[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
AFTER THE BREACH: THE MONETIZATION
AND ILLICIT USE OF STOLEN DATA
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON TERRORISM
AND ILLICIT FINANCE
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
MARCH 15, 2018
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-81
__________
U.S. GOVERNMENT PUBLISHING OFFICE
31-386 PDF WASHINGTON : 2018
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman
PATRICK T. McHENRY, North Carolina, Vice Chairman
MAXINE WATERS, California, Ranking Member
PETER T. KING, New York CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma BRAD SHERMAN, California
STEVAN PEARCE, New Mexico GREGORY W. MEEKS, New York
BILL POSEY, Florida MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin DAVID SCOTT, Georgia
STEVE STIVERS, Ohio AL GREEN, Texas
RANDY HULTGREN, Illinois EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina KEITH ELLISON, Minnesota
ANN WAGNER, Missouri ED PERLMUTTER, Colorado
ANDY BARR, Kentucky JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania BILL FOSTER, Illinois
LUKE MESSER, Indiana DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine JOYCE BEATTY, Ohio
MIA LOVE, Utah DENNY HECK, Washington
FRENCH HILL, Arkansas JUAN VARGAS, California
TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana
Shannon McGahn, Staff Director
Subcommittee on Terrorism and Illicit Finance
STEVAN PEARCE, New Mexico, Chairman
ROBERT PITTENGER, North Carolina, Vice Chairman
ED PERLMUTTER, Colorado, Ranking Member
KEITH J. ROTHFUS, Pennsylvania CAROLYN B. MALONEY, New York
LUKE MESSER, Indiana JAMES A. HIMES, Connecticut
SCOTT TIPTON, Colorado BILL FOSTER, Illinois
ROGER WILLIAMS, Texas DANIEL T. KILDEE, Michigan
BRUCE POLIQUIN, Maine JOHN K. DELANEY, Maryland
MIA LOVE, Utah KYRSTEN SINEMA, Arizona
FRENCH HILL, Arkansas JUAN VARGAS, California
TOM EMMER, Minnesota JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York RUBEN KIHUEN, Nevada
WARREN DAVIDSON, Ohio STEPHEN F. LYNCH, Massachusetts
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
C O N T E N T S
----------
Page
Hearing held on:
March 15, 2018............................................... 1
Appendix:
March 15, 2018............................................... 31
WITNESSES
Thursday, March 15, 2018
Ablon, Lillian, Information Scientist, RAND Corporation.......... 5
Bernik, Joe, Chief Strategist, McAfee............................ 6
Christin, Nicolas, Associate Research Professor, Carnegie Mellon
University..................................................... 8
Lewis, James, Senior Vice President, Center for Strategic and
International Studies.......................................... 10
APPENDIX
Prepared statements:
Ablon, Lillian............................................... 32
Bernik, Joe.................................................. 50
Christin, Nicolas............................................ 57
Lewis, James................................................. 66
Additional Material Submitted for the Record
Maloney, Hon. Carolyn:
Article entitled, ``Sex, Drugs, Bitcoin: How Much Illegal
Activity Is Financed Through Cryptocurrencies''............ 73
Bernik, Joe:
Written responses to questions for the record submitted by
Representative Budd........................................ 115
AFTER THE BREACH: THE MONETIZATION
AND ILLICIT USE OF STOLEN DATA
----------
Thursday, March 15, 2018
U.S. House of Representatives,
Subcommittee on Terrorism
and Illicit Finance
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 2:03 p.m., in
room 2128, Rayburn House Office Building, Hon. Stevan Pearce
[chairman of the subcommittee] presiding.
Present: Representatives Pearce, Pittenger, Rothfus,
Williams, Poliquin, Hill, Emmer, Zeldin, Davidson, Budd,
Kustoff, Perlmutter, Maloney, Himes, Foster, Kildee, Sinema,
Vargas, Gottheimer, Kihuen, and Lynch.
Chairman Pearce. The subcommittee will come to order.
Without objection, the Chair is authorized to declare a
recess of the subcommittee at any time.
Members of the full committee, who are not members of the
Subcommittee on Terrorism and Illicit Finance, may participate
in today's hearings.
All members will have 5 legislative days within which to
submit extraneous materials to the Chair for inclusion in the
record.
This hearing is entitled, ``After the Breach: The
Monetization and Illicit Use of Stolen Data.''
I now recognize myself for 5 minutes to give an opening
statement--for 2 minutes to give an opening statement.
I want to thank everyone for joining us today.
In today's hearing, we will examine the economics of cyber
crime, the monetization of stolen data from cyber attacks, the
role the dark Web marketplaces play in helping criminals profit
from their theft, and how illicit proceeds are laundered into
our financial system.
Last month, the Council of Economic Advisors released a
report estimating that malicious cyber activity cost the U.S.
economy between $57 and $109 billion in 2016. And this cost is
expected to climb as more devices become Internet connected.
Most commonly, these cyber attacks against private and
public entities include ransomware attacks, requesting payments
in cryptocurrencies, denial of service attacks, and business
e-mail compromise scenarios. These attacks lead to property
destruction; business disruption; and the theft of proprietary
data, intellectual property, and sensitive financial
information.
Unfortunately, this activity is only becoming more
widespread as criminal organizations realize the low cost of
entry, the ease of using hacking tools, and the difficulty law
enforcement faces trying to apprehend the hackers.
It is estimated that in 2017, there were 610 public
breaches in the United States, triggering the exposure of 1.9
billion records.
This sensitive information, including stolen credit card
numbers and personally identifiable information, is monetized
and sold on the dark Web, often for a few dollars or less,
making cyber theft a lucrative endeavor and providing anonymity
for the criminals.
Cyber theft is particularly damaging because of the
sensitive information being stolen, including Social Security
numbers, and is difficult or sometimes impossible to change.
The victim of a breach can become a victim repeatedly as
their identity can be used to apply for credit cards,
mortgages, and other financial products over and over again.
In today's hearing, I hope to discuss how we are currently
combating cyber attacks that lead to electronic identity theft,
credit card and other types of fraud, including what tools and
partnerships are working well in the effort to detect and
disrupt criminal actors.
I would also appreciate any comments about deficiencies in
our system that may impede our ability to predict or stop
future breaches.
I would like to thank our witnesses for being here today. I
look forward to their expert testimony on these very important
issues.
Now, the Chair recognizes the gentleman from Colorado for 2
minutes for an opening statement.
Mr. Perlmutter. Thank you, Mr. Chair. And thanks to the
witnesses for joining us today, and we look forward to your
testimony.
I doubt there is a person in this room who hasn't been
affected, whether they know it or not, by a data breach. In the
Equifax breach alone, 147 million Americans were affected and
impacted.
Every day, hackers steal an additional 780,000 records. And
according to the Identity Theft Resource Center, there were a
total of 1,579 U.S. data breach incidents in 2017.
Criminals have grown more sophisticated, more organized,
and so have the markets for purchasing the stolen data. In many
cases, the cyber criminals are encouraged and supported by
governments.
In terms of state-sponsored cyber criminals, the most
pervasive actors are Russia and North Korea, both of which
heavily target financial institutions.
And, as we all know, as a fact, Russia used its cyber
capabilities to interfere in the 2016 election. I was glad to
hear today's news from the Department of Treasury announcing
sanctions on 19 Russian operatives and 5 organizations. Many of
whom were identified by Special Counsel Robert Mueller.
I am glad to see the Department of Treasury is beginning to
take this Russian cyber threat seriously. I hope President
Trump will understand the importance of this issue soon as
well.
With that, I thank you, Mr. Chairman, for holding this
hearing, and I look forward to today's discussion.
And I yield back.
Chairman Pearce. The gentleman yields back.
The Chair now recognizes the gentleman from North Carolina,
Mr. Pittenger, for 2 minutes.
Mr. Pittenger. Thank you, Mr. Chairman and Ranking Member
Perlmutter, for holding this hearing today. Thank you to each
of our distinguished panelists for giving their expertise to
our subcommittee this afternoon.
Cyber crimes, whether they are sponsored by states or not,
are one of our Nation's biggest and most pressing national
security threats.
In recent years, we have seen the frequency and size of
cyber crimes increase exponentially. The dark net, for online
activities and transactions, is largely untraceable. And the
proliferation of cryptocurrencies has made it easier for
criminals to monetize illicit activities.
Of particular concern are easily accessible dark net
marketplaces where criminals can, with startling ease, sell or
buy stolen data and wide--and a wide variety of other illicit
cyber services.
Cyber crimes have wreaked havoc on our businesses and
upended the lives of countless Americans. Yet, we must
recognize the complex and multi-layered landscape of this
threat. We know lone actors and criminal syndicates are behind
many of these crimes but so are hostile states.
Notably, for years now, China has used strategic foreign
investment through joint ventures to acquire American companies
and access their data, intellectual property, proprietary
technologies.
Many of China's targeted transactions evaded the purview of
the outdated Committee on Foreign Investment in the United
States, commonly known as CFIUS. This is the chief body tasked
with screening foreign investments for national security risk.
