez, Press Secretary; Paul Jackson, Professional Staff Member, Digital Commerce and Consumer Protection; Bijan Koohmaraie, Counsel, Digital Commerce and Consumer Protection; Alex Miller, Video Production Aide and Press Assistant; John Ohly, Professional Staff Member, Oversight and Investigations; Hamlin Wade, Special Advisor for External Affairs; Jessica Wilkerson, Professional Staff Member, Oversight and Investigations; Greg Zerzan, Counsel, Digital Commerce and Consumer Protection; Julie Babayan, Minority Counsel; Jeff Carroll, Minority Staff Director; Chris Knauer, Minority Oversight Staff Director; Miles Lichtman, Minority Policy Analyst; Dino Papanastasiou, Minority GAO Detailee; and C.J. Young, Minority Press Secretary.

Mr. Griffith. We will go ahead and get started. Welcome to this meeting of the O&I Subcommittee of Energy and Commerce.
So that everybody knows, there are a lot of folks who are at another hearing downstairs and will be drifting in and out.

Also, I would like to take a point of personal privilege and recognize Allie Gilmer and Olivia Smoot, who are here visiting today from my district at Auburn High School in Riner, Virginia. They are too young to remember this but I started representing the Riner area in 1994 in the State legislature. So it's good to have you.

Ms. Castor. Do you want to stand up?

Mr. Griffith. Yes, stand up. Be recognized. Thank you. Thank you again. Welcome. Glad you're here with us today.

That being said, let's get started with our business here today, and other folks will join us as we go forward on this very important issue.

OPENING STATEMENT OF HON. H. MORGAN GRIFFITH, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF VIRGINIA

We are here today to talk about a very important topic: identity verification in a post-breach world. This hearing is especially timely, given several events that have taken place since the hearing itself was announced last week, including three newly discovered data breaches that compromised an additional 58.7 million records as well as two major shopping days--Black Friday and Cyber Monday. With consumers rushing to take advantage of holiday sales both in stores and online, the questions and challenges around modern identity verification become even more pressing.

Data breaches have been increasingly--have been an increasing problem over the last several years. In fact, it is likely that everyone in this room has had their information included in a recent breach. Between the 57 million accounts compromised in Uber's recently disclosed 2016 breach, the 145 million accounts compromised in Equifax's breach, or the 22 million accounts compromised in the OPM breach, as well as many others, I would argue that it would be difficult to find an American whose information has not been compromised.
While these breaches themselves are troubling enough, they also raise a subtle, more complicated series of questions and issues around the ways in which organizations including government agencies, banks, health care organizations, and retail companies perform identity verification of their citizens and their customers.

It is a well understood concept that, to quote the famous cartoon on the internet, nobody knows you're a dog when you're on the internet. This anonymity has many advantages and it is important to many aspects of the modern internet. However, as the global economy has become more and more digital and an increasing amount of commerce takes place online, it also creates significant challenges for organizations attempting to ensure that they provide information and services only to authorized individuals. Because these interactions usually take place on opposite ends of an internet connection with participants rarely if ever meeting face to face, the ability of organizations to remotely verify individuals has been a constant struggle.

As a result, for years many organizations have relied on a type of identity verification known as knowledge-based authentication, or KBA. We are all familiar with this process even if we don't quite know it. For example, some online accounts ask consumers to provide answers to security questions such as their mother's maiden name, the make and model of their first car, or the street on which they grew up. Similarly, when consumers attempt to open new credit lines, they are often asked a series of multiple-choice questions that may ask who provided a consumer a loan and in what year. These are all examples of KBA.

The effectiveness of KBA depends on a very important assumption--that information such as birthdays, mothers' maiden names, addresses, work histories and other KBA attributes remain relatively secret. In today's post-breach world, this is a tenuous assumption.
Add the wealth of personal information consumers voluntarily share about their lives through social media and this assumption appears almost laughable.

So what do we do? If modern commerce and many other services including government services rely on KBA for identity verification and that verification is no longer as secure or reliable as it was in the past, we need new strategies and new technologies to ensure that consumers are protected and economic growth continues and we need them quickly. With the exponential growth of connected devices and services, it is likely that we will see more data breaches more often, not less.

Luckily, we are not starting from scratch. In the public sector, the National Institute for Standards in Technology--NIST--spent the past several years developing strategies and frameworks for identity verification under their Trusted Identities Group--TIG. As a part of this work, NIST's TIG has provided funding to pilot programs looking to develop, implement, and leverage innovative new technologies that move organizations beyond KBA.

Similarly, in the private sector, many companies and organizations from a wide variety of sectors have come together to create the Fast Identities Online, or FIDO, Alliance. The FIDO Alliance provides a forum for collaboration and cooperation around the development of standards-based interoperable technologies. These standards are freely available and already deployed in the products of companies like Google and PayPal.

Our witnesses today will not only help us understand the cumulative impact of the dozens of data breaches that have occurred in recent years but also assess how current practices can and should be improved to protect consumers and their information after it has been breached.

Today's hearing is the start of what I expect will be a much longer conversation. But it's a necessary conversation to have as our world becomes ever more connected.
Identity verification is a challenge that will only continue to grow.

[The prepared statement of Mr. Griffith follows:]

Prepared statement of Hon. H. Morgan Griffith

We are here today to talk about a very important topic: identity verification in a post-breach world. This hearing is especially timely given several events that have taken place since the hearing itself was announced last week, including three newly disclosed data breaches that compromised an additional 58.7 million records, as well as two major shopping days, Black Friday and Cyber Monday. With consumers rushing to take advantage of holiday sales, both in stores and online, the questions and challenges around modern identity verification become even more pressing.

Data breaches have been an increasing problem over the last several years. In fact, it is likely that everyone in this room has had their information included in a recent breach. Between the 57 million accounts compromised in Uber's recently disclosed 2016 breach, the 145 million accounts compromised in Equifax's breach, or the 22 million accounts compromised in the OPM breach, as well as many others, I would argue that it would be difficult to find an American whose information has not been compromised.

While these breaches themselves are troubling enough, they also raise a subtle, more complicated series of questions and issues around the ways in which organizations, including government agencies, banks, healthcare organizations, and retail companies perform identity verification of their citizens and customers.

It's a well understood concept that, to quote the famous cartoon, on the Internet nobody knows you're a dog. This anonymity has many advantages, and is important to many aspects of the modern Internet.
However, as the global economy has become more and more digital, and an increasing amount of commerce takes place online, it also creates significant challenges for organizations attempting to ensure that they provide information and services only to authorized individuals. Because these interactions usually take place on opposite ends of an Internet connection, with participants rarely meeting face to face, the ability of organizations to remotely verify individuals has been a constant struggle.

As a result, for years, many organizations have relied on a type of identity verification known as ``Knowledge-Based Authentication'' or ``KBA.'' We are all familiar with this process, even if we don't quite know it. For example, some online accounts ask consumers to provide answers to ``security questions'' such as their mother's maiden name, the make and model of their first car, or the street on which they grew up. Similarly, when consumers attempt to open new credit lines, they are often asked a series of multiple-choice questions that may ask who provided a consumer a loan, and in what year. These are all examples of KBA.

The effectiveness of KBA depends on a very important assumption--that information such as birthdays, mother's maiden names, addresses, work histories, and other KBA attributes remain relatively secret. In today's post-breach world, this is a tenuous assumption. Add the wealth of personal information consumers voluntarily share about their lives through social media and this assumption appears almost laughable.

So what do we do? If modern commerce and many other services, including government services, rely on KBA for identity verification, and that verification is no longer as secure or reliable as it was in the past, we need new strategies and new technologies to ensure that consumers are protected, and economic growth continues.
And we need them quickly; with the exponential growth of connected devices and services, it is likely that we will see more data breaches more often, not less.

Luckily, we are not starting from scratch. In the public sector, the National Institute for Standards and Technology (NIST) spent the past several years developing strategies and frameworks for identity verification under their Trusted Identities Group (TIG). As part of this work, NIST's TIG has provided funding to pilot programs looking to develop, implement, and leverage innovative new technologies that move organizations beyond KBA.

Similarly, in the private sector, many companies and organizations from a wide variety of sectors have come together to create the Fast Identities Online, or FIDO, Alliance. The FIDO Alliance provides a forum for collaboration and cooperation around the development of standards-based, interoperable technologies. These standards are freely available and already deployed in the products of companies like Google and PayPal.

Our witnesses today will not only help us understand the cumulative impact of the dozens of data breaches that have occurred in recent years, but also assess how current practices can and should be improved to protect consumers after their information has been breached.

Today's hearing is the start of what I expect will be a much longer conversation. But it's a necessary conversation to have. As our world becomes ever more connected, identity verification is a challenge that will only continue to grow.

Thank you, and I yield back and now recognize Ms. Castor of Florida for an opening statement.

OPENING STATEMENT OF HON. KATHY CASTOR, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA

Ms. Castor. Well, thank you, Mr. Chairman, and thank you for calling this hearing. Mr. Chairman, data breaches are compromising the personal information of millions of Americans.
The Equifax breach earlier this year, for example, exposed the personal information including names, Social Security numbers, birth dates, addresses, and other sensitive data of as many as 145 million Americans. And there have been many more--Yahoo, JPMorgan Chase, eBay, Uber. We simply cannot accept this as standard operating procedure.

When companies like Equifax, Yahoo, and Uber fail to protect the vast information they collect about consumers, it poses very serious risks. It's not limited to private corporations. Governmental entities have also failed to adequately protect personal private data. But with each data breach after each data breach, compromising more and more of consumers' personal information, we have got to ask how do we ensure an online identity can be verified only by the person in question?

I also think it's important that we not forget that companies should be held accountable when they fail to protect our data. The Equifax breach exposed the personal information of nearly half of the American population and it could have been prevented by applying basic security standards. So what is the recourse? What is the appropriate recourse?

I know that experts are working to develop methods to better protect online identities and I would like to hear what your recommended solutions are. Under President Obama, the White House released the National Strategy for Trusted Identities in Cyberspace. It's a framework for public and private collaboration on protecting digital identities and improving online transactions. So building on that effort, companies have begun experimenting with ways to improve identity verification and authentication. I would like to hear about some of these solutions as well as what we can do to protect consumers' privacy.

As more and more of our lives are online, it is equally important that we ensure that these systems are secure and that the ways in which we access these systems are protected.
I would like to thank our witnesses--Mr. Jeremy Grant, Mr. Troy Hunt, Mr. Ed Mierzwinski--for coming today to discuss the principles and various challenges in verifying online identities. Each of you brings a wealth of knowledge and experience to this hearing and it's a pleasure to have you here today. Thank you, and I yield back.

