[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
IDENTITY VERIFICATION IN A POST-BREACH WORLD
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 30, 2017
__________
Serial No. 115-83
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
_________
U.S. GOVERNMENT PUBLISHING OFFICE
28-714 PDF WASHINGTON : 2018
COMMITTEE ON ENERGY AND COMMERCE
GREG WALDEN, Oregon, Chairman
JOE BARTON, Texas, Vice Chairman
FRED UPTON, Michigan
JOHN SHIMKUS, Illinois
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina

FRANK PALLONE, Jr., New Jersey, Ranking Member
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
DORIS O. MATSUI, California
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
YVETTE D. CLARKE, New York
DAVID LOEBSACK, Iowa
KURT SCHRADER, Oregon
JOSEPH P. KENNEDY, III, Massachusetts
TONY CARDENAS, California
RAUL RUIZ, California
SCOTT H. PETERS, California
DEBBIE DINGELL, Michigan
Subcommittee on Oversight and Investigations
VACANCY, Chairman
H. MORGAN GRIFFITH, Virginia, Vice Chairman
JOE BARTON, Texas
MICHAEL C. BURGESS, Texas
SUSAN W. BROOKS, Indiana
CHRIS COLLINS, New York
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
GREG WALDEN, Oregon (ex officio)

DIANA DeGETTE, Colorado, Ranking Member
JANICE D. SCHAKOWSKY, Illinois
KATHY CASTOR, Florida
PAUL TONKO, New York
YVETTE D. CLARKE, New York
RAUL RUIZ, California
SCOTT H. PETERS, California
FRANK PALLONE, Jr., New Jersey (ex officio)
C O N T E N T S
----------
Hon. H. Morgan Griffith, a Representative in Congress from the
Commonwealth of Virginia, opening statement
    Prepared statement
Hon. Kathy Castor, a Representative in Congress from the State of
Florida, opening statement
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement
    Prepared statement
Witnesses
Troy Hunt, Information Security Author and Instructor,
Pluralsight
    Prepared statement
    Answers to submitted questions
Jeremy Grant, Managing Director, Technology Business Strategy,
Venable, LLP
    Prepared statement
    Answers to submitted questions
Edmund Mierzwinski, Consumer Program Director, U.S. PIRG
    Prepared statement
Submitted Material
Subcommittee memorandum
IDENTITY VERIFICATION IN A POST-BREACH WORLD
----------
THURSDAY, NOVEMBER 30, 2017
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:15 a.m., in
room 2322, Rayburn House Office Building, Hon. H. Morgan
Griffith (vice chairman of the subcommittee) presiding.
Members present: Representatives Griffith, Brooks, Collins,
Walberg, Costello, Carter, Walden (ex officio), Schakowsky,
Castor, Tonko, Clarke, Ruiz, and Pallone (ex officio).
Staff present: Jennifer Barblan, Chief Counsel, Oversight
and Investigations; Samantha Bopp, Staff Assistant; Adam Fromm,
Director of Outreach and Coalitions; Ali Fulling, Legislative
Clerk, Oversight and Investigations, Digital Commerce and
Consumer Protection; Elena Hernandez, Press Secretary; Paul
Jackson, Professional Staff Member, Digital Commerce and
Consumer Protection; Bijan Koohmaraie, Counsel, Digital
Commerce and Consumer Protection; Alex Miller, Video Production
Aide and Press Assistant; John Ohly, Professional Staff Member,
Oversight and Investigations; Hamlin Wade, Special Advisor for
External Affairs; Jessica Wilkerson, Professional Staff Member,
Oversight and Investigations; Greg Zerzan, Counsel, Digital
Commerce and Consumer Protection; Julie Babayan, Minority
Counsel; Jeff Carroll, Minority Staff Director; Chris Knauer,
Minority Oversight Staff Director; Miles Lichtman, Minority
Policy Analyst; Dino Papanastasiou, Minority GAO Detailee; and
C.J. Young, Minority Press Secretary.
Mr. Griffith. We will go ahead and get started.
Welcome to this meeting of the O&I Subcommittee of Energy
and Commerce. So that everybody knows, there are a lot of folks
who are at another hearing downstairs and will be drifting in
and out.
Also, I would like to take a point of personal privilege
and recognize Allie Gilmer and Olivia Smoot, who are here
visiting today from my district at Auburn High School in Riner,
Virginia.
They are too young to remember this but I started
representing the Riner area in 1994 in the State legislature.
So it's good to have you.
Ms. Castor. Do you want to stand up?
Mr. Griffith. Yes, stand up. Be recognized. Thank you.
Thank you again. Welcome. Glad you're here with us today.
That being said, let's get started with our business here
today, and other folks will join us as we go forward on this
very important issue.
OPENING STATEMENT OF HON. H. MORGAN GRIFFITH, A REPRESENTATIVE
IN CONGRESS FROM THE COMMONWEALTH OF VIRGINIA
We are here today to talk about a very important topic:
identity verification in a post-breach world. This hearing is
especially timely, given several events that have taken place
since the hearing itself was announced last week, including
three newly discovered data breaches that compromised an
additional 58.7 million records as well as two major shopping
days--Black Friday and Cyber Monday.
With consumers rushing to take advantage of holiday sales
both in stores and online, the questions and challenges around
modern identity verification become even more pressing.
Data breaches have been increasingly--have been an
increasing problem over the last several years. In fact, it is
likely that everyone in this room has had their information
included in a recent breach.
Between the 57 million accounts compromised in Uber's recently
disclosed 2016 breach, the 145 million accounts compromised in
Equifax's breach, or the 22 million accounts compromised in the
OPM breach, as well as many others, I would argue that it would
be difficult to find an American whose information has not been
compromised.
While these breaches themselves are troubling enough, they
also raise a subtle, more complicated series of questions and
issues around the ways in which organizations including
government agencies, banks, health care organizations, and
retail companies perform identity verification of their
citizens and their customers.
It is a well understood concept that, to quote the famous
cartoon on the internet, nobody knows you're a dog when you're
on the internet.
This anonymity has many advantages and it is important to
many aspects of the modern internet.
However, as the global economy has become more and more
digital and an increasing amount of commerce takes place
online, it also creates significant challenges for
organizations attempting to ensure that they provide
information and services only to authorized individuals.
Because these interactions usually take place on opposite
ends of an internet connection with participants rarely if ever
meeting face to face, the ability of organizations to remotely
verify individuals has been a constant struggle.
As a result, for years many organizations have relied on a
type of identity verification known as knowledge-based
authentication, or KBA. We are all familiar with this process
even if we don't quite know it.
For example, some online accounts ask consumers to provide
answers to security questions such as their mother's maiden
name, the make and model of their first car, or the street on
which they grew up.
Similarly, when consumers attempt to open new credit lines,
they are often asked a series of multiple-choice questions that
may ask who provided a consumer loan and in what year.
These are all examples of KBA. The effectiveness of KBA
depends on a very important assumption--that information such
as birthdays, mothers' maiden names, addresses, work histories
and other KBA attributes remain relatively secret.
In today's post-breach world, this is a tenuous assumption.
Add the wealth of personal information consumers voluntarily
share about their lives through social media and this
assumption appears almost laughable.
So what do we do? If modern commerce and many other
services including government services rely on KBA for identity
verification and that verification is no longer as secure or
reliable as it was in the past, we need new strategies and new
technologies to ensure that consumers are protected and
economic growth continues and we need them quickly.
With the exponential growth of connected devices and
services, it is likely that we will see more data breaches more
often, not less.
Luckily, we are not starting from scratch. In the public
sector, the National Institute of Standards and Technology--
NIST--spent the past several years developing strategies and
frameworks for identity verification under their Trusted
Identities Group--TIG.
As a part of this work, NIST's TIG has provided funding to
pilot programs looking to develop, implement, and leverage
innovative new technologies that move organizations beyond KBA.
Similarly, in the private sector, many companies and
organizations from a wide variety of sectors have come together
to create the Fast Identity Online, or FIDO, Alliance.
The FIDO Alliance provides a forum for collaboration and
cooperation around the development of standards-based
interoperable technologies. These standards are freely
available and already deployed in the products of companies
like Google and PayPal.
Our witnesses today will not only help us understand the
cumulative impact of the dozens of data breaches that have
occurred in recent years but also assess how current practices
can and should be improved to protect consumers and their
information and how it's been breached.
Today's hearing is the start of what I expect will be a
much longer conversation. But it's a necessary conversation to
have as our world becomes ever more connected. Identity
verification is a challenge that will only continue to grow.
[The prepared statement of Mr. Griffith follows:]
Prepared statement of Hon. H. Morgan Griffith
We are here today to talk about a very important topic:
identity verification in a post-breach world. This hearing is
especially timely given several events that have taken place
since the hearing itself was announced last week, including
three newly disclosed data breaches that compromised an
additional 58.7 million records, as well as two major shopping
days, Black Friday and Cyber Monday. With consumers rushing to
take advantage of holiday sales, both in stores and online, the
questions and challenges around modern identity verification
become even more pressing.
Data breaches have been an increasing problem over the last
several years. In fact, it is likely that everyone in this room
has had their information included in a recent breach. Between
the 57 million accounts compromised in Uber's recently
disclosed 2016 breach, the 145 million accounts compromised in
Equifax's breach, or the 22 million accounts compromised in the
OPM breach, as well as many others, I would argue that it would
be difficult to find an American whose information has not been
compromised.
While these breaches themselves are troubling enough, they
also raise a subtle, more complicated series of questions and
issues around the ways in which organizations, including
government agencies, banks, healthcare organizations, and
retail companies perform identity verification of their
citizens and customers.
It's a well understood concept that, to quote the famous
cartoon, on the Internet nobody knows you're a dog. This
anonymity has many advantages, and is important to many aspects
of the modern Internet. However, as the global economy has
become more and more digital, and an increasing amount of
commerce takes place online, it also creates significant
challenges for organizations attempting to ensure that they
provide information and services only to authorized
individuals. Because these interactions usually take place on
opposite ends of an Internet connection, with participants
rarely meeting face to face, the ability of organizations to
remotely verify individuals has been a constant struggle.
As a result, for years, many organizations have relied on a
type of identity verification known as ``Knowledge-Based
Authentication'' or ``KBA.'' We are all familiar with this
process, even if we don't quite know it. For example, some
online accounts ask consumers to provide answers to ``security
questions'' such as their mother's maiden name, the make and
model of their first car, or the street on which they grew up.
Similarly, when consumers attempt to open new credit lines,
they are often asked a series of multiple-choice questions that
may ask who provided a consumer a loan, and in what year. These
are all examples of KBA.
The effectiveness of KBA depends on a very important
assumption--that information such as birthdays, mother's maiden
names, addresses, work histories, and other KBA attributes
remain relatively secret. In today's post-breach world, this is
a tenuous assumption. Add the wealth of personal information
consumers voluntarily share about their lives through social
media and this assumption appears almost laughable.
So what do we do? If modern commerce and many other
services, including government services, rely on KBA for
identity verification, and that verification is no longer as
secure or reliable as it was in the past, we need new
strategies and new technologies to ensure that consumers are
protected, and economic growth continues. And we need them
quickly; with the exponential growth of connected devices and
services, it is likely that we will see more data breaches more
often, not less.
Luckily, we are not starting from scratch. In the public
sector, the National Institute of Standards and Technology
(NIST) spent the past several years developing strategies and
frameworks for identity verification under their Trusted
Identities Group (TIG). As part of this work, NIST's TIG has
provided funding to pilot programs looking to develop,
implement, and leverage innovative new technologies that move
organizations beyond KBA.