To remedy this problem and safeguard our intellectual
property, data and proprietary technology, I have introduced,
with Senator Cornyn, legislation to modernize CFIUS and
strengthen its ability to identify and stop malicious foreign
investments.
The scope and landscape of illicit cyber activities is
rapidly evolving. Cyber crimes are becoming more damaging, more
frequent, more creative, and are impacting more Americans.
In many ways, we find ourselves alarmingly vulnerable in
large uncharted waters. It is imperative we address these
threats with the utmost seriousness and remain vigilant and
proactive in our efforts to combat all forms of nefarious
cyber activities.
Thank you, Mr. Chairman.
I yield back the balance of my time.
Chairman Pearce. The gentleman yields back.
Today, we welcome the testimony of our panelists.
First, we have Ms. Lillian Ablon. Ms. Lillian Ablon is an
Information Scientist at the RAND Corporation. She conducts
technical and policy research on topics spanning cyber
security, emerging technologies, privacy and security in the
digital age, computer network operations, among many others.
Ms. Ablon's recent research topics include the intersection
of commercial technology companies and public policy; black-
markets for cyber crime tools and stolen data; as well as the
white-, gray-, and black-markets for zero-day exploits, social
engineering and open source intelligence, tools, and technology
for greater cyber situational awareness and many others.
Prior to joining RAND, Ms. Ablon worked for some of the
most cutting-edge technologies and encryptos--cryptography
network exploitation and vulnerability analysis and
mathematics. She has won an Uber Black Badge at the DEF CON 21
Computer Industry Conference. And holds a bachelor's degree in
mathematics from the University of California, Berkeley and a
master's degree in mathematics from Johns Hopkins University.
Mr. Joe Bernik has over 2 decades of experience creating
and implementing cybersecurity management programs at global
financial institutions, while serving as Chief Information
Security Officer and Head of Information Risk and Security at
ABN AMRO Bank, Fifth Third Bank, and BNY Mellon.
Mr. Bernik led global teams dedicated to protecting
customer data and complying with data-related laws,
regulations, and managing incident response programs.
Mr. Bernik started his career with the U.S. Department of
Defense. He is an avid speaker and writer and has held posts on
several industry groups, including the Federal Reserve Council
on Fraud and the Financial Services Information Sharing and
Analysis Center, and the open Web Application Security Project.
Mr. Bernik holds a bachelor's degree in information systems
from the University of Mary Washington and has completed
graduate studies in business administration at the City
University of New York.
Dr. Nicolas Christin is an Associate Research Professor at
Carnegie Mellon University, jointly appointed in the School of
Computer Science and in Engineering and Public Policy. He is
affiliated with the Institute for Software Research and a core
faculty member of CyLab of the university-wide information
security institute.
He also has courtesy appointments in the Information
Networking Institute and the Department of Electrical and
Computer Engineering. He was a researcher in the School of
Information at the University of California, Berkeley, prior to
joining Carnegie Mellon in 2005.
His research interests are in computer and information
systems security. Most of his work is at the boundary of
systems, networks, and policy research. He has most recently
focused on security analytics, online crime modeling, economic
and human aspects of computer security.
He holds a degree in engineering from a prestigious French
University and both a Master's Degree and PhD in computer
science from the University of Virginia.
Dr. James Lewis is a Senior Vice President at the Center
for Strategic and International Studies (CSIS). Before joining
CSIS, he worked at the Departments of State and Commerce as a
Foreign Service Officer and as a member of the Senior Executive
Service.
He served on several Federal Advisory Committees, including
a Chair of the Committee on Commercial Remote Sensing, as well
as a member of the Committees on Spectrum Management and
International Communications Policy, and as an adviser on the
Security Implications of Foreign Investment in the United
States.
Dr. Lewis has authored numerous publications since coming
to CSIS on a broad array of topics, including innovation, space,
information technology, globalization, deterrence, and
surveillance. He was director of the CSIS Commission on Cyber
Security and is an internationally recognized expert on
cybersecurity.
Dr. Lewis received his PhD from the University of Chicago.
Each of you will be recognized now for 5 minutes to give an
oral presentation of your testimony. Without objection, each of
your written statements will be made part of the record.
Now, Ms. Ablon, you are recognized for 5 minutes.
STATEMENT OF LILLIAN ABLON
Ms. Ablon. Good afternoon, Chairman Pearce, Ranking Member
Perlmutter, and distinguished members of the subcommittee.
Thank you for inviting me to testify.
As you mentioned, in 2017, there were more than a thousand
data breaches, exposing over a billion records of sensitive
data. To gain an understanding of what the attackers are doing
with the stolen data and how they are monetizing it, we first
need to understand who they are and what motivates them.
First, attackers, or cyber threat actors, can be grouped by
their sets of goals, motivations, and capabilities. Four groups
of note are: Cyber criminals, state-sponsored actors, cyber
terrorists, and hacktivists.
I discuss each actor in my written testimony, but the two I
would most note for this hearing are cyber criminals and state-
sponsored actors. I emphasize the distinction between these
groups as they tend to seek different types of data and use or
monetize that data in different ways.
Cyber criminals are motivated by financial gain. They care
about making money as quickly and efficiently as possible.
Often, the data that they steal ends up for sale on underground
black-markets.
State-sponsored actors advance the interests of their
particular nation-state. They tend to keep the data that they
steal for their own purposes, rather than trying to monetize it
on underground black-markets.
State-sponsored actors are believed to be responsible for
the cyber attack on Sony, the theft of millions of dollars to
the Swiss Banking software, and the data breach of millions of
records from the Office of Personnel Management (OPM).
Turning to the cyber crime black-markets. They are quite
advanced. Full of increasingly sophisticated people, products,
and places to conduct business transactions. They are resilient
in the face of takedowns and are constantly adapting to the new
tactics and techniques of law enforcement and computer security
vendors.
They are easy to enter and very easy to get involved in, at
least at the most basic level. Essentially, all you need is an
Internet connection and a device to become part of the cyber
crime ecosystem.
Participants in these markets range across all skill
levels. There are often hierarchies and specialized roles.
Administrators at the top; followed by brokers, vendors, and
middlemen; and, finally, mules, the moneychangers who use
multiple methods to turn the stolen data into money.
Cyber crime markets offer a diverse slate of products for
all phases of the full cyber crime lifecycle. From initial hack
all the way through to monetizing the stolen data.
In recent years, as-a-service offerings, ransomware,
malware, and point-of-sale credit card schemes have become
popular.
Prices in these markets can range widely depending on
hardness of attack, sophistication of the malware, whether
something is do-it-yourself or as a service, and the freshness
of the data.
For example, credit cards stolen from Target in 2013
appeared on the black-markets within days. Those cards
initially fetched anywhere from $20 to $135, depending on the
type of card, expiration and limit.
But, eventually, they went on clearance for just a few
dollars a card. Although prices, in general, range widely,
similar products tend to go for similar amounts.
And anonymous cryptocurrencies like Bitcoin, among others,
are preferred for making transactions.
So, how did stolen data get monetized on these markets?
Cyber criminals use financial information, things like credit
card data and bank account numbers, to withdraw cash, purchase
gift cards for resale, or harness a money mule to make
fraudulent orders to purchase goods, like expensive
electronics, which can, then, be shipped overseas to be sold on
other black-markets.
They might use stolen credentials, things like usernames,
passwords and e-mail addresses, to get access to a victim's
contact list for further spam or phishing campaigns.
Both cyber criminals and state-sponsored actors might use
credit report information. Things like addresses, States of
birth, and other personally identifiable information, like that
taken in the 2017 data breach of Equifax, to create a
comprehensive profile of a victim.
Cyber criminals could use that kind of data to create a
custom dictionary of possible passwords that can be used to
attempt to crack a victim's bank or financial account or for
identity theft purposes.
State-sponsored actors, on the other hand, might use this
information to build profiles of who to target for exploitation
or espionage campaigns or as leverage to gain other types of
information.
Unfortunately, there is no easy policy prescription to
completely stop data breaches or monetization of stolen data.
But a combination of information sharing between the public and
private sectors strengthened international cooperation between
law enforcement and increased efforts to tarnish the reputation
of these black-markets can all help.
Thank you for the opportunity to testify. I look forward to
the discussion.
[The prepared statement of Ms. Ablon can be found on page
32 of the Appendix.]
Chairman Pearce. Thank you.
Mr. Bernik, you are now recognized for 5 minutes.
STATEMENT OF JOE BERNIK
Mr. Bernik. Good afternoon, Chairman Pearce and Ranking
Member Perlmutter. Thank you for the opportunity to testify. My
name is Joe Bernik and I am the Chief Technical Strategist for
McAfee, representing the financial services sector.
We are happy that you have addressed this important issue.
The financial services sector represents a very sensitive part
of our Nation's infrastructure, and I am pleased to see the
committee addressing these issues.
According to the CSIS report, recently produced by McAfee,
banks continue to be the favorite target of criminals, as we
know, probably because the money is held in these institutions.