Mr. Griffith. I thank the gentlelady. I now recognize the chairman of the full committee, Mr. Walden of Oregon.

OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF OREGON

Mr. Walden. I thank the chairman, and we appreciate your leadership on this and so many other issues, and we want to thank the witnesses for being here today. We have another hearing going on downstairs on the anniversary of the 21st Century Cures legislation so I am bouncing back and forth today.

Today's hearing is about the future of digital commerce, as we all know, and it's about the future of how we ensure the person on the other end of an online transaction is in fact the person they claim to be. What a concept.

For years, we have relied on user names, passwords, and knowledge-based questions to confirm a user's identity. It's not a particularly sophisticated process. Your mother's maiden name or the make and model of your first car aren't exactly reliable forms of verification. Regardless, this process was suitable for a period of time in the evolution of our connected world but that time has long since passed, as we all know.

As noted by one of our witnesses today, it was almost a decade ago that the 2008 Commission on Cybersecurity for the 44th presidency highlighted identity as a frequent attack vector for cyberattacks. This prompted the previous administration to launch the National Strategy for Trusted Identities in Cyberspace, or NSTIC. As we will hear today, this high-level Federal attention encouraged the progress but we still have a long ways to go. How far?
Well, according to Verizon's annual data breach investigation report, about 80 percent of breaches last year used identity as a point of compromise--80 percent.

What has changed to make existing identity management practices so ineffectual and vulnerable to attack? There are a number of factors at play but the underlying answer is fairly simple. Today, the information necessary to compromise identity is readily available to those who wish to find it. We live in a post-breach world. Just look at the massive breaches that have occurred over the last several years from Target and Home Depot to Yahoo, Anthem, OPM, Equifax and, most recently, Uber, to name a few. I would be surprised if anyone in this room has not had at least some portion of their personal details stolen in the last 2 years, let alone their digital lifetime.

I remember a former colleague from Michigan who chaired the Intelligence Committee, Mike Rogers, used to say there are two types of companies in America--those that know they've been breached and those that don't.

It is not, however, just stolen data that undermines current identity verification practices. The explosion of social media is also a factor. Every day, consumers voluntarily post, tweet, and share details about their lives, adding to the rich data set of information available to malicious actors.

One of our witnesses, Mr. Hunt, is a global expert on these issues and that's why your testimony is so very valuable to our work, especially on how bad actors can compromise identity through the collection of personal information and data that already exists in the digital universe. He endured a 27-hour journey to be here, I am told, and I suspect his testimony will be illuminating for all of us. I thought I had a long trip back and forth to the West coast every week.

We can no longer ignore the current reality. Whether through theft or voluntary disclosure, our information is out there and this is not likely to change.
Social media will continue to grow. Social, cultural, and economic benefits are just too great for it not to. Likewise, digital commerce and online transactions are integral to our economic prosperity both now and in the future.

As our lives become increasingly entwined in the digital--with the digital space, this must come with an acceptance that our information will always be at risk. Such is the nature of the cyber threat we face and there is no perfect security in the connected world. But that makes it even more important that we find ways to reduce vulnerabilities in our digital ecosystem. Clearly, identity is one of those weaknesses.

So therefore, I look forward to the work this committee is doing and the testimony you all have submitted to us and the policies that will develop, moving forward.

With that, Mr. Chairman, I yield back the balance of my time and, again, thank our witnesses for being here and, as I said, I've got a couple of these I have to bounce between. But we appreciate the work you're doing.

[The prepared statement of Mr. Walden follows:]

Prepared statement of Hon. Greg Walden

Today's hearing is about the future of digital commerce. It is about the future of how we ensure the person on the other end of an online transaction is, in fact, the person they claim to be.

For years, we have relied on user names, passwords and knowledge-based questions to confirm a user's identity. It's not a particularly sophisticated process--your mother's maiden name, or the make and model of your first car aren't exactly reliable forms of verification. Regardless, this process was suitable for a period of time in the evolution of our connected world--but that time has long-since passed.

As noted by one of our witnesses, it was almost a decade ago that the 2008 Commission on Cybersecurity for the 44th Presidency highlighted identity as a frequent attack vector for cyberattacks.
This prompted the previous administration to launch the National Strategy for Trusted Identities in Cyberspace [NSTIC]. As we will hear today, this high-level Federal attention encouraged some progress but we have a long way to go. How far? Well, according to Verizon's annual Data Breach Investigation Report, more than 80 percent of breaches last year used identity as a point of compromise.

What has changed to make existing identity management practices so ineffectual and vulnerable to attack? There are a number of factors at play but the underlying answer is fairly simple--today, the information necessary to compromise identity is readily available to those who wish to find it. We live in a post-breach world. Just look at the massive breaches that have occurred over the last several years from Target and Home Depot to Yahoo, Anthem, OPM, Equifax and most recently Uber--to name a few. I would be surprised if anyone in this room has not had at least some portion of their personal details stolen in the last 2 years, let alone through their digital lifetime.

It is not, however, just stolen data that undermines current identity verification practices. The explosion of social media is also a factor. Every day consumers voluntarily post, tweet, and share details about their lives--adding to the rich data set of information available to malicious actors.

One of our witnesses, Mr. Hunt, is a global expert on these issues--especially how bad actors can compromise identity through the collection of personal information and data that already exists in the digital universe. He endured a 27-hour journey to be here today and I suspect his testimony will be illuminating for all of us.

We can no longer ignore the current reality. Whether through theft, or voluntary disclosure, our information is out there. And this is not likely to change. Social media will continue to grow--the social, cultural and economic benefits are too great.
Likewise, digital commerce and online transactions are integral to our economic prosperity--both now and in the future. As our lives become increasingly entwined with the digital space, this must come with an acceptance that our information will always be at risk. Such is the nature of the cyber threat. There is no perfect security in the connected world, but that makes it even more important that we find ways to reduce vulnerabilities in our digital ecosystem. Clearly, identity is one of those weaknesses and I look forward to hearing from all our witnesses about what options exist to address this challenge.

Mr. Griffith. Thank you, Mr. Chairman. I appreciate that. I will tell you that Mr. Hunt not only sacrificed with the 27-hour flight to get here but also put on a suit and tie for us where he normally wears jeans and a black T-shirt, according, at least, to his comments on the internet.

[Laughter.]

Mr. Griffith. But anyway----

Mr. Walden. I was starting to wonder if it's actually him or a stolen identity before that. But I don't know. Thank you.

Mr. Griffith. Anyway, thank you, Mr. Chairman. At this point, I would ask--oh, I would recognize Mr. Pallone of New Jersey for an opening statement. Glad you made it. Thank you.

Mr. Pallone. Thank you, Mr. Chairman. I want to--I have actually got the wrong statement here from the other committee.

Mr. Griffith. We will give you a minute. We have explained to everybody that we have two hearings going on at the same time and that folks are having to bounce back and forth so----

Mr. Pallone. All right.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW JERSEY

So let me, again, thank you, Mr. Chairman.
So much of our lives today is linked to what we do online and companies in virtually every sector of the economy collect vast amounts of personal data about consumers, and these companies know they are targets for malicious attacks and all too often they fail to protect the valuable consumer information they collect and store.

For example, recently the ride service company Uber revealed that it had been hacked more than a year ago, and this breach reportedly exposed the personal information of 57 million riders and drivers. This security breach is yet another example of a company that failed to protect the data of its customers and then failed to come clean about their security breach, in this case for more than a year.

Then there was the Equifax data breach which compromised the personal data of more than 145 million Americans, and what's worse, the Equifax breach compromised personal data like Social Security numbers and birth dates that are difficult or impossible to change. And consumers affected by the Equifax breach are vulnerable, particularly because these identity verifiers can give someone access to other sensitive information. The committee is still waiting for answers to questions we asked Equifax both before and after our hearing on the breach and, obviously, that's unacceptable so, hopefully, we will get answers.

It's also unacceptable to the American people because when companies fail to protect consumer data consumers pay the price, sometimes years after a breach.

So as data breaches continue to compromise our personal information, it's important that we explore how consumers and the holders of consumer information can verify that individuals are who they say they are online. For example, how many times has each of us been asked to provide the last four digits of our Social Security number to get access to other information?
But how do we protect consumers' digital identities, especially after the Equifax data breach exposed the Social Security numbers of nearly half the U.S. population? And as companies suggest that they may move to behavioral and biometric verifiers, are we comfortable with how much more personal information will be collected and used? Are we comfortable with trusting that companies will keep this data secure? And these are important questions now facing the world of digital commerce.

According to the Identity Theft Resource Center, as many as 1,190 data breaches have occurred so far this year. Any data breach exacerbates the issues the public is facing in verifying their identities and authenticating access online. Hackers and other malicious actors erode the trust we have online by using the data they've been able to glean about each and every one of us, and that's not good for business and it's certainly not good for consumers.

So, again, I just want to thank our witnesses for being here today to discuss the latest in identity verification and the challenges of protecting people's data and I believe that unless we act and pass meaningful legislation we will continue to see more data breaches and the unfortunate ripple effects that result from them.

I don't know if--you don't want to add anything? All right. I yield back, Mr. Chairman.

[The prepared statement of Mr. Pallone follows:]

Prepared statement of Hon. Frank Pallone, Jr.

Thank you, Mr. Chairman. So much of our lives today are online. Companies in virtually every sector of the economy collect vast amounts of personal data about consumers. These companies know they are targets for malicious attacks, and all too often, they fail to protect the valuable consumer information they collect and store.