Similarly, in the private sector, many companies and
organizations from a wide variety of sectors have come together
to create the Fast Identity Online, or FIDO, Alliance. The
FIDO Alliance provides a forum for collaboration and
cooperation around the development of standards-based,
interoperable technologies. These standards are freely
available and already deployed in the products of companies
like Google and PayPal.
Our witnesses today will not only help us understand the
cumulative impact of the dozens of data breaches that have
occurred in recent years, but also assess how current practices
can and should be improved to protect consumers after their
information has been breached.
Today's hearing is the start of what I expect will be a
much longer conversation. But it's a necessary conversation to
have. As our world becomes ever more connected, identity
verification is a challenge that will only continue to grow.
Thank you, and I yield back and now recognize Ms. Castor of
Florida for an opening statement.
OPENING STATEMENT OF HON. KATHY CASTOR, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF FLORIDA
Ms. Castor. Well, thank you, Mr. Chairman, and thank you
for calling this hearing.
Mr. Chairman, data breaches are compromising the personal
information of millions of Americans. The Equifax breach
earlier this year, for example, exposed the personal
information including names, Social Security numbers, birth
dates, addresses, and other sensitive data of as many as 145
million Americans.
And there have been many more--Yahoo, JPMorgan Chase, eBay,
Uber. We simply cannot accept this as standard operating
procedure. When companies like Equifax, Yahoo, and Uber fail to
protect the vast information they collect about consumers, it
poses very serious risks.
It's not limited to private corporations. Governmental
entities have also failed to adequately protect personal
private data.
But with each data breach after each data breach,
compromising more and more of consumers' personal information,
we have got to ask how do we ensure an online identity can be
verified only by the person in question.
I also think it's important that we not forget that
companies should be held accountable when they fail to protect
our data.
The Equifax breach exposed the personal information of
nearly half of the American population and it could have been
prevented by applying basic security standards.
So what is the recourse? What is the appropriate recourse?
I know that experts are working to develop methods to better
protect online identities and I would like to hear what your
recommended solutions are.
Under President Obama, the White House released the
National Strategy for Trusted Identities in Cyberspace. It's a
framework for public and private collaboration on protecting
digital identities and improving online transactions.
So building on that effort, companies have begun
experimenting with ways to improve identity verification and
authentication.
I would like to hear about some of these solutions as well
as what we can do to protect consumers' privacy. As more and
more of our lives are online, it is equally important that we
ensure that these systems are secure and that the ways in which
we access these systems are protected.
I would like to thank our witnesses--Mr. Jeremy Grant, Mr.
Troy Hunt, Mr. Ed Mierzwinski--for coming today to discuss the
principles and various challenges in verifying online
identities.
Each of you brings a wealth of knowledge and experience to
this hearing and it's a pleasure to have you here today. Thank
you, and I yield back.
Mr. Griffith. I thank the gentlelady.
I now recognize the chairman of the full committee, Mr.
Walden of Oregon.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. I thank the chairman, and we appreciate your
leadership on this and so many other issues, and we want to
thank the witnesses for being here today.
We have another hearing going on downstairs on the
anniversary of the 21st Century Cures legislation so I am
bouncing back and forth today.
Today's hearing is about the future of digital commerce, as
we all know, and it's about the future of how we ensure the
person on the other end of an online transaction is in fact the
person they claim to be. What a concept.
For years, we have relied on user names, passwords, and
knowledge-based questions to confirm a user's identity. It's
not a particularly sophisticated process. Your mother's maiden
name or the make and model of your first car aren't exactly
reliable forms of verification.
Regardless, this process was suitable for a period of time
in the evolution of our connected world but that time has long
since passed, as we all know.
As noted by one of our witnesses today, it was almost a
decade ago that the 2008 Commission on Cybersecurity for the
44th presidency highlighted identity as a frequent attack
vector for cyberattacks.
This prompted the previous administration to launch the
National Strategy for Trusted Identities in Cyberspace, or
NSTIC.
As we will hear today, this high-level Federal attention
encouraged the progress but we still have a long ways to go.
How far? Well, according to Verizon's annual data breach
investigation report, about 80 percent of breaches last year
used identity as a point of compromise--80 percent.
What has changed to make existing identity management
practices so ineffectual and vulnerable to attack? There are a
number of factors at play but the underlying answer is fairly
simple.
Today, the information necessary to compromise identity is
readily available to those who wish to find it. We live in a
post-breach world. Just look at the massive breaches that have
occurred over the last several years from Target and Home Depot to
Yahoo, Anthem, OPM, Equifax and, most recently, Uber, to name a
few.
I would be surprised if anyone in this room has not had at
least some portion of their personal details stolen in the last
2 years, let alone their digital lifetime.
I remember a former colleague from Michigan who chaired the
Intelligence Committee, Mike Rogers, used to say there are two
types of companies in America--those that know they've been
breached and those that don't.
It is not, however, just stolen data that undermines
current identity verification practices. The explosion of
social media is also a factor.
Every day, consumers voluntarily post, tweet, and share
details about their lives, adding to the rich data set of
information available to malicious actors.
One of our witnesses, Mr. Hunt, is a global expert on these
issues and that's why your testimony is so very valuable to our
work, especially on how bad actors can compromise identity
through the collection of personal information and data that
already exists in the digital universe.
He endured a 27-hour journey to be here, I am told, and I
suspect his testimony will be illuminating for all of us. I
thought I had a long trip back and forth to the West coast
every week.
We can no longer ignore the current reality. Whether
through theft or voluntary disclosure, our information is out
there and this is not likely to change.
Social media will continue to grow. Social, cultural, and
economic benefits are just too great for it not to. Likewise,
digital commerce and online transactions are integral to our
economic prosperity both now and in the future.
As our lives become increasingly entwined in the digital--
with the digital space, this must come with an acceptance that
our information will always be at risk.
Such is the nature of the cyber threat we face and there is
no perfect security in the connected world. But that makes it
even more important that we find ways to reduce vulnerabilities
in our digital ecosystem.
Clearly, identity is one of those weaknesses. So therefore,
I look forward to the work this committee is doing and the
testimony you all have submitted to us and the policies that
will develop, moving forward.
With that, Mr. Chairman, I yield back the balance of my
time and, again, thank our witnesses for being here and, as I
said, I've got a couple of these I have to bounce between. But
we appreciate the work you're doing.
[The prepared statement of Mr. Walden follows:]
Prepared statement of Hon. Greg Walden
Today's hearing is about the future of digital commerce. It
is about the future of how we ensure the person on the other
end of an online transaction is, in fact, the person they claim
to be. For years, we have relied on user names, passwords and
knowledge-based questions to confirm a user's identity. It's
not a particularly sophisticated process--your mother's maiden
name, or the make and model of your first car aren't exactly
reliable forms of verification.
Regardless, this process was suitable for a period of time
in the evolution of our connected world--but that time has
long-since passed. As noted by one of our witnesses, it was
almost a decade ago that the 2008 Commission on Cybersecurity
for the 44th Presidency highlighted identity as a frequent attack
vector for cyberattacks.
This prompted the previous administration to launch the
National Strategy for Trusted Identities in Cyberspace
[NSTIC]. As we will hear today, this high-level Federal attention
encouraged some progress but we have a long way to go. How far?
Well, according to Verizon's annual Data Breach Investigation
Report, more than 80 percent of breaches last year used
identity as a point of compromise.
What has changed to make existing identity management
practices so ineffectual and vulnerable to attack? There are a
number of factors at play but the underlying answer is fairly
simple--today, the information necessary to compromise identity
is readily available to those who wish to find it.
We live in a post-breach world. Just look at the massive
breaches that have occurred over the last several years from
Target and Home Depot to Yahoo, Anthem, OPM, Equifax and most
recently Uber--to name a few. I would be surprised if anyone in
this room has not had at least some portion of their personal
details stolen in the last 2 years, let alone through their
digital lifetime.
It is not, however, just stolen data that undermines current
identity verification practices. The explosion of social media
is also a factor. Every day consumers voluntarily post, tweet,
and share details about their lives--adding to the rich data
set of information available to malicious actors.
One of our witnesses, Mr. Hunt, is a global expert on these
issues--especially how bad actors can compromise identity
through the collection of personal information and data that
already exists in the digital universe. He endured a 27-hour
journey to be here today and I suspect his testimony will be
illuminating for all of us.
We can no longer ignore the current reality. Whether
through theft, or voluntary disclosure, our information is out
there. And this is not likely to change. Social media will
continue to grow--the social, cultural and economic benefits
are too great. Likewise, digital commerce and online
transactions are integral to our economic prosperity--both now
and in the future. As our lives become increasingly entwined
with the digital space, this must come with an acceptance that
our information will always be at risk.
Such is the nature of the cyber threat. There is no perfect
security in the connected world, but that makes it even more
important that we find ways to reduce vulnerabilities in our
digital ecosystem. Clearly, identity is one of those weaknesses
and I look forward to hearing from all our witnesses about what
options exist to address this challenge.
Mr. Griffith. Thank you, Mr. Chairman. I appreciate that.
I will tell you that Mr. Hunt not only sacrificed with the
27-hour flight to get here but also put on a suit and tie for
us where he normally wears jeans and a black T-shirt,
according, at least, to his comments on the internet.
[Laughter.]
Mr. Griffith. But anyway----
Mr. Walden. I was starting to wonder if it's actually him
or a stolen identity before that. But I don't know. Thank you.
Mr. Griffith. Anyway, thank you, Mr. Chairman.
At this point, I would ask--oh, I would recognize Mr.
Pallone of New Jersey for an opening statement. Glad you made
it. Thank you.
Mr. Pallone. Thank you, Mr. Chairman.
I want to--I have actually got the wrong statement here
from the other committee.
Mr. Griffith. We will give you a minute. We have explained
to everybody that we have two hearings going on at the same
time and that folks are having to bounce back and forth so----
Mr. Pallone. All right.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
So let me, again, thank you, Mr. Chairman.
So much of our lives today is linked to what we do online
and companies in virtually every sector of the economy collect
vast amounts of personal data about consumers, and these
companies know they are targets for malicious attacks and all
too often they fail to protect the valuable consumer
information they collect and store.
For example, recently the ride service company Uber
revealed that it had been hacked more than a year ago, and this
breach reportedly exposed the personal information of 57
million riders and drivers.
This security breach is yet another example of a company
that failed to protect the data of its customers and then
failed to come clean about their security breach, in this case
for more than a year.
Then there was the Equifax data breach which compromised
the personal data of more than 145 million Americans, and
what's worse, the Equifax breach compromised personal data like
Social Security numbers and birth dates that are difficult or
impossible to change.
And consumers affected by the Equifax breach are
vulnerable, particularly because these identity verifiers can
give someone access to other sensitive information.
The committee is still waiting for answers to questions we
asked Equifax both before and after our hearing on the breach
and, obviously, that's unacceptable so, hopefully, we will get
answers.
It's also unacceptable to the American people because when
companies fail to protect consumer data consumers pay the
price, sometimes years after a breach.
So as data breaches continue to compromise our personal
information, it's important that we explore how consumers and
the holders of consumer information can verify that individuals
are who they say they are online.
For example, how many times has each of us been asked to
provide the last four digits of our Social Security number to
get access to other information?