The banks--the attacks, however, are not always directed
directly at the banks.
We are now seeing attacks directed at the seams within the
institutions themselves. This can be seen in the instance of
the SWIFT attack in which, allegedly, North Korea stole or
attempted to steal over a billion dollars.
And smaller, less sophisticated organizations are more
vulnerable to this type of attack. The practice of not directly
attacking institutions, such as was the case--excuse me, such
as the case within the Equifax attack, represents a
vulnerability within the banks. They all depend on Social
Security numbers and, therefore, that type of attack has a
lasting and devastating impact on the banks themselves.
All the financial institutions rely heavily on Social
Security numbers as a form of identifier. This reliance, as you
stated, is a vulnerability as the numbers have all ultimately
been lost, resulting in the numbers being somewhat useless as a
means of identification.
The methods used are exceedingly commoditized. Malware and
phishing attacks are used across the sector. And although new
attacks, such as artificial intelligence and machine learning,
are available, we have not seen them used because, thus far,
the commoditized nature of the attacks doesn't require their
usage. So, therefore, the simple attacks continue to be the
main methods being exploited and used.
One method of attack that is of extreme importance and
urgency right now is the use of social media attacks. Social
media--the anonymous nature of social media, allows for
criminals and nation states to use it, to manipulate markets.
I believe and we believe that this type of attack, using
social media, will continue to be prevalent and will continue
to be devastating against financial markets, given that you can
set up an identification without any kind of verification or
authentication requirements.
As far as the stolen data goes, and the question that the
community had raised, as the previous speaker said, the
information is sold on the dark Web for profit by criminals.
This information can be easily accessed. The information can be
bought for varying prices.
We have seen everything from credit card details sold for
$50, Amazon accounts sold for $9.00, passports sold for $62.
And the prices vary, depending on the markets and the--and the
freshness of the data.
However, the concern that we have, really more so than the
data that is being sold today, is the data that we have not
seen sold as of yet. Meaning the Equifax data, which I know
everyone is interested in, has not been widely made available
in any markets.
It is, therefore, assumed that this data is being collected
for other purposes. Potentially for nation state-level attacks.
So, that, obviously, the unknown-unknown nature of that type of
attack makes it all the more concerning. And we wait and--we
are waiting to see what sort of attacks will come from that
sort of data that was stolen.
Large institutions have been preparing for cyber-war or
cyber attacks for a long time. So, we have seen the sharing of
information amongst the banks with the Department of Homeland
Security, and scenarios being played out simulating cyber
attack. This has been happening for a number of years.
However, since we haven't had one of these events, these
large events, occur yet, it is--we are not sure whether we are
actually prepared for such an event when it does occur.
As far as policy recommendations go, we offer the
recommendations, obviously, to address the Social Security
issue and replace the Social Security number with a better
identifier, promote cyber security interoperability, pass national
breach legislation, and enhance information sharing, such that
all organizations can benefit from the intelligence and
information that is made available to, currently, some of the
largest organizations.
Thank you.
[The prepared statement of Mr. Bernik can be found on page
50 of the Appendix.]
Chairman Pearce. Mr. Christin, you are recognized for 5
minutes.
STATEMENT OF NICOLAS CHRISTIN
Dr. Christin. Thank you, Mr. Chairman.
Chairman Pearce, Ranking Member Perlmutter, members of the
subcommittee, thank you for hosting this important hearing
today and for giving me the opportunity to testify.
My name is Nicolas Christin. I am an Associate Research
Professor at Carnegie Mellon University, jointly appointed in
the School of Computer Science and in the Department of
Engineering and Public Policy.
My research focuses on computer security. For the past
decade, I have been studying online crime. In particular, my
research group and I have conducted a series of measurement
studies on dark Web marketplaces.
We attempt to better understand the potential economic
impact of these markets, including the role as retail channels
for stolen data. This is the topic at hand today.
In the past 25 years, online retail channels for stolen
data have evolved from dial up forums, to online chat rooms, to
specialized Web forums, to online anonymous marketplaces, also
known as dark Web marketplaces.
Business models have also become increasingly complex to
facilitate the sale and purchase of stolen data on a large
scale by less sophisticated actors.
Similar to industrial supply chains, the modern market for
stolen data shows specialization. The number of technically
savvy actors responsible for data breaches is rather small.
After the stolen data is broken down into what is suitable for
individual resale, retail-level vendors will offer the data to
the general public.
Although criminals provide services surrounding stolen
data, such as mule services, or money laundering tutorials
without directly interacting with stolen data.
Using measurements we collected between 2011 and 2017, from
most of the major online anonymous marketplaces are heightened
during the timetable, we can make four observations.
First, revenue generated by criminals engaged in monetizing
data breaches continues to pale in comparison to the potential
costs of the remedies.
In the early- to mid-2000's, researchers estimated
that criminals made on the order of tens of millions of
dollars per year from the sale of the required data. Meanwhile,
the societal costs of those breaches were thought to be in the
billion-dollar range.
Our measurements indicate that this asymmetry still exists
today. The overall revenue from the entire trade of illicitly
acquired data remains rather low, compared, for instance, to
the online trade of narcotics.
Stolen credit card numbers are often sold for a few dollars
each. More expensive offerings, including Social Security
numbers or date of birth, may reach in the order of a hundred
dollars apiece.
However, recovering from the damage incurred by each
individual theft is far more expensive, due to second-order
effects, such as impact on credit ratings.
Second, the dark Web marketplace ecosystem, as a whole, has
shown strong resiliency to law enforcement. Shutting down a
marketplace has, so far, mostly seemed to result in criminals
moving to a different one.
Long-term impacts on the overall illicit trade are
uncertain. Takedowns also may potentially lead some of the
actors to move the activity to less publicly observable forums.
Third, 80 percent of the revenue is generated by 10 percent
of the vendors. A few successful individuals attract relatively
large numbers of amateurs that do not profit much, if at all,
from their activities.
These unsuccessful actors, nevertheless, contribute to the
overall problem by making the market for stolen data larger and
more complex.
Fourth, these marketplaces are international in nature. And
even when certain actors are identified, jurisdiction issues
may complicate prosecution or arrest.
These findings indicate that focusing on preventing
breaches from happening in the first place is probably more
economically efficient than attempting to disrupt retail and
distribution channels.
Prevention is also likely to be more effective than
recovering from a data breach, once it has happened.
Finally, measurements of dark Web marketplaces solely focus
on the retail end of the stolen data ecosystem. They, thus, are
an imperfect signal, particularly when it comes to tracing
stolen data back to a specific breach.
Nevertheless, these measurements give us important
information on the health and evolution of the market for
illicitly acquired data and on the monetization techniques in
use.
Thus, it is important to continue supporting these
documentation efforts, to understand the criminals' business
models, determine the most specific strategies to disrupt them
and improve overall security.
Thank you very much.
[The prepared statement of Mr. Christin can be found on
page 57 of the Appendix.]
Chairman Pearce. Thank you, sir.
Dr. Lewis, you are recognized for 5 minutes.
STATEMENT OF JAMES LEWIS
Dr. Lewis. Thank you, Mr. Chairman and Ranking Member
Perlmutter. I appreciate the opportunity to testify.
Cyber crime is big business. I think you have heard that
from all my colleagues. We have conducted three studies with
the support of McAfee to estimate the cost.
In interviews for our studies, one senior official called
this the greatest transfer of wealth in human history, while
another said it was a rounding error in a $14 trillion economy.
So, we hope to bring a little more precision to this range.
Estimating the cost of cyber crime is difficult because
data collection is willfully inadequate. Most countries don't
collect statistics on cyber crime. And many victims prefer not
to report their losses.
Our reports looked at a broad range of costs, including
recovery costs, I.P. theft and damage to brand.
Our most recent study estimated that cyber crime cost the
world between $450 and $600 billion a year, a 20 percent
increase in 2 years.
This increase can be explained by the growing
sophistication of cyber criminals, by the increase in the
number of Internet users and by improvements in the ability of
cyber criminals to monetize stolen data.
This has always been a problem for cyber crime. You can
take personally identifiable information or intellectual
property, but then turning it into actual cash can be a
challenge.
One of the reasons cyber crime continues to grow is that
criminals have become better at monetization, in part because
of the availability of cryptocurrencies. Cryptocurrencies make
cyber crime easier by increasing anonymity and by simplifying
money transfers.
Cyber crime activity on what is called the dark Web, the
hidden Web, also contributes to the growth in cyber crime. This
hidden Internet is a safe space for cyber crime.
And I was--in preparation for the testimony, I was looking
at some of these sites this morning, and I found one that
offered a money-back guarantee if you bought data from them,
stolen data. And it didn't work. They would--they would refund
your--so, it is a very sophisticated market.
Another reason for the growth as you--of the cyber crime,
as you heard, is state-sponsored cyber crime. Russia is a haven
for the most cyber--advanced cyber-criminal groups in the
world. The Kremlin sees Russian cyber criminals as a strategic
asset.
The other state that extensively supports cyber crime is
North Korea. It uses hacking by its principal intelligence
agency, the Reconnaissance General Bureau, to generate hard
currency for their regime.