Just this past week for example, the ride service company, Uber, revealed that it had been hacked--more than a year ago. This breach reportedly exposed the personal information of 57 million riders and drivers.
This security breach is yet another example of a company that failed to protect the data of its customers, and then failed to come clean about their security breach--in this case for more than a year. Then there was the Equifax data breach, which compromised the personal data of more than 145 million Americans. What's worse, the Equifax breach compromised personal data like Social Security numbers and birth dates that are difficult or impossible to change. Consumers affected by the Equifax breach are vulnerable--particularly because these identity verifiers can give someone access to other sensitive information. This committee is still waiting for answers to questions we asked Equifax both before and after our hearing on the breach. This is unacceptable. This is also unacceptable to the American people because when companies fail to protect consumer data, consumers pay the price--sometimes years after a breach. As data breaches continue to compromise our personal information, it is important that we explore how consumers and the holders of consumer information can verify that individuals are who they say they are online. For example, how many times has each of us been asked to provide the last four digits of our Social Security number to get access to other information? But how do we protect consumers' digital identities, especially after the Equifax data breach exposed the Social Security numbers of nearly half the U.S. population? And as companies suggest that they may move to behavioral and biometric verifiers, are we comfortable with how much more personal information will be collected and used? Are we comfortable with trusting that companies will keep this data secure? These are important questions now facing the world of digital commerce. According to the Identity Theft Resource Center, as many as 1,190 data breaches have occurred so far this year.
Any data breach exacerbates the issues the public is facing in verifying their identities and authenticating access online. Hackers and other malicious actors erode the trust we have online by using the data they have been able to glean about each and every one of us. That's not good for business, and it's certainly not good for consumers. I want to thank our witnesses for being here today to discuss the latest in identity verification and the challenges of protecting people's data. I believe that unless we act and pass meaningful legislation, we'll continue to see more data breaches and the unfortunate ripple effects resulting from them. Thank you, and I yield back.

Mr. Griffith. Thank you very much for yielding back. I appreciate that, Ranking Member. With that being said, I would now ask for unanimous consent that the Members' written opening statements be made a part of the record. Without objection, they will be so entered. I would now like to introduce our panel of witnesses for today's hearing and appreciate all of you being here. First, we have Mr. Troy Hunt, the information security author and instructor for Pluralsight. Next is Mr. Jeremy Grant, who serves as the managing director of Technology Business Strategy at Venable. And finally, we have Mr. Ed Mierzwinski, who is the consumer program director at U.S. PIRG, or PIRG. Thank you all for being here today, and I look forward to your testimony and we appreciate you providing that testimony. We look forward to the opportunity to discuss identity verification with you all. As you all are aware, the committee is holding an investigative hearing and when doing so it is the practice of this committee--this subcommittee of taking that testimony under oath. Do any of you have an objection to testifying under oath? Seeing none, the Chair then advises you that under the rules of the House and the rules of this committee, you are entitled to be accompanied by counsel.
Do any of you desire to be accompanied by counsel during your testimony today? Seeing no request for counsel, in that case would you please rise and raise your right hand, and I will swear you in.

[Witnesses sworn.]

Seeing affirmative answers from all, you are now under oath and subject to the penalties set forth in Title 18 Section 1001 of the United States Code. You may now give a 5-minute summary of your written statement, and we will begin with you, Mr. Hunt. Thank you so much for being here. You have 5 minutes.

STATEMENTS OF TROY HUNT, INFORMATION SECURITY AUTHOR AND INSTRUCTOR, PLURALSIGHT; JEREMY GRANT, MANAGING DIRECTOR, TECHNOLOGY BUSINESS STRATEGY, VENABLE, LLP; AND EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PIRG

STATEMENT OF TROY HUNT

Mr. Hunt. Vice Chairman Griffith, Ms. Castor, and distinguished members of the House Energy and Commerce Committee, thank you for the opportunity to testify today. My name is Troy Hunt. I am an independent information security author and instructor for Pluralsight. I am also the creator of the data breach notification service known as Have I Been Pwned. In my time running this service, I've analyzed hundreds of individual data breaches containing many billions of records, and I've observed firsthand both the alarming increase in incidents and, indeed, the impact they are having on people's lives. This testimony draws on my experiences running the service and describes the challenges we are now facing in a time where data breaches have become the new normal. When we talk about data breaches, we are really talking about a range of different types of events that can lead to the exposure of our personal information. We typically think of malicious actors exploiting vulnerabilities in protected systems and, indeed, that's an enormously prevalent and alarming situation. But increasingly we also see data breaches occur as a result of simple human error.
For example, accidentally publishing data to an unprotected publicly facing server where it's then discovered by unintended parties. We have a perfect storm of factors that are causing both the frequency and scale of these incidents to accelerate. Cloud services have made it easier than ever to publish data publicly, and that has helped to drive the expansion of other online services, which have in turn increased the overall attack surface of the internet. At the same time, we have the rapidly growing internet of things, collecting classes of data we simply never had digitized in the past and, increasingly, we are seeing that information appear in data breaches, too. Organizational attitudes to our personal information lead to data maximization. That is a desire to collect as much of it as possible, often well beyond the scope of what is actually needed by the service it's being provided to. Frequently, this is without informed consent, particularly by the likes of data aggregators and, indeed, we have seen them suffer data breaches, too, both here in the U.S. and overseas. Now, data is viewed as an asset yet organizations fail to recognize that it is also a liability. Exacerbating exposure of data is a rampant trading scene. Data is not only sold for profit but regularly exchanged by individuals building personal collections. I liken it to kids exchanging baseball cards, except that unlike trading a physical commodity, the exchange of data breaches is more like making a photocopy, as the original version still exists. Once it enters circulation, it is impossible to contain it. The data breach genie is out of the bottle. We are also learning how much we don't know as significant data breaches that occurred years ago come to light. We have no idea how many more unknown incidents are out there, and not only do we not know which organizations have lost their data and are unaware of it themselves, we don't know which ones are deliberately concealing data breaches.
There is a lack of accountability when a breach does occur. We know this because very little changes in the industry afterwards. We constantly see large data breaches and people ask, will this be the watershed moment where we start taking these breaches more seriously. Yet, nothing changes and we merely repeat the same discussion after the next incident. We are also disclosing large amounts of personal data of our own free will, such as our date of birth, by social media. We think nothing of it because a growing proportion of the population has never known a time where we didn't do this. They are the internet natives that have grown up in an environment of personal information sharing. Consider the impact on knowledge-based authentication, the very premise that there is information that you know that is sufficient to prove your identity. That same information is increasingly public. My dad recently had some help setting up a new broadband connection, and after calling up the provider the first thing they asked him was his date of birth. That's the same personal attribute I had exposed after I donated blood and that subsequently appeared in a data breach. And that is really the challenge we have today, the premise of authenticating one's self with information that only they should know, yet is increasingly in the public domain. That worked years ago when information was contained in a small number of silos, but that's not the world we live in today. And consequently, our assumption about who knows what has to change accordingly in the age of the data breach. Thank you very much.

[The prepared statement of Mr. Hunt follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Griffith. Thank you, Mr. Hunt. I appreciate that, and now recognize Mr. Grant.

STATEMENT OF JEREMY GRANT

Mr. Grant. Good morning, Vice Chairman Griffith, Ms. Castor, members of the committee. Thank you for the opportunity to discuss identity with you today.
As background, I've worked for more than 20 years in both industry and Government at the intersection of identity and cybersecurity. In 2011, I was selected to lead the National Strategy for Trusted Identities in Cyberspace, or NSTIC, which was a White House initiative focused on improving security, privacy, choice, and innovation online for better approaches to digital identity. In that role, I built out what is now the Trusted Identities Group at the National Institute of Standards and Technology and also served as NIST's senior executive advisor for identity management. I left Government in 2015 and now lead the Technology Business Strategy practice at Venable, a law firm with the country's leading privacy and cybersecurity practice, though I should note today my testimony represents my views alone. So let me say up front I'm quite grateful to the committee for calling this hearing today. Identity is a topic that impacts every American but it's only recently that identity has started to get proper attention from policy makers in the U.S., and at a high level the way that we handle identity in America impacts our security, our privacy, and our liberty. From an economic standpoint, particularly as we start to move high-value transactions into the digital world, identity can be the great enabler, providing the foundation for digital transactions and online experiences that are more secure, more enjoyable for the user and, ideally, more respectful with their privacy. When we don't get identity right we enable a great set of attack points for criminals and other adversaries looking to execute attacks in cyberspace and, unfortunately, we have not been doing very well here. Last year, a whopping 81 percent of hacking attacks were executed by taking advantage of weak or stolen passwords. Eighty-one percent is an enormous number.
It means that it is an anomaly when a breach happens and identity does not provide the attack vectors and, as my colleague, Troy, will probably discuss today with his Web site, Have I Been Pwned, there are now billions of compromised usernames and passwords that are out there in the marketplace. It is high time we find a way to kill the password. Outside of passwords, we have seen adversaries go after massive datasets of Americans in large part so they have an easier time compromising the questions used in identity verification tools like KBA. This was illustrated quite vividly by the 2015 hack of the IRS' Get My Transcript application where more than 700,000 Americans had sensitive tax data compromised. A key takeaway for this committee to understand today is that attackers have caught up with many of the first generation tools that we have used to protect and verify identity. The recent Equifax breach might have driven this point home but the reality is that these tools have been vulnerable for quite some time. There are many reasons for this, and there is certainly blame to allocate. But the most important question at this point is, What should Government and industry do about it now? As I lay out today, I believe the Government is going to need to step up and play a bigger role to help address critical vulnerabilities in our digital identity fabric. There are five primary areas where Government, working together with the private sector, can help address the weaknesses of first generation identity verification and authentication tools and deliver next-generation solutions that are not only more secure but also better for privacy and consumer experiences. First, when talking about the future of the Social Security number and whether it needs to be replaced, it is essential for folks to understand the difference between SSN's role as an identifier and its use as an authenticator.
SSNs should no longer be used as authenticators but that does not mean we need to replace them as identifiers. Instead, let's just try treating them like the widely available numbers that they are. That means that as a country we stop pretending that knowledge of somebody's Social Security number can actually be used to prove that they are who they claim to be. Second, along with the SSN let's just recognize how useless passwords have become as a security tool. There is no such thing as a strong password in 2017 and we should stop trying to pretend otherwise. Third, recognize that it's not all bad news out there. Government and industry have recognized the problem with old authenticators like passwords and SSNs and they've actually been working together the last few years to make strong authentication easier. Multistakeholder efforts like the FIDO Alliance, which Vice Chairman Griffith mentioned earlier, have developed standards for next-generation authentication that are now being embedded in most devices, operating systems, and browsers in a way that enhances security, privacy, and user experience. The Government can play a role in helping to drive user adoption. Fourth, while authentication is getting easier, identity proofing is getting harder as attackers have caught up to first-generation solutions like static KBA. This might actually be the most impactful area where the Government can help, by allowing consumers to ask agencies that already have their personal information and have validated it, in many cases with an in-person process, to then vouch for them for--with other parties that they seek to do business with. The Social Security Administration and State Department and Motor Vehicles have the most to offer here, and this is actually a concept that was embraced in the 2016 report from the bipartisan Commission on Enhancing National Cybersecurity.
Here, the Federal Government should work to develop a framework of standards and rules to make sure this is done in a secure, privacy-enhancing way and look at funding work to get it started. Finally, technology can help solve the problem but better standards will be needed for companies and agencies to apply it. Further investments in Government research and standards work can go a long way toward making it easier for any party in the public or private sector to implement stronger identity solutions. I appreciate the opportunity to testify today and look forward to answering your questions.