But how do we protect consumers' digital identities,
especially after the Equifax data breach exposed the Social
Security numbers of nearly half the U.S. population?
And as companies suggest that they may move to behavioral
and biometric verifiers, are we comfortable with how much more
personal information will be collected and used?
Are we comfortable with trusting that companies will keep
this data secure? And these are important questions now facing
the world of digital commerce.
According to the Identity Theft Resource Center, as many as
1,190 data breaches have occurred so far this year. Any data
breach exacerbates the issues the public is facing in verifying
their identities and authenticating access online.
Hackers and other malicious actors erode the trust we have
online by using the data they've been able to glean about each
and every one of us, and that's not good for business and it's
certainly not good for consumers.
So, again, I just want to thank our witnesses for being
here today to discuss the latest in identity verification and
the challenges of protecting people's data and I believe that
unless we act and pass meaningful legislation we will continue
to see more data breaches and the unfortunate ripple effects
that result from them.
I don't know if--you don't want to add anything? All right.
I yield back, Mr. Chairman.
[The prepared statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
Thank you, Mr. Chairman. So much of our lives today are
online. Companies in virtually every sector of the economy
collect vast amounts of personal data about consumers. These
companies know they are targets for malicious attacks, and all
too often, they fail to protect the valuable consumer
information they collect and store.
Just this past week for example, the ride service company,
Uber, revealed that it had been hacked--more than a year ago.
This breach reportedly exposed the personal information of 57
million riders and drivers. This security breach is yet another
example of a company that failed to protect the data of its
customers, and then failed to come clean about their security
breach--in this case for more than a year.
Then there was the Equifax data breach, which compromised
the personal data of more than 145 million Americans. What's
worse, the Equifax breach compromised personal data like Social
Security numbers and birth dates that are difficult or
impossible to change.
Consumers affected by the Equifax breach are vulnerable--
particularly because these identity verifiers can give someone
access to other sensitive information. This committee is still
waiting for answers to questions we asked Equifax both before
and after our hearing on the breach. This is unacceptable.
This is also unacceptable to the American people because
when companies fail to protect consumer data, consumers pay the
price--sometimes years after a breach.
As data breaches continue to compromise our personal
information, it is important that we explore how consumers and
the holders of consumer information can verify that individuals
are who they say they are online.
For example, how many times has each of us been asked to
provide the last four digits of our Social Security number to
get access to other information? But how do we protect
consumers' digital identities, especially after the Equifax
data breach exposed the Social Security numbers of nearly half
the U.S. population?
And as companies suggest that they may move to behavioral
and biometric verifiers, are we comfortable with how much more
personal information will be collected and used? Are we
comfortable with trusting that companies will keep this data
secure? These are important questions now facing the world of
digital commerce. According to the Identity Theft Resource
Center, as many as 1,190 data breaches have occurred so far
this year.
Any data breach exacerbates the issues the public is facing
in verifying their identities and authenticating access online.
Hackers and other malicious actors erode the trust we have
online by using the data they have been able to glean about
each and every one of us. That's not good for business, and
it's certainly not good for consumers.
I want to thank our witnesses for being here today to
discuss the latest in identity verification and the challenges
of protecting people's data. I believe that unless we act and
pass meaningful legislation, we'll continue to see more data
breaches and the unfortunate ripple effects resulting from
them.
Thank you, and I yield back.
Mr. Griffith. Thank you very much for yielding back. I
appreciate that, Ranking Member.
With that being said, I would now ask for unanimous consent
that the Members' written opening statements be made a part of
the record. Without objection, they will be so entered.
I would now like to introduce our panel of witnesses for
today's hearing and appreciate all of you being here.
First, we have Mr. Troy Hunt, the information security
author and instructor for Pluralsight. Next is Mr. Jeremy
Grant, who serves as the managing director of Technology
Business Strategy at Venable. And finally, we have Mr. Ed
Mierzwinski, who is the consumer program director at U.S. PIRG,
or PIRG.
Thank you all for being here today, and I look forward to
your testimony and we appreciate you providing that testimony.
We look forward to the opportunity to discuss identity
verification with you all.
As you all are aware, the committee is holding an
investigative hearing and when doing so it is the practice of
this committee--this subcommittee of taking that testimony
under oath.
Do any of you have an objection to testifying under oath?
Seeing none, the Chair then advises you that under the
rules of the House and the rules of this committee, you are
entitled to be accompanied by counsel.
Do any of you desire to be accompanied by counsel during
your testimony today?
Seeing no request for counsel, in that case would you
please rise and raise your right hand, and I will swear you in.
[Witnesses sworn.]
Seeing affirmative answers from all, you are now under oath
and subject to the penalties set forth in Title 18 Section 1001
of the United States Code.
You may now give a 5-minute summary of your written
statement, and we will begin with you, Mr. Hunt.
Thank you so much for being here. You have 5 minutes.
STATEMENTS OF TROY HUNT, INFORMATION SECURITY AUTHOR AND
INSTRUCTOR, PLURALSIGHT; JEREMY GRANT, MANAGING DIRECTOR,
TECHNOLOGY BUSINESS STRATEGY, VENABLE, LLP; AND EDMUND
MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PIRG
STATEMENT OF TROY HUNT
Mr. Hunt. Vice Chairman Griffith, Ms. Castor, and
distinguished members of the House Energy and Commerce
Committee, thank you for the opportunity to testify today.
My name is Troy Hunt. I am an independent information
security author and instructor for Pluralsight. I am also the
creator of the data breach notification service known as Have I
Been Pwned.
In my time running this service, I've analyzed hundreds of
individual data breaches containing many billions of records,
and I've observed firsthand both the alarming increase in
incidents and, indeed, the impact they are having on people's
lives.
This testimony draws on my experiences running the service
and describes the challenges we are now facing in a time where
data breaches have become the new normal.
When we talk about data breaches, we are really talking
about a range of different types of events that can lead to the
exposure of our personal information.
We typically think of malicious actors exploiting
vulnerabilities in protected systems and, indeed, that's an
enormously prevalent and alarming situation.
But increasingly we also see data breaches occur as a
result of simple human error. For example, accidentally
publishing data to an unprotected publicly facing server where
it's then discovered by unintended parties.
We have a perfect storm of factors that are causing both
the frequency and scale of these incidents to accelerate. Cloud
services have made it easier than ever to publish data
publicly, and that has helped to drive the expansion of other
online services, which have in turn increased the overall
attack surface of the internet.
At the same time, we have the rapidly growing internet of
things, collecting classes of data we simply never had
digitized in the past and, increasingly, we are seeing that
information appear in data breaches, too.
Organizational attitudes to our personal information lead
to data maximization. That is a desire to collect as much of it
as possible, often well beyond the scope of what is actually
needed by the service it's being provided to.
Frequently, this is without informed consent, particularly by
the likes of data aggregators and, indeed, we have seen them
suffer data breaches, too, both here in the U.S. and overseas.
Now, data is viewed as an asset yet organizations fail to
recognize that it is also a liability. Exacerbating exposure of
data is a rampant trading scene. Data is not only sold for
profit but regularly exchanged by individuals building personal
collections.
I liken it to kids exchanging baseball cards, except that
unlike trading a physical commodity, the exchange of data
breaches is more like making a photocopy, as the original
version still exists.
Once it enters circulation, it is impossible to contain it.
The data breach genie is out of the bottle. We are also
learning how much we don't know as significant data breaches
that occurred years ago come to light.
We have no idea how many more unknown incidents are out
there, and not only do we not know which organizations have
lost their data and are unaware of it themselves, we don't know
which ones are deliberately concealing data breaches.
There is a lack of accountability when a breach does occur.
We know this because very little changes in the industry
afterwards.
We constantly see large data breaches and people ask, will
this be the watershed moment where we start taking these
breaches more seriously.
Yet, nothing changes and we merely repeat the same
discussion after the next incident. We are also disclosing
large amounts of personal data of our own free will, such as
our date of birth, by social media.
We think nothing of it because a growing proportion of the
population has never known a time where we didn't do this. They
are the internet natives that have grown up in an environment
of personal information sharing.
Consider the impact on knowledge-based authentication, the
very premise that there is information that you know that is
sufficient to prove your identity. That same information is
increasingly public.
My dad recently had some help setting up a new broadband
connection, and after calling up the provider the first thing
they asked him was his date of birth. That's the same personal
attribute I had exposed after I donated blood and that
subsequently appeared in a data breach.
And that is really the challenge we have today, the premise
of authenticating one's self with information that only they
should know, yet is increasingly in the public domain.
That worked years ago when information was contained in a
small number of silos, but that's not the world we live in
today. And consequently, our assumption about who knows what
has to change accordingly in the age of the data breach.
Thank you very much.
[The prepared statement of Mr. Hunt follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Griffith. Thank you, Mr. Hunt. I appreciate that, and
now recognize Mr. Grant.
STATEMENT OF JEREMY GRANT
Mr. Grant. Good morning, Vice Chairman Griffith, Ms.
Castor, members of the committee. Thank you for the opportunity
to discuss identity with you today.
As background, I've worked for more than 20 years in both
industry and Government at the intersection of identity and
cybersecurity.
In 2011, I was selected to lead the National Strategy for
Trusted Identities in Cyberspace, or NSTIC, which was a White
House initiative focused on improving security, privacy,
choice, and innovation online for better approaches to digital
identity.
In that role, I built out what is now the Trusted
Identities Group at the National Institute of Standards and
Technology and also served as NIST's senior executive advisor
for identity management.
I left Government in 2015 and now lead the Technology
Business Strategy practice at Venable, a law firm with the
country's leading privacy and cybersecurity practice, though I
should note today my testimony represents my views alone.
So let me say up front I'm quite grateful to the committee
for calling this hearing today. Identity is a topic that
impacts every American but it's only recently that identity has
started to get proper attention from policy makers in the U.S.,
and at a high level the way that we handle identity in America
impacts our security, our privacy, and our liberty.
From an economic standpoint, particularly as we start to
move high-value transactions into the digital world, identity
can be the great enabler, providing the foundation for digital
transactions and online experiences that are more secure, more
enjoyable for the user and, ideally, more respectful of their
privacy.
When we don't get identity right we enable a great set of
attack points for criminals and other adversaries looking to
execute attacks in cyberspace and, unfortunately, we have not
been doing very well here.
Last year, a whopping 81 percent of hacking attacks were
executed by taking advantage of weak or stolen passwords.
Eighty-one percent is an enormous number.
It means that it is an anomaly when a breach happens and
identity does not provide the attack vectors and, as my
colleague, Troy, will probably discuss today with his Web site,
Have I Been Pwned, there are now billions of compromised
usernames and passwords that are out there in the marketplace.
It is high time we find a way to kill the password.
Outside of passwords, we have seen adversaries go after
massive datasets of Americans in large part so they have an
easier time compromising the questions used in identity
verification tools like KBA.
This was illustrated quite vividly by the 2015 hack of the
IRS' Get My Transcript application where more than 700,000
Americans had sensitive tax data compromised.
A key takeaway for this committee to understand today is
that attackers have caught up with many of the first generation
tools that we have used to protect and verify identity.
The recent Equifax breach might have driven this point home
but the reality is that these tools have been vulnerable for
quite some time.
There are many reasons for this, and there is certainly
blame to allocate. But the most important question at this
point is, What should Government and industry do about it now?
As I lay out today, I believe the Government is going to
need to step up and play a bigger role to help address critical
vulnerabilities in our digital identity fabric.