So, this is a daunting set of problems. You have protected
spaces on the dark Web, innovative and dynamic cyber criminals,
cryptocurrencies in countries that provide safe havens and
support for cyber crime.
But there are actions we can take to reduce risk. As you
heard earlier, we won't be able to eliminate cyber crime, but
we can make better efforts to manage it.
This would include the U.S. and its allies, developing an
effective strategy for punishing states that support cyber
crime, greater regulation of cryptocurrencies, and expanded
efforts to disrupt criminal networks, in partnership with our
allies in other countries.
Finally, all nations would benefit from a serious effort to
collect data on cyber crimes' cost. I think that would be
helpful.
I thank the committee for the opportunity to testify and
for its work on illicit finance and for our CFIUS modernization
and look forward to any questions.
Thank you.
[The prepared statement of Mr. Lewis can be found on page
66 of the Appendix.]
Chairman Pearce. Thank you, sir.
The Chair now recognizes himself for 5 minutes for
questions.
So, I think, Dr. Lewis, I would ask you, first, that
estimating losses is hard, according to what you are saying. I
think we understand that.
Is there--what, sort of, effort is there, internationally,
to, maybe, join together countries? First of all, which country
is probably the best at intercepting and stopping the cyber
crime? And then, are there international efforts where
countries are joining together?
Dr. Lewis. Thank you, Mr. Chairman.
There is a good correlation between countries that have
strong law enforcement systems and punishment for cyber crime.
So, if you are a cyber-criminal and you live in the U.S. or
the U.K. or France or Germany, your life expectancy is probably
only about 3 years before you are caught and go to jail.
In places that have weak cyber-security laws, like Brazil
or countries--other developing countries, you see a growth in
criminal activity.
So, the effort here is to have strong cyber-security laws.
The U.S. leads in that with the Budapest Convention and to
develop new ways to cooperate on the exchange of evidence and
on the efforts to take down networks.
So, currently, there is no central place that does this.
The U.N. has a committee on crime that is trying to develop a
more common approach. But the differences among nations make it
hard to get--nations make it hard to get cooperation.
Thank you.
Chairman Pearce. Thank you.
Mr. Bernik, you had mentioned North Korea as being one of
the state actors. And then, the testimony of others indicated
Russia.
Who are the other major players, as far as state-
sanctioned, state actors?
Mr. Bernik. Another major player would be China. They have
invested a lot of resources in building capabilities and also
have been attributed to some of the most significant hacks at
recent times.
So, the Anthem hack, as you will recall, which was the big
one that occurred a few years back, where a lot of medical and
Social Security numbers were stolen. As well as the Yahoo hack
has been attributed to them.
This--these hacks and this information is being amassed for
a purpose. We just--we just don't know what that purpose is.
So, that threat and that capability that they are massing,
raises a significant amount of risk to our--to us, as a--as a--
as a country.
And, I think, that is the to-be-determined risk. What that
will look like and whether those attacks, if they occur, will
be targeted against infrastructure, banks, individuals. We
don't have the answer right now and that is--that is one of the
most concerning things, I think, for all--for all of us.
Thank you.
Chairman Pearce. Yes. And Ms. Ablon, the lack of
consequences, obviously, plays a big role in encouraging.
Are there any nations that appear to be dealing with the
lack of consequences? I don't think that we are.
So, what is your comment on that?
Ms. Ablon. Specifically for the cyber crime markets, they
are highly reliable. And so, products are what they say they
are. People do what they say they do. Trying to tarnish the
reputation is quite difficult.
In terms of specific countries that are going after it, it
is, really, on a country-by-country basis. Law enforcement,
here in the U.S., is getting better in going after cyber
criminals. Certainly, more resources would help.
But more digital natives are entering into our law
enforcement and that helps to understand the nature of cyber
crime and the technical capabilities.
And also, suspects, in the last few years, are going more
after big companies, rather than specific individuals. And that
allows cyber crime to bubble up and be more seen and giving
more opportunities for U.S. law enforcement to go after them.
Chairman Pearce. Dr. Christin, if you were contemplating
the hack into the Office of Personnel Management, what
advantage does that--how is that information viable to the
nation states? What do they use it for?
Dr. Christin. I tend to focus on economically motivated
cyber crime. And, as such, I will not, really, be able to
answer that question because it is not clear that there are
actual economic incentives to use the OPM breach.
Chairman Pearce. OK. My time is expired.
The Chair now recognizing the gentleman from Colorado, Mr.
Perlmutter, for 5 minutes.
Mr. Perlmutter. Thanks, Mr. Chair. And this is all very
interesting. And, for me, just some very basic questions.
Ms. Ablon, if you were a bad guy out there, and Dr. Lewis
talked about going to the Internet today and just skimming some
stuff.
So, how does somebody find out about the dark Web, and, if
they want to go purchase some information? Just give us a
little primer on that.
Ms. Ablon. It is pretty incredible how easy it is to get
involved in these markets.
As I mentioned in my original testimony, all you need is an
Internet connection and a device to get involved.
I have seen--certainly much of the markets are in the dark
Web. Things where you need special tools or special services to
access things like Tor, the Onion Router.
But there is plenty that can be found on the surface Web.
Things that you can Google for.
For example, I have seen Google guides on how to use a
particular exploit kit. I have watched YouTube videos on where
to find and buy stolen credit card data.
So, this kind of stuff is easily accessible and within a
few finger taps.
Mr. Perlmutter. Could I--could I get on there and query,
where does Steve Pearce live? Or give me credit card
information about Steve Pearce. Just me. Ed Perlmutter, I go
on. I want to know something. I want to pick up something on
him.
Ms. Ablon. So, in terms of just getting general fungible
data, so things that are reusable, you can certainly find that
in mass quantities. Random Social Security numbers. To find a
particular targeted person, that would require a little more
work.
Now, as I mentioned, as service offerings are increasing,
you can hire someone to try and find that particular data. Or
with enough information, try to go after a particular e-mail
account and guess the password of whoever you are trying to
target for in order to get their information.
Mr. Perlmutter. OK, thank you.
Mr. Bernik, you ticked through some major hacks. I seem to
be--so, yes, I have Anthem. You forgot J.P. Morgan, Equifax,
Target, Department of Personnel and you forgot the DNC. OK?
So, you didn't want to speculate as to--who wants this
information? What do you think they can do with it? They could
get credit card information and maybe steal something?
Mr. Bernik. Right.
Mr. Perlmutter. Let us go bigger. Let us go, one, who are
the big purchasers? Is Russia? Is North Korea? And what are--
what are--what would they do with this stuff?
Mr. Bernik. We have done a lot of studies with Dr. Lewis on
this and trying to--trying to analyze that very question.
The reality is that we are at a cyber--some say a cyber war
with these nations now. It is a cold war, if you will. It is
not--we are not full-fledged.
We are gathering the constant--they are gathering the
constant information. We are gathering this information to use
it, potentially to understand how corporations operate
individuals of interest.
They may be able to use this as leverage, by having
information about an individual, their medical conditions.
There is a lot of power in having information as--
Mr. Perlmutter. So, these states could be both the hackers
and the buyers of information?
Mr. Bernik. In some senses, they are the--right. They could
be the buyers, the aggregators of the information. They are the
perpetrators, in some--in some cases of the attacks,
themselves.
So, although we are not certain, in many cases, because
attribution--the anonymous nature of the Internet makes
attribution very difficult, as has been stated.
So, we cannot, 100 percent, guarantee that these are the
attackers. But all indicators point to them, to China, North
Korea. and, in some cases, Russia.
They are gathering this information for a--to launch
attacks against our populace, potentially, to influence, to
direct individuals to do things on their behalf, we know that.
So, I think that is what we are going to see more of in the
future. We haven't seen it yet.
Mr. Perlmutter. Dr. Lewis, you mentioned the
cryptocurrencies and the camouflage or the obscurity of these
things. Can you--can you expand on that just a little bit?
Dr. Lewis. Sure. The way that you can acquire these
currencies can make it difficult to trace back who is actually
buying them.
And so, good trick would be to steal your credit card, buy
the cryptocurrency, while using your credit card, and then, it
is--it can be anonymous as to who is actually acquiring it
after that.
And you can--just as you have done with money laundering,
you can go through a number of steps to help obscure the trail.
One of the interesting things, as we all know about
Bitcoin--and Bitcoin isn't anonymous enough for cyber
criminals, so they are developing a range of new
cryptocurrencies that are even harder to track. So, this is a
gift to money laundering.
Mr. Perlmutter. OK, thank you all for your testimony.
Chairman Pearce. And if the gentleman is going to really
search my data, you probably ought to do it quick because it
is--it is about to be emptied anyway. So, move fast.
The Chair will now recognize Mr. Pittenger for 5 minutes.
Mr. Pittenger. Thank you.
Dr. Lewis, I do appreciate you mentioning CFIUS in your
written testimony. As I have previously noted, Senator Cornyn
and I have introduced legislation to reform and modernize the
CFIUS process.