[The prepared statement of Mr. Grant follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Griffith. I thank the gentleman and now recognize Mr. Mierzwinski for 5 minutes.

STATEMENT OF EDMUND MIERZWINSKI

Mr. Mierzwinski. Thank you, Vice Chairman, and Representative Castor, and members of the committee. The Equifax breach was an epic fail in a lot of different ways. I know that this full committee has held hearings on it. Mr. Walden, the chairman of the full committee, used an excellent line when he said, ``I can't fix stupid,'' when he was talking about Equifax's many problems. I agree with the chairman on that, but I want to point out a few other points about Equifax that may not have been pointed out in that hearing. First of all, I think everybody sees them as a credit bureau, and that is true--they are one of the big three credit bureaus that collect information and sell it for the purpose of employment and credit and insurance decisions. They are gatekeepers to our financial and economic opportunity. So it's very important that they do a better job. In fact, that's their only job is buying and selling data. So you can't blame Target or even OPM the same way you can blame Equifax for their many, many epic fails in that--in that debacle. But I want to point out also--and the Federal Trade Commission has issued several reports on this--Equifax is not only a credit bureau.
It is a data broker, and data brokers, unlike credit bureaus, are ubiquitous in society and they are virtually unregulated and they buy and sell information every day that's very similar to credit reports but unregulated. So we need to take a look at the data broker system and figure out a way to regulate it more closely. Second, I think we need to go back to first principles. Mr. Hunt referred to data maximization. The code of fair information practices says data minimization should be a goal and the code of fair information practices is embedded in a number of our laws, including the U.S. Privacy Act of 1974. So we can't just protect all information. We've got to start collecting less information and keeping it for shorter periods of time. We have already heard from several witnesses and members of the committee about the problem of SSNs as identifiers and authenticators. But I want to point out that our credit reporting system, how we obtain credit in society, a bad guy doesn't try to get your credit report. That's very hard to do. A bad guy gets your Social Security number and goes to a creditor, and a creditor, being a trusted partner to the credit bureaus, gets your credit report and gives credit to the imposter. That's a very flawed system that needs to be fixed. The principal thing that I think Congress should do in response to Equifax, and I think it's bipartisan, is make credit freezes free. Credit freezes are the best way to protect your identity from financial identity theft. But, unfortunately, they cost money in most States. The problem of KBA authentication has already been discussed. I want to point out it's so obsolete it's pathetic and it also upset--it's not only bad because imposters can do one-second searches on the internet and obtain answers to the questions. Sometimes consumers don't know the answers to the questions. My colleague was asked how much credit her--you know, her family member Chester had. Chester was her dog. He died years ago.
She was 5 years old. Why is Chester a security question? What is the name of your first student loan company? Was it Sallie Mae or was it Navient? They keep changing the names of all of these companies. It's all ludicrous. On multifactor identification, I think it's a real positive step. But I do want to point out that biometrics, the third general multifactor authentication--something you know, something you have, and something you are--privacy groups are very concerned about databases of biometric information posing privacy and civil liberties threats. But on the other hand, if my fingerprint is only stored in my phone, perhaps that's a better solution. I'm very encouraged by the work that the other witnesses have talked about. The FIDO Alliance and the NIST program have been open-source, open-standard, multistakeholder investigations of how to improve our privacy and authentication mechanisms. On the other hand, I contrast that to the credit card PCI standards that have been imposed on merchants. The Target and the Home Depot, the Michael's, et cetera--all the merchant breaches--you can't blame the merchants for having to use an obsolete credit card with a magnetic stripe. And now the--now the first have gone to a chip card, which is a type of tokenization, and that is good but they could have gone further. They could have gone to chip and PIN. They could have gone to best available technology. So we have made some progress but a lot more needs to be done. Thank you very much for the time.

[The prepared statement of Mr. Mierzwinski follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Griffith. Thank you. Appreciate that, and we will now begin the questioning, and I will start with questions. Mr. Hunt, in your testimony you talk about the exposure of data due to accidental misconfigurations of cloud services. You were certainly spot on.
One such misconfiguration was discovered in the Federal Government this week, and it has been reported that this is the fifth time the Government has suffered a similar accidental exposure this year. Indeed, many companies, including Uber, have suffered information compromises because of these kinds of misconfigurations. Why does this keep happening? Is it really that easy to accidentally share your cloud services with the world?

Mr. Hunt. Well, the easy answer to the last question is yes, it is that easy. It's very often just a simple misconfiguration, and the difference between, let's say, a storage account within Amazon being protected and needing credentials in order to access it and being wide open is literally one configuration that can take seconds to make. So in terms of why it's that easy or how come this keeps happening so frequently, very often this is a competency problem. So people have access to resources such as cloud services that aren't sufficiently skilled in order to figure out how to configure them securely. Sometimes it can just be a simple oversight and there aren't enough backup controls to identify when something like this is exposed publicly. It is also very difficult for organizations because when cloud services are used they tend to very frequently sit outside their known address space. So, traditionally, an organization could say these are our IP addresses, this is the range of our scope of assets and then you can go onto the cloud and you can put things in totally outside that construct. And then compounding that as well we have this--this, I guess, construct called Shadow IT and for the longest time we have had the concern of Shadow IT--people working outside the formal constructs of the way the IT department and organization should run. And today, it is very simple for someone in an organization to go to the likes of Amazon and say, ``Look, I would like a storage account.
I am going to publish data there,'' and the IT department never even knows about it. So there's a number of factors leading to the prevalence of what is now becoming a very common event.

Mr. Griffith. Now, are any of the data breaches included in your service from such a misconfiguration?

Mr. Hunt. From which, sir?

Mr. Griffith. From--from your service.

Mr. Hunt. Oh, from misconfiguration?

Mr. Griffith. Yes.

Mr. Hunt. Yes, many of them. So we are seeing many incidents. The perfect example that comes to mind, earlier this year we had an IoT device called a CloudPet. It is literally a teddy bear with a listening device that talks to the internet. Their data was left publicly exposed in a database facing the worldwide web without a password. And, again, that is just a simple misconfiguration on their behalf.

Mr. Griffith. Wow. What can companies do to decrease the likelihood of this kind of a misconfiguration?

Mr. Hunt. It's a combination of things. To me, many of these incidents, whether it be misconfiguration or flaws in software, come back to education, and this is the sort of thing we are trying to do with Pluralsight. Let's try and get education out there to the people that are building these systems and standing them up. Because so frequently it is just such a simple little thing and had the person understood what the ramifications of the configuration change they're making or the code change they're making was, it wouldn't have happened. So I would love to see more education.

Mr. Griffith. And what are the consequences? I mean, we can all think of some. But what are the consequences of companies exposing this kind of data?

Mr. Hunt. Really depends on the data. I mean, at sort of the least end of the scale, very often we are seeing large amounts of email addresses and passwords. Now, that then often becomes a skeleton key into other things because we know that people reuse their passwords. So that--I almost hesitate to say that's the best that could happen.
But when we think about the worst that could happen, well, now we start to talk about large amounts of very personal data. So we have been speaking about the impact of things like the Equifax incident. South Africa just recently had an incident which was data exposed as a backup on a publicly facing server that had information about the entire country and this included their national identifier, so think about a Social Security number, which within there also includes date of birth and gender, and now we have got a whole country saying we literally had all of its data published on the internet and we know that it had been obtained by other unauthorized parties and redistributed. But what do we do? And to me, that's sort of the worst-case scenario, because now you got a whole country saying, how are we going to do knowledge-based authentication when the knowledge about the whole country has gone public?

Mr. Griffith. Now, from what I understand, when folks go back and analyze many security instances like data breaches, they find that somewhere along the line someone in the organization chose convenience such as the ability to check their personal email from their work computer, for example, over security. Have you found that to be true as well, in your work?

Mr. Hunt. Absolutely. I mean, the concern with convenience--I will give you a really good analogy--is very often I will say to people, look, we might see an application talking to a database that has effectively server admin rights--the most privileged user you could possibly have--and I will say to people, why would that happen. And they say, well, it was easy--it was much easier to give access to everything than to start implementing fine-grained permissions. And they are right, it is much easier. But that then leads to the problems we have got here.

Mr. Griffith. And so, how do we make it easier to protect things--protect that data?

Mr. Hunt. Well, again, I go back to that education side.
This is people making mistakes unknowingly, and when we see these happen over and over again and we look at the behaviors of the individuals, very often it is because they've never been taught what are the ramifications of setting this configuration or writing code that way.

Mr. Griffith. Yes. I do think we all choose convenience from time to time when we know in our hearts we ought not. With that, I have to yield back because my time is up and now recognize Ms. Castor of Florida for 5 minutes of questions.

Ms. Castor. Well, thank you, Mr. Chairman. As the Equifax breach made all too clear, there's an astounding amount of data that is collected by companies and especially credit bureaus. The Equifax breach, for example, exposed the personal information including names, Social Security numbers, birth dates, addresses, other sensitive data of almost 150 million Americans. Mr. Grant, if this data is out there, should companies no longer use this information as a component of identity verification online?

Mr. Grant. I wouldn't say that they shouldn't use the information anymore, but they should be smart about the ways in which they use it and I think there needs to be a recognition, you know, across Government and industry that these first-generation systems that we were using, the attackers have caught up with them. So let's figure out where it can be valuable in a process to establish identity or authenticate identity and where it can't be. I think there are still tools that are out there that are using some of this data that could be--you know, I often talk about, you know, you have an arrow with multiple quivers in terms of, you know, the tools that you're using. There still may be some value. But I think we need to recognize that it has been greatly diminished and we need to focus on next-generation solutions.

Ms. Castor. So, Mr. Mierzwinski, a similar question.
In your testimony, you stated in reference to Social Security numbers that, quote, ``you cannot authenticate with a number that is also an identifier, especially one that anyone can obtain, thanks to the data breach world that we live in.'' This seems like a good reason to prevent companies from using the Social Security number as an authenticator. Is that right?