There are five primary areas where Government, working
together with the private sector, can help address the
weaknesses of first generation identity verification and
authentication tools and deliver next-generation solutions that
are not only more secure but also better for privacy and
consumer experiences.
First, when talking about the future of the Social Security
number and whether it needs to be replaced, it is essential for
folks to understand the difference between SSN's role as an
identifier and its use as an authenticator.
SSNs should no longer be used as authenticators but that
does not mean we need to replace them as identifiers. Instead,
let's just try treating them like the widely available numbers
that they are.
That means that as a country we stop pretending that
knowledge of somebody's Social Security number can actually be
used to prove that they are who they claim to be.
Second, along with the SSN let's just recognize how useless
passwords have become as a security tool. There is no such
thing as a strong password in 2017 and we should stop trying to
pretend otherwise.
Third, recognize that it's not all bad news out there.
Government and industry have recognized the problem with old
authenticators like passwords and SSNs and they've actually
been working together the last few years to make strong
authentication easier.
Multistakeholder efforts like the FIDO Alliance, which Vice
Chairman Griffith mentioned earlier, have developed standards
for next-generation authentication that are now being embedded
in most devices, operating systems, and browsers in a way that
enhances security, privacy, and user experience. The Government
can play a role in helping to drive user adoption.
Fourth, while authentication is getting easier, identity
proofing is getting harder as attackers have caught up to
first-generation solutions like static KBA.
This might actually be the most impactful area where the
Government can help, by allowing consumers to ask agencies that
already have their personal information and have validated it,
in many cases with an in-person process, to then vouch for them
for--with other parties that they seek to do business with.
The Social Security Administration and State Department and
Motor Vehicles have the most to offer here, and this is
actually a concept that was embraced in the 2016 report from
the bipartisan Commission on Enhancing National Cybersecurity.
Here, the Federal Government should work to develop a
framework of standards and rules to make sure this is done in a
secure, privacy-enhancing way and look at funding work to get
it started.
Finally, technology can help solve the problem but better
standards will be needed for companies and agencies to apply
it. Further investments in Government research and standards
work can go a long way toward making it easier for any party in
the public or private sector to implement stronger identity
solutions.
I appreciate the opportunity to testify today and look
forward to answering your questions.
[The prepared statement of Mr. Grant follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Griffith. I thank the gentleman and now recognize Mr.
Mierzwinski for 5 minutes.
STATEMENT OF EDMUND MIERZWINSKI
Mr. Mierzwinski. Thank you, Vice Chairman, and
Representative Castor, and members of the committee.
The Equifax breach was an epic fail in a lot of different
ways. I know that this full committee has held hearings on it.
Mr. Walden, the chairman of the full committee, used an
excellent line when he said, ``I can't fix stupid,'' when he
was talking about Equifax's many problems.
I agree with the chairman on that, but I want to point out
a few other points about Equifax that may not have been pointed
out in that hearing.
First of all, I think everybody sees them as a credit
bureau, and that is true--they are one of the big three credit
bureaus that collect information and sell it for the purpose of
employment and credit and insurance decisions.
They are gatekeepers to our financial and economic
opportunity. So it's very important that they do a better job.
In fact, that's their only job is buying and selling data. So
you can't blame Target or even OPM the same way you can blame
Equifax for their many, many epic fails in that--in that
debacle.
But I want to point out also--and the Federal Trade
Commission has issued several reports on this--Equifax is not
only a credit bureau. It is a data broker, and data brokers,
unlike credit bureaus, are ubiquitous in society and they are
virtually unregulated and they buy and sell information every
day that's very similar to credit reports but unregulated. So
we need to take a look at the data broker system and figure out
a way to regulate it more closely.
Second, I think we need to go back to first principles. Mr.
Hunt referred to data maximization. The code of fair
information practices says data minimization should be a goal
and the code of fair information practices is embedded in a
number of our laws, including the U.S. Privacy Act of 1974.
So we can't just protect all information. We've got to
start collecting less information and keeping it for shorter
periods of time.
We have already heard from several witnesses and members of
the committee about the problem of SSNs as identifiers and
authenticators.
But I want to point out that our credit reporting system,
how we obtain credit in society, a bad guy doesn't try to get
your credit report. That's very hard to do.
A bad guy gets your Social Security number and goes to a
creditor, and a creditor, being a trusted partner to the credit
bureaus, gets your credit report and gives credit to the
imposter. That's a very flawed system that needs to be fixed.
The principal thing that I think Congress should do in
response to Equifax, and I think it's bipartisan, is make
credit freezes free.
Credit freezes are the best way to protect your identity
from financial identity theft. But, unfortunately, they cost
money in most States.
The problem of KBA authentication has already been
discussed. I want to point out it's so obsolete it's pathetic
and it also upset--it's not only bad because imposters can do
one-second searches on the internet and obtain answers to the
questions.
Sometimes consumers don't know the answers to the
questions. My colleague was asked how much credit her--you
know, her family member Chester had. Chester was her dog. He
died years ago. She was 5 years old. Why is Chester a security
question? What is the name of your first student loan company?
Was it Sallie Mae or was it Navient? They keep changing the
names of all of these companies. It's all ludicrous.
On multifactor identification, I think it's a real positive
step. But I do want to point out that biometrics, the third
general multifactor authentication--something you know,
something you have, and something you are--privacy groups are
very concerned about databases of biometric information posing
privacy and civil liberties threats.
But on the other hand, if my fingerprint is only stored in
my phone, perhaps that's a better solution. I'm very encouraged
by the work that the other witnesses have talked about.
The FIDO Alliance and the NIST program have been open-
source, open-standard, multistakeholder investigations of how
to improve our privacy and authentication mechanisms.
On the other hand, I contrast that to the credit card PCI
standards that have been imposed on merchants. The Target and
the Home Depot, the Michael's, et cetera--all the merchant
breaches--you can't blame the merchants for having to use an
obsolete credit card with a magnetic stripe.
And now the--now the first have gone to a chip card, which
is a type of tokenization, and that is good but they could have
gone further. They could have gone to chip and PIN. They could
have gone to best available technology.
So we have made some progress but a lot more needs to be
done. Thank you very much for the time.
[The prepared statement of Mr. Mierzwinski follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Griffith. Thank you. Appreciate that, and we will now
begin the questioning, and I will start with questions.
Mr. Hunt, in your testimony you talk about the exposure of
data due to accidental misconfigurations of cloud services. You
were certainly spot on.
One such misconfiguration was discovered in the Federal
Government this week, and it has been reported that this is the
fifth time the Government has suffered a similar accidental
exposure this year.
Indeed, many companies, including Uber, have suffered
information compromises because of these kinds of
misconfigurations.
Why does this keep happening? Is it really that easy to
accidentally share your cloud services with the world?
Mr. Hunt. Well, the easy answer to the last question is
yes, it is that easy. It's very often just a simple
misconfiguration, and the difference between, let's say, a
storage account within Amazon being protected and needing
credentials in order to access it and being wide open is
literally one configuration that can take seconds to make.
So in terms of why it's that easy or how come this keeps
happening so frequently, very often this is a competency
problem. So people have access to resources such as cloud
services that aren't sufficiently skilled in order to figure
out how to configure them securely. Sometimes it can just be a
simple oversight and there's not enough backup controls to
identify when something like this is exposed publicly.
It is also very difficult for organizations because when
cloud services are used they tend to very frequently sit
outside their known address space.
So, traditionally, an organization could say these are our
IP addresses, this is the range of our scope of assets and then
you can go onto the cloud and you can put things in totally
outside that construct.
And then compounding that as well we have this--this, I
guess, construct called Shadow IT and for the longest time we
have had the concern of Shadow IT--people working outside the
formal constructs of the way the IT department and organization
should run.
And today, it is very simple for someone in an organization
to go to the likes of Amazon and say, ``Look, I would like a
storage account. I am going to publish data there,'' and the IT
department never even knows about it.
So there's a number of factors leading to the prevalence of
what is now becoming a very common event.
Mr. Griffith. Now, are any of the data breaches included in
your service from such a misconfiguration?
Mr. Hunt. From which, sir?
Mr. Griffith. From--from your service.
Mr. Hunt. Oh, from misconfiguration?
Mr. Griffith. Yes.
Mr. Hunt. Yes, many of them. So we are seeing many
incidents. The perfect example that comes to mind, earlier this
year we had an IoT device called a CloudPet.
It is literally a teddy bear with a listening device that
talks to the internet. Their data was left publicly exposed in
a database facing the worldwide web without a password. And,
again, that is just a simple misconfiguration on their behalf.
Mr. Griffith. Wow. What can companies do to decrease the
likelihood of this kind of a misconfiguration?
Mr. Hunt. It's a combination of things. To me, many of
these incidents, whether it be misconfiguration or flaws in
software, come back to education, and this is the sort of thing
we are trying to do with Pluralsight.
Let's try and get education out there to the people that
are building these systems and standing them up. Because so
frequently it is just such a simple little thing and had the
person understood what the ramifications of the configuration
change they're making or the code change they're making was, it
wouldn't have happened. So I would love to see more education.
Mr. Griffith. And what are the consequences? I mean, we can
all think of some. But what are the consequences of companies
exposing this kind of data?
Mr. Hunt. Really depends on the data. I mean, at sort of
the least end of the scale, very often we are seeing large
amounts of email addresses and passwords.
Now, that then often becomes a skeleton key into other
things because we know that people reuse their passwords.
So that--I almost hesitate to say that's the best that
could happen. But when we think about the worst that could
happen, well, now we start to talk about large amounts of very
personal data.
So we have been speaking about the impact of things like
the Equifax incident. South Africa just recently had an
incident which was data exposed as a backup on a publicly
facing server that had information about the entire country and
this included their national identifier, so think about a
Social Security number, which within there also includes date
of birth and gender, and now we have got a whole country saying
we literally had all of its data published on the internet and
we know that it had been obtained by other unauthorized parties
and redistributed.
But what do we do? And to me, that's sort of the worst-case
scenario, because now you got a whole country saying, how are
we going to do knowledge-based authentication when the
knowledge about the whole country has gone public?
Mr. Griffith. Now, from what I understand, when folks go
back and analyze many security incidents like data breaches,
they find that somewhere along the line someone in the
organization chose convenience such as the ability to check
their personal email from their work computer, for example,
over security. Have you found that to be true as well, in your
work?
Mr. Hunt. Absolutely. I mean, the concern with
convenience--I will give you a really good analogy--is very
often I will say to people, look, we might see an application
talking to a database that has effectively server admin
rights--the most privileged user you could possibly have--and I
will say to people, why would that happen. And they say, well,
it was easy--it was much easier to give access to everything
than to start implementing fine-grained permissions. And they
are right, it is much easier. But that then leads to the
problems we have got here.
Mr. Griffith. And so, how do we make it easier to protect
things--protect that data?
Mr. Hunt. Well, again, I go back to that education side.
This is people making mistakes unknowingly, and when we see
these happen over and over again and we look at the behaviors
of the individuals, very often it is because they've never been
taught what are the ramifications of setting this configuration
or writing code that way.
Mr. Griffith. Yes. I do think we all choose convenience
from time to time when we know in our hearts we ought not.
With that, I have to yield back because my time is up and
now recognize Ms. Castor of Florida for 5 minutes of questions.
Ms. Castor. Well, thank you, Mr. Chairman.
As the Equifax breach made all too clear, there's an
astounding amount of data that is collected by companies and
especially credit bureaus.