Could you please elaborate on how the Chinese are using
joint ventures to steal our critical technologies and know how?
Dr. Lewis. Yes, thank you, Mr. Chairman. And I should
congratulate you. Didn't you have a journal op-ed?
Mr. Pittenger. Yes, sir.
Dr. Lewis. Good op-ed.
Mr. Pittenger. Thank you.
Dr. Lewis. Let me touch on two cases that are recent that
we know about that illustrate this and answer some of the
questions that came up earlier.
Just last week, or just this week, we saw the President
block Broadcom from acquiring Qualcomm. And a few months ago,
we saw CFIUS block the Ant, Chinese, Financial company's
efforts to acquire an American company.
And we can think about Chinese behavior as, really, an
intelligence activity. It is an effort to acquire data.
If you look at what the Chinese are doing, they are
investing in artificial intelligence and big data analytics in
quantum computing and quantum communications. And they may,
actually, be ahead of us there.
And they are building a global communications network,
using their telecom companies which have close links to the
states.
So, if China is building an intelligence capability, one of
the things they need to do is populate that with data. And so,
acquiring U.S. companies that would ease that acquisition of
data.
The thing that is interesting to me is we are all fairly
familiar with what CFIUS used to do. So, the first bill blocks
acquiring military technology. First of all, FINSA blocked
terrorist and Homeland Security concerns.
And now, I think it is time for modernization, as the bill
you have put forward does to think about how China uses this,
not just for military advantage but for intelligence advantage.
Mr. Pittenger. Could you, Dr. Lewis, give us some greater
detail of the types of critical technology and intellectual
property that China and other countries are trying to steal?
Dr. Lewis. Sure. And one easy way to track that is to just
look at Chinese activity in Silicon Valley.
So, a lot of attention to artificial intelligence, a lot of
attention to big data. They are also looking at sensor
technology which can be useful, both on the Internet and for
your military application.
They are looking at space technologies. So, they are
looking at autonomous vehicle technology. And when I say
looking, I should probably say looking to acquire.
So, the Chinese have identified the crucial technologies
for modern military and are seeking to use joint ventures,
greenfield efforts in the valley, acquisitions of U.S.
companies or other western companies.
And you all probably remember KUKA, the German robotics
firm, that the Chinese were able to acquire. They have a good
strategy for acquiring the technologies for a 21st century
military.
Mr. Pittenger. Thank you.
If you could just elaborate some more on how this threatens
our U.S. businesses and international security.
Dr. Lewis. Sure.
So, one of the problems is that Chinese state-supported
investment in high-tech companies crowds the market. So, if the
market can support 10 companies and the Chinese subsidize 3
more, everyone's revenue share falls down. Every company is
made weaker. Every company invests less in R&D. And that will
hurt us.
Our dependence on some Chinese technologies creates
intelligence vulnerabilities that we have seen China exploit in
other countries.
Chinese efforts to modernize its military have gone into
high gear. And when you look at anti-satellite efforts,
precision-guided munitions, economic strike, cyber attack,
they have found that China, itself, has become very strong, as
an innovator, but they still gain advantage from borrowing
other people's technology.
And I think those are the areas I would look at.
Mr. Pittenger. Yes, sir. They sought to acquire
semiconductor companies. I think they have acquired 20 over the
last few years.
What impact, do you believe, that this has already had and
how critical and what kind of crisis are we in now to try to do
something about reforming CFIUS?
Dr. Lewis. So, China has--had creating a domestic
semiconductor industry as a goal since it opened to the west in
the early 1980's. And they have failed, each time, despite
spending billions of dollars because it is hard to make
semiconductors.
And so, their most recent strategy is, let us just buy the
whole company. And I think CFIUS has done a good job at
blocking that.
But the Chinese are persistent. They are well resourced.
And they have not given up on this goal in more than 30 years.
The effect on the U.S. is that we could become dependent on
sensitive technologies from China that the Chinese could take
advantage of. That is a real concern. That is a supply chain
concern.
The second one is that U.S. companies could find themselves
hard pressed to continue to invest, hard pressed to innovate.
And the market could tilt away from the U.S. and toward China.
Mr. Pittenger. Thank you.
My time has expired.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizes the gentleman from Connecticut,
Mr. Himes, for 5 minutes.
Mr. Himes. Thank you, Mr. Chairman. And thank you, all, for
your testimony.
I have heard a theme reiterated today that I first heard
from Gartner which happens to be in my district in Stamford,
Connecticut.
And the point made is that there aren't a lot of new
attacks, new technology, new software, zero-day software. There
is just not a lot out there.
That most of the successful attacks are using techniques
and malware that are readily identifiable. And that the problem
is that people simply aren't using good cyber hygiene. That
they don't update their security software. That sort of thing.
Setting aside, for a moment, the question of policy, which
we have discussed here a little bit. We, as Members of
Congress, interact a lot with the--with the public and our
constituents.
I would love to just take my time to cycle through the
witnesses. And apart from the obvious, and by the obvious, use
of two-factor authentication, not using your birthdate as a
password, changing your password periodically.
Apart from the obvious, what would you suggest to us are
other measures that our constituents, that the American public
should take to try to increase the overall level of network
security and the--and the safety of their data?
Ms. Ablon. As you mentioned, there are no new attacks, just
new attack surfaces. So, as things, like the Internet, if
things come up, and there are a lot more digital devices, people
are not necessarily thinking about securing their thermostat,
like they are their computer.
So, there is certainly the normal cyber hygiene that can
be applied to those new attack surfaces.
I would also say that it is not possible to be 100 percent
secure. A determined attacker will get through no matter what.
So, if we can make it more expensive, in terms of time,
resources, and research for an attacker to get through, then
that can--that can be helpful.
Something--humans are the weak element. So, if we can
educate people to be aware of the kind of attacks that might be
facing them, that is something that is an obvious cyber hygiene
thing. But the more that we can do it, the better.
Mr. Himes. Mr. Bernik?
Mr. Bernik. So, we, at McAfee, would suggest that you
invest in software to protect your computer. I think it is
pretty basic, at this point. There are a lot of different
options. I had to say that, didn't I? It is the correct answer.
But beyond that, I will--
Mr. Himes. Let us take a commercial break.
Mr. Bernik. Beyond that, I would say that--don't use the
same password for everything. People just do that because it is
easy.
And, I think, people--it used to be said, don't write your
password down. People would say that. But I think they are
going to change it. Write it down. It doesn't matter.
Just don't use the same password for everything. Because
once you get attacked once, you are hacked on everything if you
use the same password which most people do.
Lock your Social Security report. If you--if you are not
applying for credit, then lock your report. Everybody should do
that. Because if they have your Social Security number, they
can probably--maybe hackers can probably do something against
your--against your credit.
So, by default, you should lock your report at all times,
if you are not applying for credit. That is basic. And that is
free.
What else? Those--I think those two--those three things,
using protection on your computer, keeping it patched and up to
date, not using the same password, and locking your Social
Security report would be--it is supposed to be your credit
report. Pardon me. Your credit report would be, in my advice,
for individuals.
Thank you.
Mr. Himes. Before we get to Mr. Christin, Mr. Bernik, since
you brought it up, what, in 20 seconds or so, is your take on
some of these password protection apps, like Dashlane and
others? Are they secure?
Mr. Bernik. Well, so, what they do is they control--use an
app you install that controls all your credentials in one place
and it is, basically, in the cloud, effectively. It is stored
in a database on the Internet. It is one key that unlocks all
keys.
I, personally, think they are useful because they let you
change and create random credentials which is more effective
than what most people do which is use one series, and they just
change the last couple of numbers. Or where they don't have to
change it, use the same password for everything.
So, I would say that they are useful tools if used
correctly. If you use a weak password or weak credential, and
you use that credential as the key, then you are, basically,
creating a disaster for yourself.
So, used the wrong way, that could be very disastrous.
Mr. Himes. Great, thank you.
And, very briefly, Dr. Christin, Dr. Lewis, anything to
add?
Dr. Christin. Yes, I would echo the previous witness, his
comments on the password managers. They are very useful and
they should be used to generate passwords, as opposed to simply
recalling them. Because computers are really good at generating
long, random, unguessable strings.
That would be my main recommendation.
Mr. Himes. Thank you.
Dr. Lewis. Think about where you go online. You probably
saw in the indictments today--pardon me, in the sanctions today
that one of the tactics that cyber criminals use is what they
call waterhole attacks.
Think about where you go. Think about what you put online.
Think about what you click on. Be cautious with social media.
Do the basic hygiene. People still don't do that.
And, finally, back up your data. If you would use iCloud or
one of the other cloud services, it makes you a little more
difficult to suffer from a ransomware attack.
Mr. Himes. Thank you.
I yield back, Mr. Chairman. Thank you.
Chairman Pearce. The gentleman's time has expired.
The Chair now recognizing the gentleman from Pennsylvania,
Mr. Rothfus, for 5 minutes.
Mr. Rothfus. Thank you, Mr. Chairman.
I want to go to Dr. Lewis.
