[Senate Hearing 115-300]
[From the U.S. Government Publishing Office]
S. Hrg. 115-300
PREPARING SMALL BUSINESSES FOR CYBERSECURITY SUCCESS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SMALL BUSINESS
AND ENTREPRENEURSHIP
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
APRIL 25, 2018
__________
Printed for the Committee on Small Business and Entrepreneurship
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-630 PDF WASHINGTON : 2018
COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP
ONE HUNDRED FIFTEENTH CONGRESS
----------
JAMES E. RISCH, Idaho, Chairman
BENJAMIN L. CARDIN, Maryland, Ranking Member
MARCO RUBIO, Florida
RAND PAUL, Kentucky
TIM SCOTT, South Carolina
JONI ERNST, Iowa
JAMES M. INHOFE, Oklahoma
TODD YOUNG, Indiana
MICHAEL B. ENZI, Wyoming
MIKE ROUNDS, South Dakota
JOHN KENNEDY, Louisiana
MARIA CANTWELL, Washington
JEANNE SHAHEEN, New Hampshire
HEIDI HEITKAMP, North Dakota
EDWARD J. MARKEY, Massachusetts
CORY A. BOOKER, New Jersey
CHRISTOPHER A. COONS, Delaware
MAZIE K. HIRONO, Hawaii
TAMMY DUCKWORTH, Illinois
Skiffington E. Holderness, Republican Staff Director
Sean Moore, Democratic Staff Director
C O N T E N T S
----------
Opening Statements
Risch, Hon. James E., Chairman, and a U.S. Senator from Idaho
Cardin, Hon. Benjamin, Ranking Member, and a U.S. Senator from Maryland
Witnesses
Castro, Mr. Daniel, Vice President, Information Technology & Innovation Foundation, Washington, DC
Schrader, Mr. Russell, Executive Director, National Cyber Security Alliance, Washington, DC
Toews, Mr. Ben, President, Bullet Tools, Hayden, ID
Abate, Ms. Gina Y., President and CEO, Edwards Performance Solutions, Elkridge, MD
Alphabetical Listing
Abate, Ms. Gina Y.
Testimony
Prepared statement
Responses to questions submitted by Senators Young, Heitkamp, Hirono, and Duckworth
Cardin, Hon. Benjamin
Opening statement
Castro, Mr. Daniel
Testimony
Prepared statement
Responses to questions submitted by Senators Young, Heitkamp, Hirono, and Duckworth
Risch, Hon. James E.
Opening statement
Rowe, C.E. ``Tee''
Prepared statement
Schrader, Mr. Russell
Testimony
Prepared statement
Responses to questions submitted by Senators Young, Heitkamp, Hirono, and Duckworth
Toews, Mr. Ben
Testimony
Prepared statement
Responses to questions submitted by Senators Heitkamp, Hirono, and Duckworth
PREPARING SMALL BUSINESSES FOR CYBERSECURITY SUCCESS
----------
WEDNESDAY, APRIL 25, 2018
United States Senate,
Committee on Small Business
and Entrepreneurship,
Washington, DC.
The Committee met, pursuant to notice, at 3:30 p.m., in
Room 428A, Russell Senate Office Building, Hon. James Risch,
Chairman of the Committee, presiding.
Present: Senators Risch, Rubio, Ernst, Inhofe, Young,
Rounds, Cardin, Cantwell, Heitkamp, Markey, and Booker.
OPENING STATEMENT OF HON. JAMES E. RISCH, CHAIRMAN, AND A U.S.
SENATOR FROM IDAHO
Chairman Risch. The Committee will come to order. Today we
are going to have a hearing entitled Preparing Small Businesses
for Cybersecurity Success. And I have a few remarks and then I
am going to turn it over to the Ranking Member for his remarks.
We will then hear from our distinguished panel. Thank you so
much, all of you, for joining us.
Thank you, everyone, for coming today. This is a hearing on
one of the most dire threats to small business and individuals
in our Nation, the increasing number of attacks by cyber
criminals. The same technology that enables small businesses to
do business online and compete in the global marketplace also
makes their sensitive information vulnerable to phishing
schemes and ransomware attacks. Small businesses are especially
vulnerable as about 71 percent of data breaches occur in
businesses with fewer than 100 employees. Regrettably, many of
these attacks are preventable and can be tied back to missteps
made by a business' employees.
News of cyber attacks makes headlines each day, and we know
that Russia, Iran, China, and North Korea are some of the
biggest cyber hackers in the world. We have confirmation that
Russia tried to interfere in our elections, and recent reports
have been made public that they are compromising the
information of individuals and small businesses in our country
and the UK.
In recent years, the Russians have completely shut down
Estonia's e-commerce, waged cyber war against Ukraine's energy
grid, and they are constantly seeking to destabilize other
countries. Additionally, North Korea has repeatedly attacked
public and private entities in attempts to steal cryptocurrency
to shore up their finances in the face of economic sanctions.