The Equifax breach, for example, exposed the personal
information including names, Social Security numbers, birth
dates, addresses, other sensitive data of almost 150 million
Americans.
Mr. Grant, if this data is out there, should companies no
longer use this information as a component of identity
verification online?
Mr. Grant. I wouldn't say that they shouldn't use the
information anymore, but they should be smart about the ways in
which they use it and I think there needs to be a recognition,
you know, across Government and industry that these first-
generation systems that we were using, the attackers have
caught up with them.
So let's figure out where it can be valuable in a process
to establish identity or authenticate identity and where it
can't be. I think there are still tools that are out there that
are using some of this data that could be--you know, I often
talk about, you know, you have an arrow with multiple quivers
in terms of, you know, the tools that you're using.
There still may be some value. But I think we need to
recognize that it has been greatly diminished and we need to
focus on next-generation solutions.
Ms. Castor. So, Mr. Mierzwinski, a similar question. In
your testimony, you stated in reference to Social Security
numbers that, quote, ``you cannot authenticate with a number
that is also an identifier, especially one that anyone can
obtain, thanks to the data breach world that we live in.''
This seems like a good reason to prevent companies from
using the Social Security number as an authenticator. Is that
right?
Mr. Mierzwinski. Well, I think you're absolutely right,
Congresswoman, and many people don't know that the Social
Security number was invented so long ago it doesn't even have a
correct checksum digit.
When you type your credit card number and make a mistake
in an online form, it knows instantly. Your Social Security
number can be completely garbled and it wouldn't know.
The first five digits actually aren't really about you.
They're about when you were born and where you got your number
more than unique. So it is a very big mistake.
I am encouraged that some of my banks know that when I've
logged on from a new machine or even a new place. But others of
my banks and other companies that I do business with don't ask
me extra questions or don't want to send me a text.
So it is uneven how companies are doing better
authentication and, to me, you have also got to penalize them
when they make a mistake.
I realize Equifax and other firms will be penalized by the
market. However, I wonder whether regulators need more
authority to penalize companies that lose our info.
Ms. Castor. So let's talk about that especially. You
mentioned the data brokers. Even outside of data breaches,
internet-connected datasets contain vast information.
A University of North Carolina study showed that data
brokers can obtain almost anything from demographic data to
financial data to travel data.
In your opinion, are there adequate safeguards in place to
limit what information data brokers collect, store, and sell
about us? It seemed in your testimony you said no, it is kind
of the ----
Mr. Mierzwinski. No, despite--and you can find many items
on the record from me criticizing the credit bureaus and the
Fair Credit Reporting Act for being too weak. It actually is
one of our stronger privacy laws. There are virtually no laws
that apply to data brokers and they are out there in a Wild
West ecosystem of digital collection and selling of information
about consumers in real time, and as I believe the vice
chairman pointed out in his opening statement, a lot more
information is being collected into their databases.
Your locational information is, for one, a new piece that
should be protected that isn't protected under many laws.
Ms. Castor. So are there any incentives currently in place
for companies to minimize the data they collect and store?
Mr. Mierzwinski. Unfortunately, I don't know that there are
enough and there--public shaming helps but regulatory
accountability would help even more, and companies just feel
that we are not their customers.
Consumers are not Equifax's customer. Mr. Smith, the ex-
CEO, said that before numerous committees over the last month.
Business is their customer. We are their product. We need to
get them to think about taking care of us, and they haven't.
Ms. Castor. Mr. Grant, thank you for all of your work on
the National Strategy for Trusted Identities. The identity
ecosystem adheres to fair information practice principles, one
of which is data minimization.
This is the idea that organizations should collect only
information that is directly relevant and necessary to
accomplish the specified purpose. Is that right?
Mr. Grant. Yes.
Ms. Castor. So now it seemed to me, in this day and age,
companies want to know everything about you. I am going to ask
you the same question. What incentives are currently in place
for companies to minimize the data they collect and store?
Mr. Grant. Well, I will say concerns both about regulatory
enforcement as well as liability that they might face by having
too much data.
You know, Mr. Hunt talked before about data maximization.
When I was running the NSTIC program there was a term one of
our staffers coined, which was data promiscuity--the practice
that, you know, companies are just quite open in terms of
collecting and sharing gobs of data.
And I do think one thing you're starting to see now,
particularly when some of that data is exposed in a massive
breach, is other companies take a look at it and say, do we
actually want to have all of this data.
And so, you know, now that I am in the private sector I
spend a lot of time working with companies, advising companies
on how to minimize their risk, and I would say there are some
companies that still want to hoard data and there are some that
are realizing that it might be a liability and are actually
trying to put proactive measures in place to reduce the
footprint of data that they have on their customers and really
focus only on what they need.
So I do think a mix of regulation and liability does have
an impact in the marketplace. You know, certainly, if you look
across the ocean to what's happening in Europe right now with
the impending implementation of Europe's General Data
Protection Regulation--GDPR--there's a lot of companies here in
the U.S. that are still going to be impacted by that and that's
also causing some firms to wake up and reevaluate in some cases
what data they collect, how they store it, how they use it.
Ms. Castor. Thank you.
Mr. Griffith. I thank the gentlelady for yielding back.
Now recognize the gentleman from New York, Mr. Collins, for
5 minutes of questions.
Mr. Collins. Thank you, Mr. Chairman.
And Mr. Hunt, I guess it is 3:00 a.m. right now so I am
hoping you got some sleep on the flight coming up from Down
Under.
I want to try to put today's hearing maybe in context just
for the everyday person. So many of us--you know, every three
months one of our credit cards is accessed in some way. Usually
we find out because we get a notification--a fraud alert from
American Express or MasterCard. They've actually got some
algorithm somewhere that says, this looks unusual, or
something.
So I want to make sure I understand. That's a little--
people doing that, grabbing our credit report and stealing our
numbers is perhaps different than the data breach area, or not?
Mr. Hunt. Where it probably differs to credit cards is
there are a lot of different places where credit cards are
exposed which may not be as a result of a data breach.
I've had my wife's card compromised several different times
now and, as you say, you hear from American Express----
Mr. Collins. Because I am sure she uses it daily.
[Laughter.]
Mr. Hunt. Well, she does appear to use it regularly,
evidently. When this happens, she will, as you say, get fraud
alerts from the bank.
Now, that could have been anything from--we might have been
in a taxi in a particular location and they scribbled down the
number when they had physical access to it. You give it to
someone at a restaurant, they go behind the counter. It could
have happened in an incident like that. It could have been that
a single merchant resold the data after purchasing something
online.
Now, that's not necessarily the same as someone who was a
malicious party came along, found a vulnerability in software,
and sucked out a million different records in one go.
Mr. Collins. Yes. So I wanted to kind of make--because I
think sometimes we confuse the two and I think most of us are
impacted by somebody grabbing our credit card more than not.
Then we got to go to the inconvenience--getting a new card,
set up on autopay. You know, I probably have to do that three,
four times a year, even.
So here we are talking about data breach. So now it begs
the question, when someone is getting that, and I certainly
understand someone, if they had enough, could try to apply for,
I don't know, a mortgage or something.
But that probably doesn't impact too many Americans as much
as somebody stealing their credit cards.
So it kind of begs the question, these data brokers, as we
call them--it sounds like a business because there's guys--and
it sounds like they're--are they continuing to try to fill out,
you know, for, you know, myself, you know, there's people with
my same name, so I don't know.
Are they sorting by my last name? My first name? My middle
initial? As they find out that I, you know, just went to the
SPCA and got a new cat, you know, what's the cat's name.
You know, how are they sorting this? By Social Security
number? By address, in multiple ways, and as you said, trading
baseball cards--are they doing this for fun? And then once they
have it, and they're just out there selling it, why can't we
catch these guys?
If somebody--I think of Raymond Reddington on ``The Black
List,'' you know. He'd be the guy buying this stuff. Why can't
we find them, shut them down? And so that kind of general
questions. What would you add to that?
Mr. Hunt. I would say one point to maybe sort of
disambiguify here is when I made the comment about trading
baseball cards what I am talking about is there are a lot of
individuals out there who obtain access to data breaches and
then they redistribute them between peers--not necessarily
commercial legal entities like data brokers such as Equifax but
individuals, in many cases children, sitting in their bedroom
going, hey, I've got a data breach--you have got this one--
let's swap and we'll build up these personal collections.
Now, that is not necessarily with malicious intent but it
does lead to the redistribution and the growth of the amount of
data that's out there.
And then in terms of the data brokers, in terms of the
legally operating entities, very often they refer to data
enrichment, which is like let's just get as much data as we can
about the individuals, refine it so that we have very, very
clear pictures because that makes the product that they offer
that much more valuable.
And then whether they sort it by your Social Security
number or your name or your job title, whatever it may be, that
got significant amounts of data that they can offer people,
whatever sort of sorting or filtering mechanism they like.
Mr. Collins. So in this case, you're referring to a data
broker as a legal entity----
Mr. Hunt. Correct.
Mr. Collins [continuing]. Not a blacklister that's out
there selling it?
Mr. Hunt. That's right.
Mr. Collins. All right. So the folks that are out there
selling it on the darknet or whatever, just walk us through--we
don't have a lot of time--how are they finding their customers,
verifying it is not an FBI or somebody under cover?
Mr. Hunt. Well, they don't always get that right.
[Laughter.]
So how are they selling it? Well, very often we see data
breaches being traded on the same sorts of marketplaces that
are trading things like drugs.
So we have seen very prominent darkweb Web sites--the
Silk Road, Hansa Market, AlphaBay. Now, many of those services
have now been shut down but others have emerged in their place
and they operate on Tor hidden services on the darkweb, which
does make it very difficult many times to actually track them
down. So they operate illegal marketplaces and data breaches
are another commodity like heroin.
Mr. Collins. Well, I appreciate all your comments. My time
is up. I yield back, and thank you for coming up from
Australia.
Mr. Griffith. I thank the gentleman for yielding back.
I now recognize Mr. Tonko of New York for 5 minutes for
questions.
Mr. Tonko. Thank you, Mr. Chair.
In recent years, as breaches have become more common,
companies and technology have not kept pace to protect
consumers. As more breaches occur, more consumers are at risk
for identity theft and other crimes.
While progress has been made, we must do much more to,
obviously, protect consumers. Many ongoing concerns were
brought to the forefront once again with the Equifax breach.
More than 8 million New Yorkers were affected by the Equifax
breach including many of my constituents.
One constituent, who I will label as Lee from Albany, asked
Equifax, why are you using this gross misconduct to turn your
victims into customers for a paid monitoring service that you
will profit from.
Mr. Mierzwinski, can you speak to Lee's concerns that
companies are profiting off these breaches?
Mr. Mierzwinski. We think it is outrageous and we wish it
would stop. The companies have turned consumers into cash cows.
They're responsible for keeping our information safe and
keeping it accurate. They don't, and so instead they say, you
better buy this credit monitoring service at $19.95 a month,
and the marketing of these services is extremely deceptive.
Several banks have been fined by the bureau and several of the
credit bureaus have been fined by the FTC.
A third party company, LifeLock, has been fined by the FTC
and numerous State attorneys general. After it violated the
terms of its settlement order, it was fined an additional $100
million for contempt.
So the marketing of credit monitoring is unfair, and you
don't need credit monitoring either because you can get your
credit report for free under Federal law. In seven States, you
can get a second credit report for free from each of the three
companies.