In your testimony, you said that Russia is a haven for the
most advanced cyber-criminal groups. And that they use cyber
criminals as a strategic asset.
Is the Russian government directly profiting monetarily
from cyber crime?
Dr. Lewis. It would be safe to say that members of the
Russian government profit directly from cyber crime.
Mr. Rothfus. Do we have any estimate of the revenue that
they would generate?
Dr. Lewis. We could probably come up with one. I did not
for this hearing, so it may be a question.
I don't know what the other panelists think. But we know
that this is a very profitable line of activities. So, at a
minimum, it is probably in the hundreds of millions of dollars.
Mr. Rothfus. How do state-sponsors of cyber crime recruit
or obtain the services of cyber criminals that carry out
illicit activity?
Dr. Lewis. In countries like North Korea, it is very easy
because they are members of either the military or the
intelligence services.
In places like Iran or China, and to some extent Russia,
they are hackers who come to the attention of the security
services. And it is suggested that they cooperate with the
state.
In Russia, there are both state programs to identify
potential hackers and a linkage between the security services
and cyber criminals.
So, each one is a little bit different. But if you monitor
the Internet, you can always see when somebody is doing
something bad. And then, you go to their house and say, jail or
play ball.
Mr. Rothfus. Mr. Bernik, in your testimony, you discussed
how ransomware is the fastest growing form of cyber crime. Can
you discuss the various reasons why ransomware is becoming a
more popular tool used by cyber criminals?
Mr. Bernik. Certainly. It is a very commoditized tool. The
ransomware can be purchased on the dark Web through exchanges.
It is a commercial-grade software so it is very effective.
As Dr. Lewis mentioned, there are situations where you can
get a money-back guarantee on that ransomware. So, you can pay
for it. You can pay with cryptocurrencies. So, it leverages all
the best and worst parts of the technology available to the
criminals and that is why it is effective.
And the punishment for not paying is you don't get your
data back. So, the damage is you may be out of business and you
may have lost all your personal information, depending on
whether you are a company or an individual.
This is the reason why ransomware is so fast growing and so
effective.
Mr. Rothfus. Which type of cyber attack methods are
companies and governments currently most and least equipped to
prevent?
Mr. Bernik. That is a good question.
So, as was previously mentioned, malware and ransomware have
become commoditized. The difference between them is just the
update with the latest vulnerabilities.
So, if you take a new vulnerability that just came out, say
yesterday, and you add it to an existing kit, it will be very
effective because that vulnerability will have no protection.
It is often referred to as a zero-day because there is no
protection for it, the first day.
So, that is the most dangerous scenario for any
organization where they have a missing configuration or patch
issue, as was the case in Equifax.
So, as we move the window from availability of a
vulnerability to its inclusion in a kit, the danger is greater.
Because no one--fewer companies will have the protection, if at
all.
And that is the biggest fear of these organizations. That a
destructive type zero-day attack will occur. Where they are
racing machines at fast clip--at a fast pace. And there is no,
necessarily, protection that you can have for that type of
attack.
And that would be the worst-case scenario and the one we
are least prepared for, as a country and as organizations.
Mr. Rothfus. I was intrigued when Mr. Perlmutter was
talking about looking for some data on Mr. Pearce.
This is a question I am going to ask Ms. Ablon. What--how
would--if you went out looking for the data and wanted to,
then, buy the data, what payment methods are being used to buy
this illicit data?
Are they using Bitcoin? Are they using--do they send cash
through Western Union? How do--how does one pay for data like
that?
Ms. Ablon. You can pay with it with any method. Cyber
criminals will accept money in any way that they can get it.
So, absolutely you can pay with PayPal. You can pay with
digital currencies that aren't crypto, that aren't hidden. So,
things like WebMoney, Western Union. You can also pay a crypto
card.
Mr. Rothfus. Are they do--you can but are they? Do we
have--do we know what they are doing?
Ms. Ablon. Yes. Yes. So, there are people that pay with
that more and more. There is crypto card--
Mr. Rothfus. With what?
Ms. Ablon. With--pay with non-cryptocurrencies.
But more and more, the trend is to go toward
cryptocurrencies because of their anonymity--anonymous
properties.
The thing about cryptocurrencies is that they are anonymous
until you get to the exchange. The crypto--the bitcoins'
exchange--the cryptocurrency exchanges is when you actually
turn the digital money into actual cash, Euros or dollars. And
that is the point where you can tie a human being to the
wallet, to the digital currencies.
That is, really, the weak point to go after.
Mr. Rothfus. My time is expired.
Chairman Pearce. Anybody that would pay a hacker for--with
a credit card is just asking for trouble, it looks like.
The Chair would recognize Mrs. Maloney for 5 minutes. Oh, I
am sorry. Ms. Sinema for 5 minutes.
Ms. Sinema. Thank you, Mr. Chairman. And thank you to our
witnesses for being here today.
Mr. Chairman, more than most, Arizonans value their privacy
and that is why we have been outraged by data breaches, like
the one in Equifax. And we are frustrated there has been so
little action by Congress, the CFPB and others to hold Equifax
accountable and prevent future breaches.
We all know this is a growing problem that requires action.
Just in the last year, there were over 1,000 breaches that
exposed over 1 billion records of sensitive data, according to
the Identity Theft Resource Center.
And that makes fraud significantly more likely which is why
we are working across the aisle to protect Arizonans from
identity theft and financial fraud.
Arizona's 1.1 million seniors are especially at risk, which
is why I am working to pass the Senior Safe Act.
Our bill with Congressman Poliquin of Maine trains
employees at banks, credit unions, and other financial
institutions to spot financial fraud against seniors and report
to law enforcement. Our bill was recently endorsed by AARP and
it passed the House with the support of both parties.
But seniors aren't the only ones with significantly greater
risk of financial fraud. We are also working to protect
Arizona's children from synthetic identity theft which occurs
when a criminal takes a Social Security card--or Social
Security number.
And uses it to open bank accounts and lines of credit under
a fraudulent name. This type of I.D. theft is often targeted at
children because they have no prior credit history.
In Arizona, a 17-year-old girl discovered, to her horror,
that a scammer had accumulated over $725,000 of debt in her
name. Her information was linked to 8 suspects who opened 42
accounts, including mortgages, auto loans, and credit cards.
So, targeting our kids and running up massive debts in
their name is both shameful and cowardly. We have to fight back
to ensure they have the chance to build their futures.
So, we have introduced the Protecting Children From
Identity Theft Act which is a common-sense fix that modernizes
Federal fraud detection to stop criminals and protect Arizona's
kids.
Every--Arizonan deserves financial peace of mind and we are
going to get these bills signed into law.
Mr. Chairman, last month, I requested more hearings on
Equifax and these data breaches, and I am glad we are now
getting the opportunity to dig deeper into these important
issues.
So, with that, I have a question for Ms. Ablon from the
RAND Corporation. So, thank you for being here today.
The two bills that I mentioned today focus on enhancing
cooperation between Government, law enforcement, and the
private sector to catch cyber criminals and protect law-abiding
Americans.
Your testimony has noted the importance of these efforts,
and there are highlighted steps that we could be taking to
disrupt cyber crime markets, which are the clearinghouses for
criminals to sell our personal and stolen information.
Identity theft operations vary in both scope and
sophistication. So, I have two questions for you. What
percentage of these illicit operations would you say directly
rely on the use of reliable cyber crime markets to be
profitable? And which Federal agency is best equipped to
infiltrate and thwart these markets?
The second question is, what additional authorities and
resources should Congress provide to crack down on these cyber
crime markets?
Ms. Ablon. I can't give a specific number of the percentage
of identity theft victims or identity theft directly related to
the cyber crime markets. However, I would posit that it is
quite high, given the accessibility, the availability, and the
reliability of the markets.
In terms of what authorities can do to crack down, I
mentioned three things in my testimony: International
cooperation, information sharing, and then tarnishing of the
reputation of the markets.
With international cooperation, this is an effective
strategy, especially as I mentioned before, these bitcoin
exchanges are the weak point in identifying who the attackers
are, who the cyber criminals are.
More and more, these bitcoin exchanges are hosted overseas,
so having good international relations with other countries can
help law enforcement in the U.S. work with law enforcement
overseas and try to get to the actual people to attribute--to
detect, attribute, and then interdict the cyber criminals.
In terms of information sharing, information sharing is
something that gets talked about a lot. As one of my RAND
colleagues has mentioned, information sharing is not a cyber-
security panacea. It won't solve all problems, however it can
be very helpful.
Information sharing between law enforcement and banks can
be useful as well as small businesses, to let them know what
they should be doing. What they should be looking for. What bad
or odd behavior looks like in order to, then, notify law
enforcement.
Also, sharing information with consumers about who are the
victims of data breaches and what they should be looking for as
well, can be useful for them to call their credit cards--credit
card companies or call places like Equifax or other places that
might have their identity information to shut those down so
that the cyber criminals can't monetize those or can't take
advantage of those.
Ms. Sinema. Thank you, Mr. Chairman. My time has expired.