Mr. Mierzwinski. Well, I think you're absolutely right, Congresswoman, and many people don't know that the Social Security number was invented so long ago it doesn't even have a correct checksum number. When you type your credit card number and make a mistake in an online form, it knows instantly. Your Social Security number can be completely garbled and it wouldn't know. The first five digits actually aren't really about you. They're about when you were born and where you got your number more than unique. So it is a very big mistake. I am encouraged that some of my banks know that when I've logged on from a new machine or even a new place. But others of my banks and other companies that I do business with don't ask me extra questions or don't want to send me a text. So it is uneven how companies are doing better authentication and, to me, you have also got to penalize them when they make a mistake. I realize Equifax and other firms will be penalized by the market. However, I wonder whether regulators need more authority to penalize companies that lose our info.

Ms. Castor. So let's talk about that especially. You mentioned the data brokers. Even outside of data breaches, internet-connected datasets contain vast information. A University of North Carolina study showed that data brokers can obtain almost anything from demographic data to financial data to travel data. In your opinion, are there adequate safeguards in place to limit what information data brokers collect, store, and sell about us? It seemed in your testimony you said no, it is kind of the ----

Mr. Mierzwinski.
No, despite--and you can find many items on the record from me criticizing the credit bureaus and the Fair Credit Reporting Act for being too weak. It actually is one of our stronger privacy laws. There are virtually no laws that apply to data brokers and they are out there in a Wild West ecosystem of digital collection and selling of information about consumers in real time, and as I believe the vice chairman pointed out in his opening statement, a lot more information is being collected into their databases. Your locational information is, for one, a new piece that should be protected that isn't protected under many laws.

Ms. Castor. So are there any incentives currently in place for companies to minimize the data they collect and store?

Mr. Mierzwinski. Unfortunately, I don't know that there are enough and there--public shaming helps but regulatory accountability would help even more, and companies just feel that we are not their customers. Consumers are not Equifax's customer. Mr. Smith, the ex-CEO, said that before numerous committees over the last month. Business is their customer. We are their product. We need to get them to think about taking care of us, and they haven't.

Ms. Castor. Mr. Grant, thank you for all of your work on the National Strategy for Trusted Identities. The identity ecosystem adheres to fair information practice principles, one of which is data minimization. This is the idea that organizations should collect only information that is directly relevant and necessary to accomplish the specified purpose. Is that right?

Mr. Grant. Yes.

Ms. Castor. So now it seemed to me, in this day and age, companies want to know everything about you. I am going to ask you the same question. What incentives are currently in place for companies to minimize the data they collect and store?

Mr. Grant. Well, I will say concerns both about regulatory enforcement as well as liability that they might face by having too much data. You know, Mr.
Hunt talked before about data maximization. When I was running the NSTIC program there was a term one of our staffers coined, which was data promiscuity--the practice that, you know, companies are just quite open in terms of collecting and sharing gobs of data. And I do think one thing you're starting to see now, particularly when some of that data is exposed in a massive breach, is other companies take a look at it and say, do we actually want to have all of this data. And so, you know, now that I am in the private sector I spend a lot of time working with companies, advising companies on how to minimize their risk, and I would say there are some companies that still want to hoard data and there are some that are realizing that it might be a liability and are actually trying to put proactive measures in place to reduce the footprint of data that they have on their customers and really focus only on what they need. So I do think a mix of regulation and liability does have an impact in the marketplace. You know, certainly, if you look across the ocean to what's happening in Europe right now with the impending implementation of Europe's general data protection regulation--GDPR--there's a lot of companies here in the U.S. that are still going to be impacted by that and that's also causing some firms to wake up and reevaluate in some cases what data they collect, how they store it, how they use it. Ms. Castor. Thank you. Mr. Griffith. I thank the gentlelady for yielding back. Now recognize the gentleman from New York, Mr. Collins, for 5 minutes of questions. Mr. Collins. Thank you, Mr. Chairman. And Mr. Hunt, I guess it is 3:00 a.m. right now so I am hoping you got some sleep on the flight coming up from Down Under. I want to try to put today's hearing maybe in context just for the everyday person. So many of us--you know, every three months one of our credit cards is accessed in some way. 
Usually we find out because we get a notification--a fraud alert from American Express or MasterCard. They've actually got some algorithm somewhere that says, this looks unusual, or something. So I want to make sure I understand. That's a little--people doing that, grabbing our credit report and stealing our numbers is perhaps different than the data breach area, or not?

Mr. Hunt. Where it probably differs to credit cards is there are a lot of different places where credit cards are exposed which may not be as a result of a data breach. I've had my wife's card compromised several different times now and, as you say, you hear from American Express----

Mr. Collins. Because I am sure she uses it daily.

[Laughter.]

Mr. Hunt. Well, she does appear to use it regularly, evidently. When this happens, she will, as you say, get fraud alerts from the bank. Now, that could have been anything from--we might have been in a taxi in a particular location and they scribbled down the number when they had physical access to it. You give it to someone at a restaurant, they go behind the counter. It could have happened in an incident like that. It could have been that a single merchant resold the data after purchasing something online. Now, that's not necessarily the same as someone who was a malicious party came along, found a vulnerability in software, and sucked out a million different records in one go.

Mr. Collins. Yes. So I wanted to kind of make--because I think sometimes we confuse the two and I think most of us are impacted by somebody grabbing our credit card more than not. Then we got to go to the inconvenience--getting a new card, set up on autopay. You know, I probably have to do that three, four times a year, even. So here we are talking about data breach. So now it begs the question, when someone is getting that, and I certainly understand someone, if they had enough, could try to apply for, I don't know, a mortgage or something. But that probably doesn't impact too many Americans as much as somebody stealing their credit cards.

So it kind of begs the question, these data brokers, as we call them--it sounds like a business because there's guys--and it sounds like they're--are they continuing to try to fill out, you know, for, you know, myself, you know, there's people with my same name, so I don't know. Are they sorting by my last name? My first name? My middle initial? As they find out that I, you know, just went to the SPCA and got a new cat, you know, what's the cat's name. You know, how are they sorting this? By Social Security number? By address, in multiple ways, and as you said, trading baseball cards--are they doing this for fun? And then once they have it, and they're just out there selling it, why can't we catch these guys? If somebody--I think of Raymond Reddington on ``The Blacklist,'' you know. He'd be the guy buying this stuff. Why can't we find them, shut them down? And so that kind of general questions. What would you add to that?

Mr. Hunt. I would say one point to maybe sort of disambiguify here is when I made the comment about trading baseball cards what I am talking about is there are a lot of individuals out there who obtain access to data breaches and then they redistribute them between peers--not necessarily commercial legal entities like data brokers such as Equifax but individuals, in many cases children, sitting in their bedroom going, hey, I've got a data breach--you have got this one--let's swap and we'll build up these personal collections. Now, that is not necessarily with malicious intent but it does lead to the redistribution and the growth of the amount of data that's out there.

And then in terms of the data brokers, in terms of the legally operating entities, very often they refer to data enrichment, which is like let's just get as much data as we can about the individuals, refine it so that we have very, very clear pictures because that makes the product that they offer that much more valuable. And then whether they sort it by your Social Security number or your name or your job title, whatever it may be, they have got significant amounts of data that they can offer people, whatever sort of sorting or filtering mechanism they like.

Mr. Collins. So in this case, you're referring to a data broker as a legal entity----

Mr. Hunt. Correct.

Mr. Collins [continuing]. Not a blacklister that's out there selling it?

Mr. Hunt. That's right.

Mr. Collins. All right. So the folks that are out there selling it on the darknet or whatever, just walk us through--we don't have a lot of time--how are they finding their customers, verifying it is not an FBI or somebody under cover?

Mr. Hunt. Well, they don't always get that right.

[Laughter.]

So how are they selling it? Well, very often we see data breaches being traded on the same sorts of marketplaces that are trading things like drugs. So we have seen very prominent darkweb Web sites--the Silk Road, Hansa Market, AlphaBay. Now, many of those services have now been shut down but others have emerged in their place and they operate on Tor hidden services on the darkweb, which does make it very difficult many times to actually track them down. So they operate illegal marketplaces and data breaches are another commodity like heroin.

Mr. Collins. Well, I appreciate all your comments. My time is up. I yield back, and thank you for coming up from Australia.

Mr. Griffith. I thank the gentleman for yielding back. I now recognize Mr. Tonko of New York for 5 minutes for questions.

Mr. Tonko. Thank you, Mr. Chair.
In recent years, as breaches have become more common, companies and technology have not kept pace to protect consumers. As more breaches occur, more consumers are at risk for identity theft and other crimes. While progress has been made, we must do much more to, obviously, protect consumers. Many ongoing concerns were brought to the forefront once again with the Equifax breach. More than 8 million New Yorkers were affected by the Equifax breach including many of my constituents. One constituent, who I will label as Lee from Albany, asked Equifax, why are you using this gross misconduct to turn your victims into customers for a paid monitoring service that you will profit from. Mr. Mierzwinski, can you speak to Lee's concerns that companies are profiting off these breaches?

Mr. Mierzwinski. We think it is outrageous and we wish it would stop. The companies have turned consumers into cash cows. They're responsible for keeping our information safe and keeping it accurate. They don't, and so instead they say, you better buy this credit monitoring service at $19.95 a month, and the marketing of these services is extremely deceptive. Several banks have been fined by the bureau and several of the credit bureaus have been fined by the FTC. A third party company, LifeLock, has been fined by the FTC and numerous State attorneys general. After it violated the terms of its settlement order, it was fined an additional $100 million for contempt. So the marketing of credit monitoring is unfair, and you don't need credit monitoring either because you can get your credit report for free under Federal law. In seven States, you can get a second credit report for free from each of the three companies. If you file a fraud alert--a 90-day fraud alert--after you have been a victim of a breach, you could get an additional free credit report, get them every three months, and you have got your own free credit monitoring. But Equifax should not be profiting. We'd like to put a stop to it and we'd like them to not charge consumers for freezing.

Mr. Tonko. Thank you. And Mr. Mierzwinski, again, you discussed the privacy risks that come along with biometrics. Can you elaborate on these risks?

Mr. Mierzwinski. Well, very simply, I think that as we put our biometric information into databases, it becomes another commodity in the cloud. It becomes another way that you can steal information about a consumer. If you steal my fingerprints or my retina scan, it's--you could clone yourself as me in a lot of different ways. I am not an expert on whether that is being done yet today, but we are very concerned and also concerned about the civil liberties aspects of Government agencies getting access to the information in the databases without warrants, et cetera.