If you file a fraud alert--a 90-day fraud alert--after you
have been a victim of a breach, you could get an additional
free credit report, get them every three months, and you have
got your own free credit monitoring.
But Equifax should not be profiting. We'd like to put a
stop to it and we'd like them to not charge consumers for
freezing.
Mr. Tonko. Thank you.
And Mr. Mierzwinski, again, you discussed the privacy risks
that come along with biometrics. Can you elaborate on these
risks?
Mr. Mierzwinski. Well, very simply, I think that as we put
our biometric information into databases, it becomes another
commodity in the cloud.
It becomes another way that you can steal information about
a consumer, if you steal my fingerprints or my retina scan,
it's--you could clone yourself as me in a lot of different
ways.
I am not an expert on whether that is being done yet today,
but we are very concerned and also concerned about the civil
liberties aspects of Government agencies getting access to the
information in the databases without warrants, et cetera.
Mr. Tonko. Mm-hmm. I thank you for that.
And a 2017 New York Times article described the nightmare
that Americans face when confronted with identity theft. The
article referenced a study on identity theft and pointed out
that, and I quote, ``Last year, 15.4 million American victims
of identity theft lost $16 billion.''
The article continues, describing cases where Americans
were denied the ability to refinance their mortgages or tax
refunds were fraudulently sent to hackers and other similar
cases.
So Mr. Mierzwinski, many companies use certain information
to verify someone's identity like a full name, home address,
and Social Security number. Now with the data for nearly half
of Americans stolen, is it true that malicious actors could
retrieve those identifiers?
Mr. Mierzwinski. Absolutely malicious actors can retrieve
your information in a variety of ways. They can even retrieve
more information if they've only obtained some.
So the Yahoo breach largely obtained for the bad guys phone
numbers and email addresses. That's the way that you can then
conduct phishing and spear phishing exploits to get more
information from consumers or even call them on the phone and
say, ``I've got your Social Security number. I am going to read
part of it to you. You read the rest of it to me''--those kinds
of gimmicks--social engineering. It is easier than hacking,
actually.
Mr. Tonko. Mm-hmm. The article also makes the case that we
shouldn't necessarily get rid of using Social Security numbers
to identify someone but that we should stop using it as an
authenticating factor.
Mr. Grant, do you agree with that?
Mr. Grant. Yes. I wrote an op-ed that was published in The
Hill about a month ago that made that same point. I think we
need to understand how Social Security numbers are both an
identifier and an authenticator and essentially stop
recognizing them for use of the latter. If I call my credit
card company and they ask for the last four of my Social
Security number, my answer should be, ``Why in the world would
you think that me knowing that actually proves that I am me?''
My information has been stolen several times over. It could be
anybody who's calling in making that claim.
But as an identifier, look, identifiers are needed in the
modern economy. The Government needs a way to track how much
money I am making from both my job and my bank accounts. You
know, individual companies need an identifier as well.
Let's just treat it as something that's widely available
and I think once we acknowledge that it is not something that
is a secret, then we can start to focus on what comes next,
which are better solutions for identity verification, better
solutions for authentication that don't have the weaknesses
that the ones that we are using today have.
Mr. Tonko. Thank you.
And with that, I yield back, Mr. Chair.
Mr. Griffith. I thank the gentleman, and now recognize Mr.
Costello of Pennsylvania for 5 minutes for questioning.
Mr. Costello. Thank you, Mr. Chairman. I am going to try
this with my voice.
To all three of you, I am just going to read through a
series of questions and ask that you weigh in as appropriate.
You spoke in your testimony about the role of Social
Security numbers, both as they are used now and as they should
be used in the future.
In particular, you're both adamant that we don't need to
replace Social Security numbers, as some have suggested we need
to.
Instead, you have said that using them--or, the need to
change them, from using them as identifiers and authenticators
to using them solely as identifiers.
My questions are oriented in this fashion. Are there
barriers to moving away from Social Security numbers as both
identifiers and authenticators? For example, are there
Government regulations that require them in certain instances?
Are there private sector standards that recommend or
require their collection? And how will these organizations
begin making the change you suggested?
How expensive both in terms of time and resources would
this change be and are there any potential downsides, and if
so, what are they?
Mr. Grant. So I am happy to jump in with that first.
I think one point you raised is there are a lot of entities
that are required to collect my Social Security number.
I started a new job at Venable five months ago. They needed
to know my SSN. Any bank account that I open they need to know
my SSN. And that's for the purpose of an identifier and I don't
know that there are any real issues there with them continuing
to use that.
There are issues that are out there in terms of, you know,
particularly when opening financial accounts. I mean, one big
problem we have in this country is what, you know, many people
refer to as synthetic identity fraud--when you'll see
fraudsters try and combine a real name and a real Social
Security number that don't match and then start throwing it
into the system in an attempt to establish credit, and that's,
you know, one way that, you know, organizations are then
defrauded or people are defrauded.
I mean, so, you know, I think there's good reasons to keep
using the SSN as an identifier but we could also use better
systems to verify.
One of the things I talked about in my opening statement
was what Government could actually do as a provider of identity
verification services themselves.
The Social Security Administration knows that there's a
Jeremy Grant that has my Social Security number that matches
but if I go to open a new account at a bank today or a mobile
network operator or anybody else who's collecting it, there's
no way to electronically verify that with Social Security that
that really matches up.
There's a paper-based system that requires a wet signature.
It was a great thing 20 years ago. It is 2017 now. I think you
could actually help cut down on fraud in new account opening if
there was an electronic way for Social Security to validate
those numbers if queried.
I think where there's going to be bigger issues--you were
asking about barriers and costs and things like that--is where
we replace the Social Security numbers and authenticator.
So I can make fun of the credit card company I called last
week who asked for the last four of my Social Security number
and, obviously, there's no security value to that in 2017.
But their next question is, well, then how do I
authenticate you when I am talking to you on the phone, and
that's a much harder question. I think there's some interesting
products. There's new standards that are emerging. There's--
there are ways that you can do it. But there tends to be--the
pace of adoption tends to lag the creation of new technology.
And so I think this is actually an area where I would love
to see Government partnering with industry focus more is how
can we identify where those are--where there are promising
technologies that could replace the first-generation tools that
have, you know, started to fail and accelerate the pace of
adoption everyplace.
Mr. Mierzwinski. I agree.
Mr. Costello. That's a good answer.
Mr. Mierzwinski. Yes. Try to keep some of your time for
you.
Mr. Costello. Very good. I will yield back, Mr. Chair.
Mr. Griffith. I thank the gentleman for yielding back.
I now recognize Ms. Clarke of New York for 5 minutes for
questions.
Ms. Clarke. I thank you, Mr. Chairman. I thank our ranking
member. I thank our panelists for their expert testimony here
today.
And I wanted to bring up the National Strategy for Trusted
Identities in Cyberspace. Under President Obama, the White
House released this strategy and this spurred the public and
private sectors to collaborate on issues related to identities
and online transactions.
Mr. Grant, is it accurate that this strategy laid the
framework for privacy-enhancing technology as well as identity
solutions that must be secure and cost effective?
Mr. Grant. Well, I would say it helped. I think where NSTIC
really helped was throwing down a marker in 2011 for an
industry that, you know, hadn't really started to think about
this yet, and when I look at the impact several years later,
you know--I talked about this in my written statement--
companies that liked it came in and said, ``Hey, this is a
great idea. How can we actually work with you to come up with
solutions that align with it?''
Even companies that didn't like the fact that the
Government had thrown down a marker still had to pay attention
to it because their customers were focusing on it.
So when I look at where the market is today, look, we still
have plenty of problems in the identity space. We wouldn't be
having this hearing if it wasn't the case. But I think the
strategy helped and some of the specific activities that we--
that we sponsored and funded out of NIST during the time that
there was a national program office implementing NSTIC really
helped to move the market along at a point much faster than it
would have gone otherwise and, you know, also pointed the way
to, you know, create the--you know, just pointing out basic
things like security doesn't have to be at odds with privacy.
Security doesn't have to be at odds with user experience.
Those are concepts--it is not a radical statement to make, but
there were some vendors in the space who seemed to think that
they were going to be at odds, and this helped to show that
there could be other ways.
Ms. Clarke. So what--can you elaborate a little bit more as
to what a privacy-enhancing solution may look like in the age
of data breaches?
Mr. Grant. Sure. So, you know, the concept of privacy
enhancing it is, you know, how does--how do you create
solutions that can actually give people more control over their
personal information--have more choice in terms of what
attributes they choose to share about themselves when they go
online.
And, you know, it is a catch-all term. But in terms of
practical application, I think it is, you know, something you
see today. Let's say you're logging in to a Web site with a
social provider and they now give you radio buttons that, you
know, let you choose--do I just share my name?
Do I log in anonymously or do I share--let's say it is
using Facebook Connect--a whole bunch of information about me
with that site. That's, you know, one example of giving
consumers choice in a way that's also pretty easy to select,
you know, with radio buttons, for example, that you can click
on or off. That is something that we didn't have in the
marketplace before.
I think there's other interesting approaches. You know,
people can get--we could really go down the rabbit hole in
terms of talking about privacy-enhancing encryption, which is
an area that I will say there's been a ton of R&D done but I
would say we still have barriers in the marketplace in terms of
coming up with systems that can scale.
I know there's really a commercial--a need for. We, you
know, funded a lot of research there as well and NIST continues
to do good work there today. That's probably some of the next
generation work, I think, in terms of where the market focus is
next.
Ms. Clarke. So can you tell us the benefits of a universal
two-factor authentication or similar types of technologies that
secure a user's identity?
Mr. Grant. Well, it is a universal two factor. Whether it
is universal or whether you're just using two-factor
authentication everywhere. You know, I mentioned in my opening
statement 81 percent of breaches last year were caused by
exploiting passwords.
There is a reason for that. The password is really easy to
compromise and the notion that there's such a thing as a secure
password just doesn't make sense. You know, a lot of the
attacks we see these days are spear phishing attacks where you
get something that looks like a normal login to your email
provider or your bank but it is not. It is somebody who's
inside trying to phish your user name and password.
If you have unphishable two-factor authentication behind
it, that attack doesn't work anymore. Although one problem we
are actually seeing in the marketplace is some of the first-
generation tools that we have seen for two-factor
authentication--things like getting a code through SMS or, you
know, through an app on your phone.
That is phishable as well. And so, you know, I keep making
the point we had solutions that were good for a while and now
the attackers have caught up with them.
Moving to unphishable authentication--you know, we have
talked in this hearing about, you know, standards bodies like
the FIDO Alliance that are coming up with solutions based on
public key crypto, which is unphishable. That, I think, is
where, you know, we need to focus there.
Ms. Clarke. Where we need to go. OK.
And just sort of in closing, you know, I am glad that we
somewhat have a roadmap to improve the security of our online
identities but it seems that more efforts are needed to
implement these effective solutions and we need to continue to
evolve, as you have stated, because we sort of get static after
a while and, of course, there are those who are out there
constantly working at how to phish and break through.
So thank you for your response today. Hopefully, we will
heed what you have shared with us today.
I yield back, Mr. Chairman.
Mr. Griffith. I thank the gentlelady for yielding back.
I now recognize Mr. Walberg of Michigan for 5 minutes of
questions.
Mr. Walberg. Thank you, Mr. Chairman, and thanks to the
panel for being here.
Mr. Hunt, I appreciate you coming all that distance. In
fact, I've often had some sinister thoughts of sending some of
these hackers, et cetera, back to Darwin, Australia, and let
them confront some of the wildlife there in that beautiful but
dangerous part of your great country. But I won't suggest that.