Chairman Pearce. The gentlelady's time has expired.
The Chair now recognizes the gentleman who has been
selected as the preseason all-star from Texas, Mr. Williams.
Mr. Williams. Thank you for that introduction, Mr.
Chairman.
In 2017, more than 1.9 billion records were exposed to
public cyber breaches. As of this year, we only have--halfway
into March, cyber breaches have already exposed nearly 20
million records across the Nation. Important cyber information,
including intellectual property and personal information,
continues to be the target.
What is alarming to me is that terrorist and state-
sponsored regimes, like North Korea or China, are often behind
these attacks, as we talked about. They will continue to take
advantage of America's cyber-security weakness. We cannot let
that happen.
And I hope the testimony today begins to let us come up
with solutions on this pressing matter. And I want to thank
the--all of you for being here.
The first question real quick, Ms. Ablon, is what advice
would you have for everyday citizens to do if they become
victims of stolen data, ransomware, or other crimes?
Ms. Ablon. The one piece of advice I would give consumers,
who are more and more becoming victims, is to be alert. Be
aware of what is going on. Be--as Dr. Lewis mentioned, look
where you are going online.
And then, also, be a little paranoid. I think it is safe
for everyone to be a little paranoid about what--where their
data is going and their activities online.
Mr. Williams. OK, thank you.
Mr. Bernik, what lessons, in dealing with the aftermath of
mass hacking attacks, like we have seen in the last few years
in the breaches, as we have spoken, again, Equifax, Home Depot,
Target, and J.P. Morgan, has the industry learned as the result
of those attacks?
Mr. Bernik. The industry has learned to prepare more
effectively through scenarios. So--and, obviously, the sharing
of intelligence.
So, when an organization becomes aware of a threat, they
will run a scenario where they will, basically, self-assess
themselves against that threat and understand what the
implications might be should they become impacted.
Another thing they have done is prepare for the outcomes.
These are corporations now--to prepare for the outcomes of
those attacks, meaning preparing for destructive-type malware
that erases systems, creating backups, offline backups that are
separated from their online backups.
So, they are really gearing up for what they feel will be,
essentially, inevitable scenarios that will play out for them.
And that is something they learned.
Mr. Williams. Good.
Dr. Lewis, you mentioned in your testimony that
monetization is easiest for criminals when they can transfer
funds directly from the victim to the bank account.
Are there particular jurisdictions that we--that are
especially vulnerable to hosting criminal accounts like these?
Dr. Lewis. Yes, thank you. The interesting part for me here
too is, this will fall certainly within the interest of the
committee, is that it very closely parallels money laundering.
So, when you think about Malta, Cyprus, some of the other
countries where you would want to do money laundering, Eastern
European banks have, in the past, been a good target.
Usually, there are multiple hops. So, it goes from your
bank account to another one and then to a third one and then,
maybe, to one of these money laundering centers.
Now, it may just disappear in the void because, at some
point, as Ms. Ablon has said--oh, I am sorry. It looks like
money laundering. It tracks very closely with how money
laundering is carried out.
And its cryptocurrencies are changing that a little bit by
making it easier to hide the tracks of where it goes.
But if you know how money laundering works, and, of course,
the members of this committee do, that is a very similar
pattern.
Mr. Williams. OK, thank you.
Dr. Christin, you mentioned the sale of services
surrounding data breaches, like data verification and money
laundering. Could you discuss these services or steps we might
be able to take to prevent those services?
Dr. Christin. Yes, thank you.
So, for instance, an example of services, what is called
money mules, and at a high-level, very simply the way they work
is that somebody is being recruited online for a work-from-home
type of opportunity.
And the way it works is that this person is instructed to
transfer moneys from a stolen account. They don't know it is
stolen, they are just being given a number into an overseas
account or into their own account before transferring it to an
overseas account.
So, that is one of the avenues that is being used for money
laundering. Very similar to what drug dealers are using for the
transport of drugs.
To address this kind of problem, I think that, what Dr.
Lewis was mentioning earlier, in terms of putting some pressure
on certain financial institutions, is probably the best--the
best avenue.
Thank you.
Mr. Williams. Thank you. And I yield the remainder of my
time back.
Thank you, Mr. Chairman.
Chairman Pearce. The gentleman's time has expired.
The Chair would now recognize the gentlelady from New York,
Mrs. Maloney, for 5 minutes.
Mrs. Maloney. Thank you, Mr. Chairman and Mr. Ranking
Member and all the panelists. It has really been very
insightful and, actually, very disturbing.
Unfortunately, we have seen that hacking has become more--
much more lucrative because of cyber criminals and the
cryptocurrencies, like Bitcoin.
And I have this report that I want to put in the record and
share with my colleagues on ``Sex, Drugs, Bitcoin: How Much
Illegal Activity Is Financed Through Cryptocurrencies.''
And this report points out they believe 72 billion of
illegal activity is taking place on Bitcoin. And--
Chairman Pearce. Without objection.
Mrs. Maloney. --my question for all the panelists is, would
cracking down on these cryptocurrencies reduce the incentive
for cyber criminals to steal data from companies and
governments?
And this report also says that roughly 25 percent of
Bitcoin users were using and half their activity was illegal
activity. It is disturbing to see ads to buy women on the
Internet through Bitcoin and drugs and other illegal
activities.
So, I would like to--I would like to ask Mr. Nicolas
Christin your response to that question.
Dr. Christin. Thank you. I think that cryptocurrencies are
just a means of payment. And let us assume that tomorrow,
cryptocurrencies become completely illegal. I doubt that it
would actually stop the criminals in their tracks.
Because cryptocurrencies are a relatively recent
phenomenon. Bitcoin, for instance, started appearing in 2008-
2009.
And before that, we already had cyber crime. People were
just using different tools. Liberty Reserve, WebMoney, and so
forth.
So, I don't necessarily think that clamping down on the
payment system itself, or even interdicting it, would
necessarily improve the situation very much. People would just
find other ways of getting paid.
Mrs. Maloney. Well, I want to ask you and also Mr. Lewis.
Mr. Lewis this question about nation states.
And when a nation state is behind a hack, sometimes it is
hard to figure out what it is, what they want the money for.
We know, as you have testified earlier, the--North Korea
was behind the hacks in Bangladesh for $81 million. That was
clear, they needed money. They got money.
But, in other cases, when a nation state steals data from a
company like Equifax, and then they don't sell the data on the
black-market, and it doesn't seem to appear some other place,
it really isn't clear what their motivations are.
So, when a nation state hacks into U.S. companies and
steals data but doesn't sell the data on the black-market, why
do you think--what is the explanation of why they did it? Are
they collecting data for espionage purposes?
What is the--I would like to thank Mr.--ask Mr. Christin
and Mr. Lewis and then all the panelists to answer. What is the
motive? Are they phishing?
Are they just--what are they doing when they steal? And
they don't seem to use it, or we can't track what they are
doing with it.
Dr. Christin. So, I will start to answer that by saying
that sometimes we don't even know who is the perpetrator of the
breach, so we have no idea who is behind the actual breach.
When it is not being sold, it can be for a variety of
reasons. Maybe it doesn't have an economic value but has other
types of value, leverage, espionage as you mentioned, and
others.
Very simply put, we just don't necessarily know who is
behind every single breach, and what they are using the breach
for.
Dr. Lewis. Thank you. The nature of the intelligence
business has changed dramatically in the last few years, and
data is at the center of those changes.
So, you can use digital technologies to identify persons of
interest, either for recruitment or, more importantly, for
counterintelligence purposes.
So, we are seeing a world where it is going to be much
harder to operate covertly, simply because of things like the
Equifax breach. And when I see a big breach like that and the
data doesn't appear on the market, I usually assume that it is
an espionage-related case.
Mrs. Maloney. It is a--pardon me, a what?
Dr. Lewis. An espionage-related case.
Mrs. Maloney. An espionage-related case.
Any other comments?
Ms. Ablon. I would add to that aggregating this data can be
very valuable for state-sponsored actors. For example, some
people believe that the same country carried out the
attacks on OPM, Anthem, and United Airlines.
And so, combining all that information would get some of
the most sensitive personal and health information, as well as
information about where people travel, to build a comprehensive
profile of who to target, who to leverage, how to leverage for
future information, or for exploitation of espionage purposes.
Mrs. Maloney. Well, when you--when you see all these--this
theft taking place, Mr. Lewis or Dr. Lewis and Mr. Christin and
others, of all the cyber crime affecting the U.S., which
percentage tends to be committed by state actors, versus
criminal actors, versus terrorist organization or other
activities? Who do you see doing this?
Starting with you, I guess, Dr. Lewis and just going down
the line.
Dr. Lewis. There have been some classified studies on this
question. In the past, China was the leader, by far, of
espionage, largely in its dealing with intellectual property.
Russia was number two, focused on financial crime.
That has changed a bit in the last few years. The Russians
are, for some reason, much--
Chairman Pearce. If I could get the panelists to--tighten
the answers up.