Mr. Tonko. Mm-hmm. I thank you for that. And a 2017 New York Times article described the nightmare that Americans face when confronted with identity theft. The article referenced a study on identity theft and pointed out that, and I quote, ``Last year, 15.4 million American victims of identity theft lost $16 billion.'' The article continues, describing cases where Americans were denied the ability to refinance their mortgages or tax refunds were fraudulently sent to hackers and other similar cases. So Mr. Mierzwinski, many companies use certain information to verify someone's identity like a full name, home address, and Social Security number. Now with the data for nearly half of Americans stolen, is it true that malicious actors could retrieve those identifiers?

Mr. Mierzwinski. Absolutely malicious actors can retrieve your information in a variety of ways. They can even retrieve more information if they've only obtained some. So the Yahoo breach largely obtained for the bad guys phone numbers and email addresses. That's the way that you can then conduct phishing and spear phishing exploits to get more information from consumers or even call them on the phone and say, ``I've got your Social Security number. I am going to read part of it to you. You read the rest of it to me''--those kinds of gimmicks--social engineering. It is easier than hacking, actually.

Mr. Tonko. Mm-hmm. The article also makes the case that we shouldn't necessarily get rid of using Social Security numbers to identify someone but that we should stop using it as an authenticating factor. Mr. Grant, do you agree with that?

Mr. Grant. Yes. I wrote an op-ed that was published in The Hill about a month ago that made that same point. I think we need to understand how Social Security numbers are both an identifier and an authenticator and essentially stop recognizing them for use of the latter. If I call my credit card company and they ask for the last four of my Social Security number, my answer should be, ``Why in the world would you think that me knowing that actually proves that I am me?'' My information has been stolen several times over. It could be anybody who's calling in making that claim. But as an identifier, look, identifiers are needed in the modern economy. The Government needs a way to track how much money I am making from both my job and my bank accounts. You know, individual companies need an identifier as well. Let's just treat it as something that's widely available and I think once we acknowledge that it is not something that is a secret, then we can start to focus on what comes next, which are better solutions for identity verification, better solutions for authentication that don't have the weaknesses that the ones that we are using today have.

Mr. Tonko. Thank you. And with that, I yield back, Mr. Chair.

Mr. Griffith. I thank the gentleman, and now recognize Mr. Costello of Pennsylvania for 5 minutes for questioning.

Mr. Costello. Thank you, Mr. Chairman.
I am going to try this with my voice. To all three of you, I am just going to read through a series of questions and ask that you weigh in as appropriate. You spoke in your testimony about the role of Social Security numbers, both as they are used now and as they should be used in the future. In particular, you're both adamant that we don't need to replace Social Security numbers, as some have suggested we need to. Instead, you have said that using them--or, the need to change them, from using them as identifiers and authenticators to using them solely as identifiers.

My questions are oriented in this fashion. Are there barriers to moving away from Social Security numbers as both identifiers and authenticators? For example, are there Government regulations that require them in certain instances? Are there private sector standards that recommend or require their collection? And how will these organizations begin making the change you suggested? How expensive both in terms of time and resources would this change be and are there any potential down sides, and if so, what are they?

Mr. Grant. So I am happy to jump in with that first. I think one point you raised is there are a lot of entities that are required to collect my Social Security number. I started a new job at Venable five months ago. They needed to know my SSN. Any bank account that I open they need to know my SSN. And that's for the purpose of an identifier and I don't know that there are any real issues there with them continuing to use that. There are issues that are out there in terms of, you know, particularly when opening financial accounts. I mean, one big problem we have in this country is what, you know, many people refer to as synthetic identity fraud--when you'll see fraudsters try and combine a real name and a real Social Security number that don't match and then start throwing it into the system in an attempt to establish credit, and that's, you know, one way that, you know, organizations are then defrauded or people are defrauded. I mean, so, you know, I think there's good reasons to keep using the SSN as an identifier but we could also use better systems to verify.

One of the things I talked about in my opening statement was what Government could actually do as a provider of identity verification services themselves. The Social Security Administration knows that there's a Jeremy Grant that has my Social Security number that matches but if I go to open a new account at a bank today or a mobile network operator or anybody else who's collecting it, there's no way to electronically verify that with Social Security that that really matches up. There's a paper-based system that requires a wet signature. It was a great thing 20 years ago. It is 2017 now. I think you could actually help cut down on fraud in new account opening if there was an electronic way for Social Security to validate those numbers if queried.

I think where there's going to be bigger issues--you were asking about barriers and costs and things like that--is where we replace the Social Security number as an authenticator. So I can make fun of the credit card company I called last week who asked for the last four of my Social Security number and, obviously, there's no security value to that in 2017. But their next question is, well, then how do I authenticate you when I am talking to you on the phone, and that's a much harder question. I think there's some interesting products. There's new standards that are emerging. There's--there are ways that you can do it. But there tends to be--the pace of adoption tends to lag the creation of new technology. And so I think this is actually an area where I would love to see Government partnering with industry focus more is how can we identify where those are--where there are promising technologies that could replace the first-generation tools that have, you know, started to fail and accelerate the pace of adoption everyplace.

Mr. Mierzwinski. I agree.

Mr. Costello. That's a good answer.

Mr. Mierzwinski. Yes. Try to keep some of your time for you.

Mr. Costello. Very good. I will yield back, Mr. Chair.

Mr. Griffith. I thank the gentleman for yielding back. I now recognize Ms. Clarke of New York for 5 minutes for questions.

Ms. Clarke. I thank you, Mr. Chairman. I thank our ranking member. I thank our panelists for their expert testimony here today. And I wanted to bring up the National Strategy for Trusted Identities in Cyberspace. Under President Obama, the White House released this strategy and this spurred the public and private sectors to collaborate on issues related to identities and online transactions. Mr. Grant, is it accurate that this strategy laid the framework for privacy-enhancing technology as well as identity solutions that must be secure and cost effective?

Mr. Grant. Well, I would say it helped. I think where NSTIC really helped was throwing down a marker in 2011 for an industry that, you know, hadn't really started to think about this yet, and when I look at the impact several years later, you know--I talked about this in my written statement--companies that liked it came in and said, ``Hey, this is a great idea. How can we actually work with you to come up with solutions that align with it?'' Even companies that didn't like the fact that the Government had thrown down a marker still had to pay attention to it because their customers were focusing on it. So when I look at where the market is today, look, we still have plenty of problems in the identity space.
We wouldn't be having this hearing if it wasn't the case. But I think the strategy helped and some of the specific activities that we--that we sponsored and funded out of NIST during the time that there was a national program office implementing NSTIC really helped to move the market along at a point much faster than it would have gone otherwise and, you know, also pointed the way to, you know, create the--you know, just pointing out basic things like security doesn't have to be at odds with privacy. Security doesn't have to be at odds with user experience. Those are concepts--it is not a radical statement to make, but there were some vendors in the space who seemed to think that they were going to be at odds, and this helped to show that there could be other ways.

Ms. Clarke. So what--can you elaborate a little bit more as to what a privacy-enhancing solution may look like in the age of data breaches?

Mr. Grant. Sure. So, you know, the concept of privacy enhancing it is, you know, how does--how do you create solutions that can actually give people more control over their personal information--have more choice in terms of what attributes they choose to share about themselves when they go online. And, you know, it is a catch-all term. But in terms of practical application, I think it is, you know, something you see today. Let's say you're logging in to a Web site with a social provider and they now give you radio buttons that, you know, let you choose--do I just share my name? Do I log in anonymously or do I share--let's say it is using Facebook Connect--a whole bunch of information about me with that site. That's, you know, one example of giving consumers choice in a way that's also pretty easy to select, you know, with radio buttons, for example, that you can click on or off. That is something that we didn't have in the marketplace before.

I think there's other interesting approaches. You know, people can get--we could really go down the rabbit hole in terms of talking about privacy-enhancing encryption, which is an area that I will say there's been a ton of R&D done but I would say we still have barriers in the marketplace in terms of coming up with systems that can scale. I know there's really a commercial--a need for. We, you know, funded a lot of research there as well and NIST continues to do good work there today. That's probably some of the next generation work, I think, in terms of where the market focus is next.

Ms. Clarke. So can you tell us the benefits of a universal two-factor authentication or similar types of technologies that secure a user's identity?

Mr. Grant. Well, it is a universal two factor. Whether it is universal or whether you're just using two-factor authentication everywhere. You know, I mentioned in my opening statement 81 percent of breaches last year were caused by exploiting passwords. There is a reason for that. The password is really easy to compromise and the notion that there's such a thing as a secure password just doesn't make sense. You know, a lot of the attacks we see these days are spear phishing attacks where you get something that looks like a normal login to your email provider or your bank but it is not. It is somebody who's inside trying to phish your user name and password. If you have unphishable two-factor authentication behind it, that attack doesn't work anymore. Although one problem we are actually seeing in the marketplace is some of the first-generation tools that we have seen for two-factor authentication--things like getting a code through SMS or, you know, through an app on your phone. That is phishable as well. And so, you know, I keep making the point we had solutions that were good for a while and now the attackers have caught up with them. Moving to unphishable authentication--you know, we have talked in this hearing about, you know, standards bodies like the FIDO Alliance that are coming up with solutions based on public key crypto, which is unphishable. That, I think, is where, you know, we need to focus there.

Ms. Clarke. Where we need to go. OK. And just sort of in closing, you know, I am glad that we somewhat have a roadmap to improve the security of our online identities but it seems that more efforts are needed to implement these effective solutions and we need to continue to evolve, as you have stated, because we sort of get static after a while and, of course, there are those who are out there constantly working at how to phish and break through. So thank you for your response today. Hopefully, we will heed what you have shared with us today. I yield back, Mr. Chairman.

Mr. Griffith. I thank the gentlelady for yielding back. I now recognize Mr. Walberg of Michigan for 5 minutes of questions.

Mr. Walberg. Thank you, Mr. Chairman, and thanks to the panel for being here. Mr. Hunt, I appreciate you coming all that distance. In fact, I've often had some sinister thoughts of sending some of these hackers, et cetera, back to Darwin, Australia, and let them confront some of the wildlife there in that beautiful but dangerous part of your great country. But I won't suggest that.

One of the reasons that we are having this hearing today is to shine a light on a problem that we think is getting worse, namely, that there is so much data available on individuals from these various breaches that malicious actors can package or enrich data to create very robust profiles of almost any given person. Is that something that you have seen or heard about and if so is it a growing problem?