One of the reasons that we are having this hearing today is
to shine a light on a problem that we think is getting worse,
namely, that there is so much data available on individuals
from these various breaches that malicious actors can package
or enrich data to create very robust profiles of almost any
given person.
Is that something that you have seen or heard about and if
so is it a growing problem?
Mr. Hunt. Yes. Look, it is certainly a concerning thing
because, obviously, the more personal attributes you can gather
about an individual the richer the picture you have.
And then when it then comes to things like knowledge-based
authentication you start to build up many different attributes.
And in my written testimony I talk about the concern of
aggregating from multiple services, and they're not always data
breaches either.
So someone might take certain attributes from one data
breach--let's say a name and a birth date. They'll go to
another data breach and they may get gender and home address.
And then they'll go to open source intelligence sources
such as LinkedIn, Facebook, Twitter, and aggregate further data
attributes from there--your profile photo, your social
connections. And the real concern I have there is that even
beyond just data breaches alone there are so many sources of
information that we literally willingly publish ourselves
publicly that we now have to start to work on this assumption
that so many known attributes about ourselves, which we did
previously consider to be personal attributes, are now public
and that's the concern I have. There's just so many different
sources and it is not just data breaches.
Mr. Walberg. And that's what makes it so valuable then,
that----
Mr. Hunt. Oh, absolutely, and I can see why the likes of
legally operating data aggregators are running great businesses
these days because there is so much data that they can obtain
from us.
Mr. Walberg. Yes.
Mr. Grant, as former head of NSTIC, this is likely an issue
that you're familiar with as well. Did NSTIC look at this kind
of problem and, if so, what were its conclusions and
recommendations?
Mr. Grant. So I would say we spend a lot of time looking at
it in the Trusted Identities Group and NIST continues to focus
on this.
You know, I think probably the most--well, there's a lot of
things that NIST has done in this space that's been impactful.
But one that I would point to are the updated digital
identity guidelines. One of the NIST special publications, 800-
63-3, is the title or the code that was put out this past
summer, which was an effort led by my old office to basically
take a look at what is the modern state of solutions in terms
of what we can use for identity verification and authentication
in the marketplace and also recognize where some of the
attackers have caught up with some of the old technologies.
And so they published new guidance this past summer which I
think--you know, what's been nice about it is not just in
Government but also a number of entities in industry have
looked at this and said, this is fantastic--this is a guidebook
that we can use as we are building solutions for the private
sector to make sure that we are, you know, both taking into
account new technologies and new standards that are emerging--
things like FIDO as well as make sure that we are not using
some of the legacy solutions that just aren't as good anymore.
So, you know, certainly, in the topic of identity
verification, one of the things that the new guidelines did was
diminish the role of KBA in terms of how much you can trust it
for identity proofing.
It establishes that there's still a role for it in the
process of identity resolution, you know, trying to figure out
whether I am the Jeremy Grant who's actually applying for an
account but says you cannot use it alone for, you know, full-
blown identity verification. That was a big change from what
we've seen in the past.
So, you know, one thing I mentioned in my written testimony
some of the budget for NIST work in this area has been proposed
for a cut in 2018 at a time when everybody's looking at, you
know, where we can actually take some actions after events like
the Equifax breach. I think we, you know, are going to continue
to need more funding for research and standards in this area,
both to help Government implement better solutions as well as
the private sector.
Mr. Walberg. What updated standards are you talking about
there?
Mr. Grant. There is updated--well, I think there's other
work to be done still. So I think NIST has put out digital
identity guidelines.
I would say two things. One, attackers are always evolving
and technology is always evolving and so it is something that
should be updated I would say, you know, on a regular basis
rather than, you know, a cycle that's every 5 or 10 years,
which is often how NIST tackles the special publications.
Beyond that, I think there's other research for areas. You
know, for example, one of the questions that Mr. Hunt was asked
before was about the security of cloud services and how
entities are getting into that.
And often, again, the attack vector there when you're
guarding against big enterprise class data breaches is through
identity.
I think NIST could do a lot more work looking at enterprise
identity and how you actually manage administration,
authentication, authorization, analytics, and audit--what I
call the five A's of the identity life cycle.
There is not great guidance out there anywhere in the world
and NIST is really well poised to help enterprises apply better
identity security.
Mr. Walberg. Thank you. My time has expired.
I yield back.
Mr. Griffith. I thank the gentleman for yielding back and
now recognize Representative Jan Schakowsky of Illinois. The
gentlelady is recognized for 5 minutes.
Ms. Schakowsky. Thank you so much.
As we talk about consumer protection, which has really kind
of been my bailiwick for a very long time, I have to mention
what's going on right now at the Consumer Financial Protection
Bureau.
OMB Director Mick Mulvaney is serving now as acting
director as his appointment continues to be challenged in the--
in the courts and Mr. Mulvaney has been pretty much a longtime
opponent of the CFPB and no friend of consumer protection
regulations.
He has already put a hiring freeze and a regulatory freeze
in place at the agency. So Mr. Mierzwinski, I wondered if you
could just share your thoughts on what is currently going on at
the CFPB and perhaps how it relates now to this issue also of
data protection, et cetera.
Mr. Mierzwinski. Well, thank you, Congresswoman, and of
course, the Consumer Bureau was created after the big collapse
of the economy and it was designed to be independent of the
political process that has corrupted a lot of the control of
how we protect consumers in the financial system.
By appointing--by suggesting that the head of the OMB, a
deeply political agency of the White House, could also at the
same time be the director of the independent Consumer Bureau,
we just don't think that computes and we support Director
Cordray's appointment of Leandra English as acting director.
We truly recognize the president has the authority to
eventually nominate and get someone confirmed by the Senate.
But we hope that person is qualified as a consumer advocate and
is not someone who has attacked the bureau and called it a
sick, sad joke, as the current acting director has.
The Consumer Bureau, in just 6 years of existence, has
recovered over $12 billion--about $12 billion for 29 million
Americans and has restored confidence in the financial system.
So we like--we'd like to protect it. Going forward, you
have pointed out one issue that is in conflict there is
actually data security. Interestingly, the Consumer Bureau
gained authority over Equifax when it sells credit reports
through the Fair Credit Reporting Act.
But the Gramm-Leach-Bliley Act under the Federal Trade
Commission still controls on data security for a number of
nonbanks including the credit bureaus. That's a real problem.
Ms. Schakowsky. Yes, although before he left, Chairman
Cordray said that he thought that there ought to be embedded
regulators at Equifax and companies--and the other companies.
Mr. Mierzwinski. Well, actually, he does have the authority
or he did have. The bureau still retains the authority to
supervise Equifax in the same manner that bank regulators
including the bureau supervise banks, meaning the ability to be
there in an embedded basis and look for problems before they
get bad and also to look at the toxic--not the toxic but the
secret sauce that the company uses to generate its credit
scores.
There are a lot of things that the bureau can and should
do. But there is this one little piece of Gramm-Leach-Bliley
that says the Federal Trade Commission is still the regulator
for when you have a breach, when you have to notify.
The Federal Trade Commission rule still has not created a
notification standard at the Federal level and this is
something people may not be aware of. The Federal Trade
Commission under Gramm-Leach-Bliley cannot impose a penalty for
the first violation of the data security rules.
The bureau can and any bank regulator can impose a penalty
for any first violation by companies they regulate. The Federal
Trade Commission cannot.
Ms. Schakowsky. So regardless of how big the breach is, how
many people are affected, they do not have the authority?
Mr. Mierzwinski. Not under their statute and not under
their regulations. They've never done it so I don't believe
they have the authority and it has been confirmed to me by
former staff there.
Ms. Schakowsky. Oh, I see. Do I have time?
Well, let me see if I can get to one last question and that
is about credit freezes. So the long-term risk from data
breaches underscores the need for strong data security and
breach notification legislation such as the--I have a bill
called the Secure and Protect America's Data Act that I
introduced with Ranking Member Pallone, several other members
of this committee.
So, again, Mr. Mierzwinski, when a company fails to protect
consumers' data, then where does that leave the consumer? And
let me just add also in the wake of the Equifax breach you have
talked about making credit freezes free for consumers. How
would that help?
Mr. Mierzwinski. Well, how--making credit freezes free
would give us control of our own data, and by the way, that has
almost become a bipartisan issue.
The next step is to make credit freezes the default on
switch. Make the consumer information always protected until
the consumer agrees to turn it on.
Ms. Schakowsky. So the----
Mr. Mierzwinski. The opposite of the current situation.
Ms. Schakowsky. OK. Thank you so much. I yield back.
Mr. Mierzwinski. Thank you.
Mr. Griffith. Appreciate the gentlelady yielding back.
I now recognize the gentlelady from Indiana, Mrs. Brooks.
Mrs. Brooks. Thank you, Mr. Chairman, and thank you to all
of our witnesses for being here.
I am a former Federal prosecutor--former U.S. attorney that
worked on and prosecuted identity theft cases between 2001 and
2007. So this is certainly not something new.
I haven't heard very much, quite frankly though, about
going after the bad guys, and we are talking about the hackers
and I want to learn a little bit more.
And Mr. Hunt, when you talked about the analogy of it is
like shopping for heroin or so forth on the darknet and so
forth, could you please talk with me a little bit more? Because
I haven't been in that world, quite frankly, since '07 and
really want to learn a little bit more about the buyers, the
sellers, and how do they purchase it, select their buyers and
sellers.
Do they earn reputations on the darknet? Can you tell us a
little bit, and then for yourself and maybe Mr. Grant a little
bit about what kind of cooperation you have engaged in with law
enforcement.
Mr. Hunt?
Mr. Hunt. I think we can sort of speak to the last part of
the question first, which is around reputation, so how do
people establish a reputation.
One of the quite intriguing things when you do see these
dark market marketplaces or darkweb marketplaces is that in
many ways they look very familiar.
They look like an eBay, for example, and there are buyers
and sellers on there that have a reputation that they gain over
a series of trades. Now, of course, the difference is they're
not buying iPhones or consumer electronics. It is, literally,
drugs, data breaches, and so on.
So that's sort of the first part of the answer. They
establish a reputation. In terms of then identifying who those
parties are, one of the difficulties we have with privacy and
anonymity tools is whilst they're very good for maintaining
privacy and anonymity for people that want to do good things,
they're also very good at maintaining privacy and anonymity for
people doing bad things.
Now, we have seen a number of these marketplaces taken down
over time but, obviously, they are much harder to track down.
I guess to the other points, one of the things that sort of
concerns us is that there is a thriving marketplace for this
data and there are, I guess, various shades of gray in terms of
who finds this data attractive.
That's, clearly, criminals--those who literally want to go
out and mount identity theft attacks. They find this data
attractive.
One of the things that worries me a little bit more is that
it is also an attractive piece of information for more
mainstream legitimate organizations who are looking to gain
access to this data so that they can figure out which of their
customers are protected.
So we are now seeing very mainstream online web properties
that many of us know and use on a daily basis that will tell
people when they have appeared in a data breach and some of
these are actually purchasing information in order to gain
access to that to protect their customers.
And, frankly, that--I am a little bit torn with that
because I understand the desire to protect their consumers but
I also worry about the incentives that provides those who are
breaking into systems.
Mrs. Brooks. Mr. Grant, anything you want to add?