Dr. Lewis. The Russians have changed and focused now as
much--they still focus on financial crime but they also look at
coercion, as we know. And the Chinese have become much quieter.
Iran and North Korea are also actors. But--
Mrs. Maloney. When you say the Russians want coercion, what
does that mean?
Chairman Pearce. The gentlelady's time has expired.
Mrs. Maloney. What are they trying--who are they trying to
coerce? I have been hacked twice by the Russians. That is why I
am curious.
Dr. Lewis. You have probably all been hacked by the
Russians.
But Russian military doctrine changed in 2010 to emphasize
a psychological warfare and online political activities. And
so, we have seen them implement that doctrine across all NATO
countries.
Chairman Pearce. The gentlelady's time has expired.
The Chair would now recognize the gentleman from Ohio, Mr.
Davidson, for 5 minutes.
Mr. Davidson. Thank you, Chairman.
I really appreciate these witnesses and I thank the
committee for doing the work to have a hearing on this topic. I
think it is vital that we get after this.
It is critical, really, first, for the American people. The
American people are sick of the vulnerability and the
helplessness that comes with knowing something like, the
Russians have probably already hacked all of you. What a
shocking statement to go public with that.
But it is not something that truly will be shocking because
not only have the Russians probably hacked us, the Chinese have
probably hacked us. And, frankly, many of the companies that we
buy from or share our data with are actively hacking, in the
sense that they know far more than the average consumer knows.
Frankly, your car has probably hacked a lot of things about
you, including your weight if you have a newer car. And it will
tell where you have been, how long you have been there. And you
aggregate the data and they might be able to speculate about
what you bought when you went in the convenience store.
So, all this is really changing the landscape in the
economy. But because of that, there are some real national
security concerns.
And, frankly, when we talk about all the ways that the data
can be used, I am curious about all the data that is collected.
And I think it is vital that, in law, that this Congress
establishes that in every case, it is your data. The individual
has a property right in their own data. In every platform, in
every way.
And they should be choosing how their data is used.
Certainly, they can give consent. Perhaps they can give consent
for compensation. But they should always be given the opt-in,
in my opinion.
But in the case of the data that is collected and it is
swept up. I am just curious, Mr. Lewis, your assessment of what
is more valuable or easier to obtain or maybe bigger, is
personally identifiable information or intellectual property?
Dr. Lewis. They are--thank you. They are both easy to
acquire but probably the bulk of the data we have seen taken,
at least in numbers, if not in value, is personally
identifiable information.
Mr. Davidson. Thank you for that.
And, Mr. Bernik, your company has built its reputation on
protecting some of this data. Lots of folks use your service or
one similar to it.
And I am just curious what sort of risk controls are
effective at protecting personally identifiable information?
Mr. Bernik. The types of controls that organizations can
implement to protect information are things like encryption,
encrypting the data, both in transit and at rest. So, when it
is being transmitted as well as when it is being stored.
And making sure that high levels of authentication are used
when information is accessed so that it is not so simple to get
access to the information at rest. Meaning you should use more
than just a user name and password.
And, I think, historically, that is all the security we
really had, in a lot of cases. Thus, we have a lot of
compromised information.
Mr. Davidson. Thank you.
And I would add that if the data is not online, then it is
harder to be accessed.
Mr. Bernik. Absolutely.
Mr. Davidson. So, it is not collected in the first place.
It is not there to be hacked.
And so, I guess, is there anything specific about that that
differentiates the risk, whether the database is a government
database or a commercial database?
Mr. Bernik. In terms of the--so, my view that I would take
on that is that organizations should only be permitted to save
this information where they have implemented certain controls.
And so, what they can't determine or demonstrate.
And that is an interesting way of looking at it. That they
have the controls, or they don't need the data, then they
shouldn't collect it.
When you go to any office of any chiropractor or anything,
they will ask you for your personal information. And you will
write it down. They will put it into a database.
The question is, do they have the ability to protect it? Do
they need it?
Those are questions that should be answered and should be
positioned by the consumer before they provide that data. But
that information didn't exist, historically.
Mr. Davidson. Thank you for that. And I would add that we
have offered the Market Data Protection Act. It passed the
House by a unanimous consent.
We are still waiting on the Senate to take action. And this
would simply require the Securities and Exchange Commission to
provide an assurance to us that they do, in fact, have the
controls in place to oversee that.
And so, the same governance that a board would expect of,
say, Equifax, I am confident the I.T. department has a little
more interaction with the board than they used to.
And I would think that would serve as good notice for
governance practices around the country, whether they are in
the Government or not. And since we don't have a chief
technology officer for each secretary.
My time has expired. Mr. Chairman, I yield.
Chairman Pearce. The gentleman's time has expired.
And the Chair will now recognize the gentleman from
Memphis, Tennessee, Mr. Kustoff, for 5 minutes.
Mr. Kustoff. Thank you, Mr. Chairman. And I do want to
thank the witnesses for being here.
Today's hearing has been both very interesting and very
concerning. I think we would agree with that.
Ms. Ablon, if I could. Today, we have certainly had several
hearings where we have talked about the use of cyber--
cryptocurrency. We have talked about that being--becoming more
predominantly preferred method of use on the--on the Web. I
think you may have testified to that, at least becoming--
turning that way.
We also know that the dark Web hosts a forum to sell and
trade illicit goods and services, firearms, drugs, et cetera.
And we have talked about the personal information being bought
and sold in bulk.
I know a few years ago, 3 or 4 years ago, maybe 5 years
ago, there was a dark Website called Silk Road. It was shut
down. Law enforcement worked very hard to shut that down but we
have other dark Websites that have emerged in its place.
Given your work in studying how cyber criminals operate,
can you talk a little bit more--you have talked and there has
been discussion about the dark Web and online black-market
sellers. But the shutdown of Silk Road, of AlphaBay, and how
some of those other Websites actually interact with people and
how they interact with those dark Websites.
Ms. Ablon. Sure. You mentioned some great examples of law
enforcement taking down black-market Websites.
These markets, you can think of them like an Amazon or an
eBay, where you point and click and you put a thing that you
want to buy in your shopping cart. And then, you pay with money
that you might have in your wallet.
So, it is easy to do. We are all really familiar with doing
eCommerce on the surface Web, similarly as how you can do
eCommerce or by purchasing things on the dark Web.
I would offer that you noted some notable takedowns. But
taking down some of these big sites, like Silk Road, AlphaBay,
Hansa, are good but that just leaves market share for other
Websites, for other market places to come in.
So, law enforcement's efforts are like trying to drain the
ocean with a cup. Every time they take out a market place,
there is market share available and plenty of cyber criminals
and nefarious actors to jump in to take that.
Mr. Kustoff. Can you also--you went through the different
categories of bad actors. You talked about--one of the
categories was cyber-terrorist. Obviously, I am talking about
those foreign actors. Those who aren't here.
Where do they train? And do any of them train and get their
education here in the United States?
Ms. Ablon. Cyber-terrorism is an interesting category of
cyber-threat actor. It is--in general, they are--they combine
traditional terrorism and attacks via cyber-space. For an act
to be cyber-terrorism, it needs to occur through digital
domain.
At this point in time, people who are cyber-terrorists or
acts of cyber-terrorism are more akin to hacktivism. People in
the groups like Anonymous.
Now, that is not to say a question that you might think is,
well, are terrorists involved with the Internet? Are they
involved with cyber in some way?
They are. They use the Internet for a number of reasons.
To--information gathering, like learning how to build bombs.
Recruiting, meeting, and conducting--connecting with like-
minded individuals. Spreading propaganda or collecting money or
other efforts in the sense that they might be cyber criminals
online but terrorist in the--in the physical world.
Mr. Kustoff. Thank you very much.
Mr. Bernik, you testified, in relation to somebody's
question, about ways to protect yourself, in terms of
preventing stolen identity. Like you talked about locking the
credit report.
Is that analogous to freezing the credit report?
Mr. Bernik. Correct. It is the same thing.
Mr. Kustoff. Obviously, I would assume that the three
credit agencies don't want that, although they do offer that
service.
That could be onerous on people who are trying to,
obviously, take out loans, mortgage refinance, et cetera.
Is there any other middle ground? Or is that, in fact, the
most secure way to protect one's identity?
Mr. Bernik. So, in my experience, that is the easiest way.
Today, you can unlock it immediately on the Websites by pushing
a button. They have all made that--all the agencies have made
that feature available.
And in the event that you do need to take a loan out or you
do--you are going to, you just unlock it and it is
instantaneously available again.
So, it is merely a question of not allowing those kinds of
hook-ups to be done or requests to be made of you without you
first unlocking that button online and unlocking the report.
Chairman Pearce. The gentleman's time has expired.
Mr. Bernik. Thank you.
Chairman Pearce. The members are advised that there is a
vote in progress. A little over 6 minutes left in the vote.
For me, I would like to thank our witnesses for your
testimony today.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
I ask our witnesses to please respond as promptly as they
are able.
This hearing is adjourned.
[Whereupon, at 3:23 p.m., the subcommittee was adjourned.]
A P P E N D I X
March 15, 2018
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]