Mr. Hunt. Yes. Look, it is certainly a concerning thing because, obviously, the more personal attributes you can gather about an individual the richer the picture you have.
And then when it then comes to things like knowledge-based authentication you start to build up many different attributes. And in my written testimony I talk about the concern of aggregating from multiple services, and they're not always data breaches either. So someone might take certain attributes from one data breach--let's say a name and a birth date. They'll go to another data breach and they may get gender and home address. And then they'll go to open source intelligence sources such as LinkedIn, Facebook, Twitter, and aggregate further data attributes from there--your profile photo, your social connections. And the real concern I have there is that even beyond just data breaches alone there are so many sources of information that we literally willingly publish ourselves publicly that we now have to start to work on this assumption that so many known attributes about ourselves, which we did previously consider to be personal attributes, are now public and that's the concern I have. There's just so many different sources and it is not just data breaches.

Mr. Walberg. And that's what makes it so valuable then, that----

Mr. Hunt. Oh, absolutely, and I can see why the likes of legally operating data aggregators are running great businesses these days because there is so much data that they can obtain from us.

Mr. Walberg. Yes. Mr. Grant, as former head of NSTIC, this is likely an issue that you're familiar with as well. Did NSTIC look at this kind of problem and, if so, what were its conclusions and recommendations?

Mr. Grant. So I would say we spent a lot of time looking at it in the Trusted Identities Group and NIST continues to focus on this. You know, I think probably the most--well, there's a lot of things that NIST has done in this space that's been impactful. But one that I would point to are the updated digital identity guidelines. One of the NIST special publications, 800-63-3, is the title or the code that was put out this past summer, which was an effort led by my old office to basically take a look at what is the modern state of solutions in terms of what we can use for identity verification and authentication in the marketplace and also recognize where some of the attackers have caught up with some of the old technologies. And so they published new guidance this past summer which I think--you know, what's been nice about it is not just in Government but also a number of entities in industry have looked at this and said, this is fantastic--this is a guidebook that we can use as we are building solutions for the private sector to make sure that we are, you know, both taking into account new technologies and new standards that are emerging--things like FIDO as well as make sure that we are not using some of the legacy solutions that just aren't as good anymore.

So, you know, certainly, in the topic of identity verification, one of the things that the new guidelines did was diminish the role of KBA in terms of how much you can trust it for identity proofing. It establishes that there's still a role for it in the process of identity resolution, you know, trying to figure out whether I am the Jeremy Grant who's actually applying for an account but says you cannot use it alone for, you know, full-blown identity verification. That was a big change from what we've seen in the past.

So, you know, one thing I mentioned in my written testimony is some of the budget for NIST work in this area has been proposed for a cut in 2018 at a time when everybody's looking at, you know, where we can actually take some actions after events like the Equifax breach. I think we, you know, are going to continue to need more funding for research and standards in this area, both to help Government implement better solutions as well as the private sector.

Mr. Walberg. What updated standards are you talking about there?

Mr. Grant. There is updated--well, I think there's other work to be done still. So I think NIST has put out digital identity guidelines. I would say two things. One, attackers are always evolving and technology is always evolving and so it is something that should be updated I would say, you know, on a regular basis rather than, you know, a cycle that's every 5 or 10 years, which is often how NIST tackles the special publications. Beyond that, I think there's other research for areas. You know, for example, one of the questions that Mr. Hunt was asked before was about the security of cloud services and how entities are getting into that. And often, again, the attack vector there when you're guarding against big enterprise class data breaches is through identity. I think NIST could do a lot more work looking at enterprise identity and how you actually manage administration, authentication, authorization, analytics, and audit--what I call the five A's of the identity life cycle. There is not great guidance out there anywhere in the world and NIST is really well poised to help enterprises apply better identity security.

Mr. Walberg. Thank you. My time has expired. I yield back.

Mr. Griffith. I thank the gentleman for yielding back and now recognize Representative Jan Schakowsky of Illinois. The gentlelady is recognized for 5 minutes.

Ms. Schakowsky. Thank you so much. As we talk about consumer protection, which has really kind of been my bailiwick for a very long time, I have to mention what's going on right now at the Consumer Financial Protection Bureau. OMB Director Mick Mulvaney is serving now as acting director as his appointment continues to be challenged in the--in the courts and Mr. Mulvaney has been pretty much a longtime opponent of the CFPB and no friend of consumer protection regulations. He has already put a hiring freeze and a regulatory freeze in place at the agency. So Mr.
Mierzwinski, I wondered if you could just share your thoughts on what is currently going on at the CFPB and perhaps how it relates now to this issue also of data protection, et cetera.

Mr. Mierzwinski. Well, thank you, Congresswoman, and of course, the Consumer Bureau was created after the big collapse of the economy and it was designed to be independent of the political process that has corrupted a lot of the control of how we protect consumers in the financial system. By appointing--by suggesting that the head of the OMB, a deeply political agency of the White House, could also at the same time be the director of the independent Consumer Bureau, we just don't think that computes and we support Director Cordray's appointment of Leandra English as acting director. We truly recognize the president has the authority to eventually nominate and get someone confirmed by the Senate. But we hope that person is qualified as a consumer advocate and is not someone who has attacked the bureau and called it a sick, sad joke, as the current acting director has. The Consumer Bureau, in just 6 years of existence, has recovered over $12 billion--about $12 billion for 29 million Americans and has restored confidence in the financial system. So we like--we'd like to protect it.

Going forward, you have pointed out one issue that is in conflict there is actually data security. Interestingly, the Consumer Bureau gained authority over Equifax when it sells credit reports through the Fair Credit Reporting Act. But the Gramm-Leach-Bliley Act under the Federal Trade Commission still controls on data security for a number of nonbanks including the credit bureaus. That's a real problem.

Ms. Schakowsky. Yes, although before he left, Chairman Cordray said that he thought that there ought to be embedded regulators at Equifax and companies--and the other companies.

Mr. Mierzwinski. Well, actually, he does have the authority or he did have. The bureau still retains the authority to supervise Equifax in the same manner that bank regulators including the bureau supervise banks, meaning the ability to be there in an embedded basis and look for problems before they get bad and also to look at the toxic--not the toxic but the secret sauce that the company uses to generate its credit scores. There are a lot of things that the bureau can and should do. But there is this one little piece of Gramm-Leach-Bliley that says the Federal Trade Commission is still the regulator for when you have a breach, when you have to notify. The Federal Trade Commission rule still has not created a notification standard at the Federal level and this is something people may not be aware of. The Federal Trade Commission under Gramm-Leach-Bliley cannot impose a penalty for the first violation of the data security rules. The bureau can and any bank regulator can impose a penalty for any first violation by companies they regulate. The Federal Trade Commission cannot.

Ms. Schakowsky. So regardless of how big the breach is, how many people are affected, they do not have the authority?

Mr. Mierzwinski. Not under their statute and not under their regulations. They've never done it so I don't believe they have the authority and it has been confirmed to me by former staff there.

Ms. Schakowsky. Oh, I see. Do I have time? Well, let me see if I can get to one last question and that is about credit freezes. So the long-term risk from data breaches underscores the need for strong data security and breach notification legislation such as the--I have a bill called the Secure and Protect America's Data Act that I introduced with Ranking Member Pallone, several other members of this committee. So, again, Mr. Mierzwinski, when a company fails to protect consumers' data, then where does that leave the consumer? And let me just add also in the wake of the Equifax breach you have talked about making credit freezes free for consumers. How would that help?

Mr. Mierzwinski. Well, how--making credit freezes free would give us control of our own data, and by the way, that has almost become a bipartisan issue. The next step is to make credit freezes the default on switch. Make the consumer information always protected until the consumer agrees to turn it on.

Ms. Schakowsky. So the----

Mr. Mierzwinski. The opposite of the current situation.

Ms. Schakowsky. OK. Thank you so much. I yield back.

Mr. Mierzwinski. Thank you.

Mr. Griffith. Appreciate the gentlelady yielding back. I now recognize the gentlelady from Indiana, Mrs. Brooks.

Mrs. Brooks. Thank you, Mr. Chairman, and thank you to all of our witnesses for being here. I am a former Federal prosecutor--former U.S. attorney that worked on and prosecuted identity theft cases between 2001 and 2007. So this is certainly not something new. I haven't heard very much, quite frankly though, about going after the bad guys, and we are talking about the hackers and I want to learn a little bit more. And Mr. Hunt, when you talked about the analogy of it is like shopping for heroin or so forth on the darknet and so forth, could you please talk with me a little bit more? Because I haven't been in that world, quite frankly, since '07 and really want to learn a little bit more about the buyers, the sellers, and how do they purchase it, select their buyers and sellers. Do they earn reputations on the darknet? Can you tell us a little bit, and then for yourself and maybe Mr. Grant a little bit about what kind of cooperation you have engaged in with law enforcement. Mr. Hunt?