Mr. Grant. Not too much. I mean, my--look, law enforcement
is quite important. It is--I think as Mr. Hunt pointed out, it
is becoming quite hard to track people down in part because
of the international nature of, you know, many of the criminal
rings that are actually running all of these, you know,
marketplaces and what not.
I would agree in terms of what, you know, Mr. Hunt said as
well in terms of the same tools that can protect us and keep us
anonymous can also be protecting them. So there are definitely
challenges there.
Mrs. Brooks. Has there also been evidence that nation-
states besides entities, individuals, criminal organizations
are involved in this as well?
Mr. Grant. Absolutely. I mean, that's something we haven't
talked about much. I am sure most of us in this room were
victims of the OPM breach, which I guess I appreciate that the
Government is giving me credit monitoring services for this.
I don't think that the government of China is looking to
establish credit in my name. They're interested in looking
through the 75 pages or so of my SF-86 and figuring out if they
can compromise me because I have a top-secret clearance.
But this is certainly something that has been quite
interesting to other nation-states who are looking to execute
attacks, you know, both for those purposes as well as just for,
you know, getting into basic accounts.
Again, if we are protecting access to an account with only
something like static KBA and they've now stolen the answers to
those questions, well, then you can get into them and do things
with them.
You know, likewise, Mr. Mierzwinski talked before about,
you know, some of the risks of biometrics. All of my
fingerprints are now sitting in another country somewhere
because of the OPM breach, which means I wouldn't feel
particularly comfortable using anything that's doing remote
match fingerprint to secure anything that I care about.
That said, I am really comfortable with using a fingerprint
on my phone because you have to come get my device out of my
hands first before you can compromise it.
Mrs. Brooks. Mr. Mierzwinski mentioned that the credit
monitoring services maybe have been not very honest in their
practices.
Do you agree that when we receive these requests after
we've been a target of a breach that people should or should
not be accepting those services by the company?
Mr. Grant. You know, I don't think it hurts to accept them.
Whether you pay for them is another question that I think----
Mrs. Brooks. Right.
Mr. Grant [continuing]. You know, folks are asking right
now. Look, I think they are helpful because it is good to know
if something is happening. It is good to be able to monitor
your account.
Whether you need to pay for it is another question. From,
you know, the Government perspective as a victim of the OPM
breach I don't know what value it offers me other than it is a
nice thing to have to be able to keep close watch on my credit.
So it--you know, value in the service, yes. Whether, you
know, I want to pay for it as a consumer that's another
question.
Mrs. Brooks. Thank you. Thank you all for your work.
Yield back.
Mr. Griffith. Thank you.
I now recognize the gentleman from Georgia, Mr. Carter, for
5 minutes of questioning.
Mr. Carter. Thank you, Mr. Chairman, and thank all of you
for being here and for your efforts to get here. Appreciate it
very much.
This is, obviously, very, very important to all of us. I
want to start with you, Mr. Grant, and just ask you if you can,
and please dumb it down for me, if you will, what are trust
marks? Can you just explain that to me?
Mr. Grant. Trust marks--sure. Best example of a trust mark
is the Visa logo that's on two credit cards in my wallet.
So that if I go down to the cafeteria here afterwards and
have lunch with Troy or Ed, the cafeteria doesn't really care
which credit card I pay with. I got one issued by Capital One
and one issued by Chase.
Because it has got that Visa trust mark on it, which stands
for a bunch of standards and operating rules that govern
everything from how that card's authenticated at the point of
sale terminal, what security is in place, how long it takes for
my bank to pay the cafeteria for my lunch, what transaction
rate that they're actually going to pay in terms of, you know,
the fee for processing that, and some would argue most
importantly if--let's say Vice Chairman Griffith steals my
credit card and buys lunch for the committee and I contest that
with my bank--what am I liable for and what's the merchant
liable for.
So the trust mark is essentially something that represents
all those standards and operating rules that in the credit card
network everybody who's an issuing bank has to follow and
everybody else has to follow.
In the identity space, one argument--this was a lot of the
focus of NSTIC is that we need to create something similar to
the Visa network for identity, which is that I could have
the issuer be my State DMV or the Social Security
Administration, my bank, my mobile network operator.
It could be an advocacy group like the NRA or the ACLU or
U.S. PIRG, who all could validate my identity a certain way,
issue me a credential that I could use everywhere and the
reason it would be trusted is because it has that trust mark.
Mr. Carter. Well, that's really what I am getting at
because as I understand it, the Trusted Identities Group has
actually farmed out, if you will, pilot projects and the
Georgia Tech Research Institute has actually come up with the
emphasis on the machine-readable trust marks, and it has been
very successful and the results have been positive,
particularly when it was--when it was over a trusted framework
and that would encourage greater trust.
How can this be implemented in industry? How can we use
this?
Mr. Grant. So I don't think--you know, a little bit of
background on the GTRI pilot that was one of the ones that I
selected for funding when I was, you know, running the NSTIC
program and the idea was, you know, how can you do something
for identity that's, you know, similar to what you see in
financial services.
I would say, you know, where it has gone as a pilot, it was
a great--look, it is a pilot. It is a proof of concept,
basically. It isn't something that's been picked up yet by
industry.
What I can say, though, is that work is being looked at
by--I don't want to break confidentiality with anybody I am,
you know, doing work with now.
Mr. Carter. Right. Right.
Mr. Grant. But some bigger players that matter in the
ecosystem who are actually looking at taking that similar
concept and actually developing a, you know, broader federated
identity system that could be led by the private sector for
making it easier for consumers to identify themselves.
The idea would be to basically leverage work that's being
done there already with I can actually say some financial
services.
Since banks know you, thanks to the Know Your Customer
rules that they go through and you might trust your bank--not
everybody does but some might--how could they vouch for you
other places when you're looking to open up a new account.
Mr. Carter. Right. But do you agree that this is kind of
the route we ought to be going?
Mr. Grant. I think--yes, I think it is a big part of the
solution. I don't know that trust marks are going to solve
everything. You know, look, so we did some good things with
NSTIC.
One of the things we didn't do is solve all the problems
and it is because it is really complicated and there's a whole
bunch of, you know, whether it is legal barriers, technical
barriers, how do you create something that's really easy for
consumers to use. There's issues that are out there.
For as much as everybody loves to beat up on KBA and what
the credit bureaus do, there's a reason it has been used so much
in the market for years, because for many people it does
work.
Mr. Carter. Right.
Mr. Grant. I am applying for a new credit card. I can do
something instantly. When I went to lease a new car for my wife
a year ago, I was able to get quick credit.
So I don't want to suggest we throw the baby out with the
bath water because there's problems. It is more realizing where
attackers have caught up and how do we develop better
solutions.
Mr. Carter. OK.
Mr. Hunt, any--any comments on trust marks and how it can
be implemented into the private sector?
Mr. Hunt. I think I would probably defer back to Mr. Grant
as the expert on trust marks there.
Mr. Carter. Right. Right.
Were there any other new technologies that you find
interesting and perhaps that have some potential?
Mr. Hunt. I think ultimately we are going to see an
augmentation of different practices. I mean, many people, for
example, say, well look, is the answer biometrics or is the
answer physical tokens.
And where we are getting to now is I think an
acknowledgement that we can't rely on one single knowledge-
based authentication attribute, for example--that we do have
many other things available to us now that we didn't have, say,
two decades ago.
We have ubiquitous mobile devices with internet
connectivity. We have SMS. We have other forms of identifiers
like physical YubiKey tokens, for example. And I think the
right strategy moving forward is going to be the right
augmentation of those under the right scenarios, depending on
the trust level that you need to establish.
Mr. Carter. Great. Thank you all again, and I yield back.
Mr. Griffith. I thank the gentleman for yielding back. I do
have a couple of follow-up questions just to try to clarify
some things. Staff did a nice job, as they always do, in
educating me beforehand. But, Mr. Grant, you used the term
public encrypto.
Mr. Grant. No, public key crypto.
Mr. Griffith. Oh. And what does that mean?
Mr. Grant. Well, so there's--we can get really geeky
talking about cryptography now--there's essentially two ways
you can manage cryptographic keys.
One is called symmetric-key, which is when I got a key and
you know the key, and I have to present the key to you for it
to match. It is a lot--similar to the way passwords work.
The other is what's commonly known as asymmetric public key
cryptography, or PKI for public key infrastructure. It is what
the Defense Department as well as the Federal Government had
been using for years, in many cases in lieu of passwords, in
order to, you know, come up with unphishable authentication to
protect Federal networks and systems.
At the end of the day, the concept is rather than each
entity having the same key, I get a key pair, and the public
key is known to everybody but the private key is only residing
with me.
It can be in my mobile phone. It could be in my computer.
It can be on a device like the YubiKey, which is--that Mr. Hunt
mentioned which is a FIDO standard token, and when I am logging
in someplace, I am basically asked to sign a cryptographic
challenge where my public key is presented but the only way I
can get in is if I have the corresponding private key with me
physically.
And so the--we could really go into the details of it in
ways that would make everybody's head explode. It is not--this
is actually one of the problems with--about the adoption of
technology, by the way.
It has been very complicated. But I think the most
important point to keep in mind is it is a way to deliver
unphishable authentication. It is not based on shared secrets.
And when I talk about how attackers have caught up not only
to passwords but also things like SMS codes or other one-time
passwords that are only good for 30 seconds, you know, that 30
seconds is still enough for a moderately skilled attacker to
phish my authentication code.
Asymmetric public key crypto is where we should be building
authentication solutions in the future so that we don't have
phishable authentication.
Mr. Griffith. All right. I appreciate that.
Mr. Hunt, you travelled a long way. Is there anything that
you had a burning desire to tell us that you haven't had an
opportunity already to do so?
Mr. Hunt. I think that the other thing I would add,
obviously, I am very interested in how do we stem the flood of
data breaches that we are seeing. And, you know, the things
that really come to my mind that I would love to see
implemented I mentioned education.
So we are making lots of fundamental little mistakes.
Another thing that's very important is making the disclosure of
these incidents much easier.
So I myself have been in this situation many times where
someone has sent me data from an organization and just the
ability to disclose it to the company, to find the right person
who will listen, who will take it seriously, is enormously
difficult.
So I am very supportive of some of the initiatives we are
seeing like bug bounties. So, for example, companies like
BugCrowd are running many bug bounties where you as an
organization can say if someone finds something wrong with my
systems, I would like to know about it and I will likely pay a
reward for that. And it is done legally, ethically, and it
encourages the right behaviors.
And I guess, finally, we'd also like to see more in the way
of penalties because at the moment there's not enough
accountability when things do go wrong, and I think we are all
very curious to see how things like GDPR, which Mr. Grant
mentioned earlier, how that plays out when it comes into effect
in Europe in May where potentially an organization can be fined
up to 4 percent of their annual gross revenue.
Now, that starts to sting and we really hope that that
actually drives more positive behaviors in the industry.
Mr. Griffith. All right. I appreciate that.
Mr. Tonko? Ms. Castor?
Appreciate you all being here. This has been very
informative. I suspect it'll be one of the more popular reruns
on C-SPAN, for those folks who are really into this, and I have
learned so much.
Thank you all for your time today and I appreciate it.
And with that, got to go to my script so I don't leave
anything out. I would remind Members that they have 10 business
days to submit questions for the record and I ask that the
witnesses all agree to respond promptly to those questions.
Do I need to say anything else? All right. Got all that
business--housekeeping taken care of.
With that, the subcommittee is adjourned. Thank you.
[Whereupon, at 11:47 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]