Mr. Hunt. I think we can sort of speak to the last part of the question first, which is around reputation, so how do people establish a reputation. One of the quite intriguing things when you do see these dark market marketplaces or darkweb marketplaces is that in many ways they look very familiar.
They look like an eBay, for example, and there are buyers and sellers on there that have a reputation that they gain over a series of trades. Now, of course, the difference is they're not buying iPhones or consumer electronics. It is, literally, drugs, data breaches, and so on. So that's sort of the first part of the answer. The establish a reputation. In terms of then identifying who those parties are, one of the difficulties we have with privacy and anonymity tools is whilst they're very good for maintaining privacy and anonymity for people that want to do good things, they're also very good at maintaining privacy and anonymity for people doing bad things. Now, we have seen a number of these marketplaces taken down over time but, obviously, they are much harder to track down. I guess to the other points, one of the things that sort of concerns us is that there is a thriving marketplace for this data and there are, I guess, various shades of gray in terms of who finds this data attractive. That's, clearly, criminals--those who literally want to go out and mount identity theft attacks. They find this data attractive. One of the things that worries me a little bit more is that it is also an attractive piece of information for more mainstream legitimate organizations who are looking to gain access to this data so that they can figure out which of their customers are protected. So we are now seeing very mainstream online web properties that many of us know and use on a daily basis that will tell people when they have appeared in a data breach and some of these are actually purchasing information in order to gain access to that to protect their customers. And, frankly, that--I am a little bit torn with that because I understand the desire to protect their consumers but I also worry about the incentives that provides those who are breaking into systems. Mrs. Brooks. Mr. Grant, anything you want to add? Mr. Grant. Not too much. 
I mean, my--look, law enforcement is quite important. It is--I think as Mr. Hunt pointed out, it is becoming quite hard to attract people down in part because of the international nature of, you know, many of the criminal rings that are actually running all of these, you know, marketplaces and what not. I would agree in terms of what, you know, Mr. Hunt said as well in terms of the same tools that can protect us and keep us anonymous can also be protecting them. So there are definitely challenges there. Mrs. Brooks. Has there also been evidence that nation- states besides entities, individuals, criminal organizations are involved in this as well? Mr. Grant. Absolutely. I mean, that's something we haven't talked about much. I am sure most of us in this room were victims of the OPM breach, which I guess I appreciate that the Government is giving me credit monitoring services for this. I don't think that the government of China is looking to establish credit in my name. They're interested in looking through the 75 pages or so of my SF-86 and figuring out if they can compromise me because I have a top-secret clearance. But this is certainly something that has been quite interesting to other nation-states who are looking to execute attacks, you know, both for those purposes as well as just for, you know, getting into basic accounts. Again, if we are protecting access to an account with only something like static KBA and they've now stolen the answers to those questions, well, then you can get into them and do things with them. You know, likewise, Mr. Mierzwinski talked before about, you know, some of the risks of biometrics. All of my fingerprints are now sitting in another country somewhere because of the OPM breach, which means I wouldn't feel particularly comfortable using anything that's doing remote match fingerprint to secure anything that I care about. 
That said, I am really comfortable with using a fingerprint on my phone because you have to come get my device out of my hands first before you can compromise it. Mrs. Brooks. Mr. Mierzwinski mentioned that the credit monitoring services maybe have been not very honest in their practices. Do you agree that when we receive these requests after we've been a target of a breach that people should or should not be accepting those services by the company? Mr. Grant. You know, I don't think it hurts to accept them. Whether you pay for them is another question that I think---- Mrs. Brooks. Right. Mr. Grant [continuing]. You know, folks are asking right now. Look, I think they are helpful because it is good to know if something is happening. It is good to be able to monitor your account. Whether you need to pay for it is another question. From, you know, the Government perspective as a victim of the OPM breach I don't know what value it offers me other than it is nice thing to have to be able to keep close watch on my credit. So it--you know, value in the service, yes. Whether, you know, I want to pay for it as a consumer that's another question. Mrs. Brooks. Thank you. Thank you all for your work. Yield back. Mr. Griffith. Thank you. I now recognize the gentleman from Georgia, Mr. Carter, for 5 minutes of questioning. Mr. Carter. Thank you, Mr. Chairman, and thank all of you for being here and for your efforts to get here. Appreciate it very much. This is, obviously, very, very important to all of us. I want to start with you, Mr. Grant, and just ask you if you can, and please dumb it down for me, if you will, what are trust marks? Can you just explain that to me? Mr. Grant. Trust marks--sure. Best example of a trust mark is the Visa logo that's on two credit cards in my wallet. So that if I go down to the cafeteria here afterwards and have lunch with Troy or Ed, the cafeteria doesn't really care which credit card I pay with. 
I got one issued by Capital One and one issued by Chase. Because it is got that Visa trust mark on it, which stands for a bunch of standards and operating rules that govern everything from how that card's authenticated at the point of sale terminal, what security is in place, how long it takes for my bank to pay the cafeteria for my lunch, what transaction rate that they're actually going to pay in terms of, you know, the fee for processing that, and some would argue most importantly if--let's say Vice Chairman Griffith steals my credit card and buys lunch for the committee and I contest that with my bank--what am I liable for and what's the merchant liable for. So the trust mark is essentially something that represents all those standards and operating rules that in the credit card network everybody who's an issuing bank has to follow and everybody else has to follow. In the identity space, one argument--this was a lot of the focus of NSTIC is that we need to create something similar to the Visa network before identity, which is that I could have the issuer be my State DMV or the Social Security Administration, my bank, my mobile network operator. It could be an advocacy group like the NRA or the ACLU or U.S. PIRG, who all could validate my identity a certain way, issue me a credential that I could use everywhere and the reason it would be trusted is because it has that trust mark. Mr. Carter. Well, that's really what I am getting at because as I understand it, the Trusted Identities Group has actually farmed out, if you will, pilot projects and the Georgia Tech Research Institute has actually come up with the emphasis on the machine-readable trust marks, and it is been very successful and the results have been positive, particularly when it was--when it was over a trusted framework and that would encourage greater trust. How can this be implemented in industry? How can we use this? Mr. Grant. 
So I don't think--you know, a little bit of background on the GTRI pilot that was one of the ones that I selected for funding when I was, you know, running the NSTIC program and the idea was, you know, how can you do something for identity that's, you know, similar to what you see in financial services. I would say, you know, where it has gone as a pilot, it was a great--look, it is a pilot. It is a proof of concept, basically. It isn't something that's been picked up yet by industry. What I can say, though, is that work is being looked at by--I don't want to break confidentiality with anybody I am, you know, doing work with now. Mr. Carter. Right. Right. Mr. Grant. But some bigger players that matter in the ecosystem who are actually looking at taking that similar concept and actually developing a, you know, broader federated identity system that could be led by the private sector for making it easier for consumers to identify themselves. The idea would be to basically leverage work that's being done there already with I can actually say some financial services. Since banks know you, thanks to the Know Your Customer rules that they go through and you might trust your bank--not everybody does but some might--how could they vouch for you other places when you're looking to open up a new account. Mr. Carter. Right. But do you agree that this is kind of the route we ought to be going? Mr. Grant. I think--yes, I think it is a big part of the solution. I don't know that trust marks are going to solve everything. You know, look, so we did some good things with NSTIC. One of the things we didn't do is solve all the problems and it is because it is really complicated and there's a whole bunch of, you know, whether it is legal barriers, technical barriers, how do you create something that's really easy for consumers to use. There's issues that are out there. 
For as much as everybody loves to beat up on KBA and what the credit bureaus do, there's a reason it is been used so much in the market for years because that for many people it is work. Mr. Carter. Right. Mr. Grant. I am applying for a new credit card. I can do something instantly. When I went to lease a new car for my wife a year ago, I was able to get quick credit. So I don't want to suggest we throw the baby out with the bath water because there's problems. It is more realizing where attackers have caught up and how do we develop better solutions. Mr. Carter. OK. Mr. Hunt, any--any comments on trust marks and how it can be implemented into the private sector? Mr. Hunt. I think I would probably defer back to Mr. Grant as the expert on trust marks there. Mr. Carter. Right. Right. Were there any other new technologies that you find interesting and perhaps that have some potential? Mr. Hunt. I think ultimately we are going to see an augmentation of different practices. I mean, many people, for example, say, well look, is the answer biometrics or is the answer physical tokens. And where we are getting to now is I think an acknowledgement that we can't rely on one single knowledge- based authentication attribute, for example--that we do have many other things available to us now that we didn't have, say, two, decades ago. We have ubiquitous mobile devices with internet connectivity. We have SMS. We have other forms of identifiers like physical YubiKey tokens, for example. And I think the right strategy moving forward is going to be the right augmentation of those under the right scenarios, depending on the trust level that you need to establish. Mr. Carter. Great. Thank you all again, and I yield back. Mr. Griffith. I thank the gentleman for yielding back. I do have a couple of follow-up questions just to try to clarify some things. Staff did a nice job, as they always do, in educating me beforehand. But, Mr. Grant, you used the term public encrypto. Mr. Grant. 
No, public key crypto. Mr. Griffith. Oh. And what does that mean? Mr. Grant. Well, so there's--we can get really geeky talking about cryptography now--there's essentially two ways you can manage cryptographic keys. One is called symmetric-key, which is when I got a key and you know the key, and I have to present the key to you for it to match. It is a lot--similar to the way passwords work. The other is what's commonly known as asymmetric public key cryptography, or PKI for public key infrastructure. It is what the Defense Department as well as the Federal Government had been using for years, in many cases in lieu of passwords, in order to, you know, come up with unphishable authentication to protect Federal networks and systems. At the end of the day, the concept is rather than each entity having the same key, I get a key pair, and the public key is known to everybody but the private key is only residing with me. It can be in my mobile phone. It could be in my computer. It can be on a device like the YubiKey, which is--that Mr. Hunt mentioned which is a FIDO standard token, and when I am logging in someplace, I am basically asked to sign a cryptographic challenge where my public key is presented but the only way I can get in is if I have the corresponding private key with me physically. And so the--we could really go into the details of it in ways that would make everybody's head explode. It is not--this is actually one of the problems with--about the adoption of technology, by the way. It has been very complicated. But I think the most important point to keep in mind is it is a way to deliver unphishable authentication. It is not based on shared secrets. And when I talk about how attackers have caught up not only to passwords but also things like SMS codes or other one-time passwords that are only good for 30 seconds, you know, that 30 seconds is still enough for a moderately skilled attacker to phish my authentication code. 
Asymmetric public key crypto is where we should be building authentication solutions in the future so that we don't have phishable authentication. Mr. Griffith. All right. I appreciate that. Mr. Hunt, you travelled a long way. Is there anything that you had a burning desire to tell us that you haven't had an opportunity already to do so? Mr. Hunt. I think that the other thing I would add, obviously, I am very interested in how do we stem the flood of data breaches that we are seeing. And, you know, the things that really come to my mind that I would love to see implemented I mentioned education. So we are making lots of fundamental little mistakes. Another thing that's very important is making the disclosure of these incidents much easier. So I myself have been in this situation many times where someone has sent me data from an organization and just the ability to disclose it to the company, to find the right person who will listen, who will take it seriously, is enormously difficult. So I am very supportive of some of the initiatives we are seeing like bug bounties. So, for example, companies like BugCrowd are running many bug bounties where you as an organization can say if someone finds something wrong with my systems, I would like to know about it and I will likely pay a reward for that. And it is done legally, ethically, and it encourages the right behaviors. And I guess, finally, we'd also like to see more in the way of penalties because at the moment there's not enough accountability when things do go wrong, and I think we are all very curious to see how things like GDPR, which Mr. Grant mentioned earlier, how that plays out when it comes into effect in Europe in May where potentially an organization can be fined up to 4 percent of their annual gross revenue. Now, that starts to sting and we really hope that that actually drives more positive behaviors in the industry. Mr. Griffith. All right. I appreciate that. Mr. Tonko? Ms. Castor? 
Appreciate you all being here. This has been very informative. I suspect it'll be one of the more popular reruns on CSPAN, for those folks who are really into this, and I have learned so much. Thank you all for your time today and I appreciate it. And with that, got to go to my script so I don't leave anything out. I would remind Members that they have 10 business days to submit questions for the record and I ask that the witnesses all agree to respond promptly to those questions. Do I need to say anything else? All right. Got all that business--housekeeping taken care of. With that, the subcommittee is adjourned. Thank you. [Whereupon, at 11:47 a.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]