There are many bad actors out there and they grow in number
and capability every day. Perpetrators vary from individuals to
those directed by countries, putting small businesses in our
country at great risk.
This issue hits especially close to home in a rural State
like Idaho, where e-commerce is sometimes the only way to do
business. That is why I have worked on three different pieces
of bipartisan legislation to offer more tools to arm small
businesses against potentially devastating cyber threats. The
Main Street Cybersecurity Act will require the National
Institute of Standards and Technology to disseminate a small
business-friendly version of its renowned Cybersecurity
Framework. This will better position small businesses to
protect their assets, customers, and employees.
I have also introduced the Small Business Cyber Training
Act to train the counselors at regional Small Business
Development Centers throughout the country on educating
entrepreneurs on protective cyber habits when they are first
starting a new business, which will help them institute safe
practices before the problem arises.
And just yesterday I introduced the Small Business
Cybersecurity Enhancements Act to prepare the Small Business
Development Centers to receive information on cyber threats and
breaches from small businesses in the field when these
incidents happen.
Cyber attacks are too frequently the last nail in the
coffin for many small businesses, who are already facing an
uphill battle to get started, get funded, and keep up with new
regulations. I look forward to hearing from our witnesses today
about their experiences with cyber threats and about what we
can do to prevent these attacks.
I would like to welcome Mr. Daniel Castro, the Vice
President of Information Technology & Innovation Foundation,
and the Director of its Center for Data Innovation. Prior to
ITIF, Mr. Castro worked as a scientist for the Software
Engineering Institute and as an IT analyst for the Government
Accountability Office. We look forward to his testimony, as he
is named one of FedScoop's 25 Most Influential People Under 40
in Government and Tech.
I am also pleased to welcome Mr. Ben Toews from Hayden, a
small town located in north Idaho. After starting with Bullet
Tools, while still a student at Gonzaga University, Mr. Toews
eventually worked his way up to become President of the
company. He has helped Bullet Tools fend off a ransomware
attack and has contributed to the company's 300 percent growth
over the past five years. In addition to his full-time job, Mr.
Toews is a member of the Idaho SBDC Advisory Council, assisting
other small business owners and entrepreneurs. Mr. Toews, I
look forward to your testimony. And, as a side note, Mr.
Ranking Member, you would be interested to hear that when I sat
in that seat, as the Chairman from the then majority party, I
visited that business up there, and we were well entertained
and enjoyed ourselves.
We also welcome Russell Schrader, the Executive Director of
the National Cyber Security Alliance, and we welcome Ms. Gina
Abate, President and CEO of Edwards Performance Solutions. Both
of these will be further introduced by the Ranking Member
Cardin.
Thank you for being here today with us. And now I would
like to recognize Senator Cardin.
OPENING STATEMENT OF HON. BENJAMIN L. CARDIN, RANKING MEMBER,
AND A U.S. SENATOR FROM MARYLAND
Senator Cardin. Thank you, Mr. Chairman. There are days
that I am looking for some road trips, so maybe we will look at
visiting.
Chairman Risch. Have you ever been west of the Mississippi
River?
[Laughter.]
Senator Cardin. Yes, a few times. A few times. Have you
ever been on the Chesapeake Bay?
Chairman Risch. I have. Many times.
[Laughter.]
Senator Cardin. Good. We have a lot in common.
Chairman Risch. I drink water from there.
Senator Cardin. I am glad to hear it. The Chairman is a
good friend and I appreciate his leadership on this Committee,
and I particularly appreciate the fact that we are holding this
hearing on preparing small businesses for cybersecurity
success.
Cyber intrusions are a major problem, universal as well as
in the United States. The Chairman is aware of this through our
work on the Senate Foreign Relations Committee and his
involvement on the Intelligence Committee. We know how active
Russia is in cyber intrusions. North Korea, China, so many
other countries.
I authored a report in January that talked about Mr.
Putin's designs in regards to our democratic institutions, and
one of the tools he frequently uses is cyber intrusions, in
order to get as much information as he possibly can to
compromise our system of government.
So we know we have major challenges in America with cyber
intrusions. It is affecting our economy and it is affecting our
privacy. We know that with Equifax and Target intrusions. We
saw that with Facebook and the way that they handled personal
information management, leaving a lot to be desired.
We also know that small businesses are a prime target of
cyber attacks. There are 30 million small businesses that live
with the understanding that they are at risk. An SEC report
said that small businesses are the principal target for cyber
crime, and we also know that 58 percent of the data breach
victims were small businesses.
The challenge here is really why I am very pleased to have
this hearing. For a small company that may not have a big staff
for IT, does not have the margins to look at how to defend on
cyber, and, quite frankly, probably has limited knowledge and
understanding of the risks of cyber attacks, it is very
difficult to be prepared against very sophisticated operators
that are phishing for information, that could very well harm
that company.
So we know that we have a challenge as to how we can help
small businesses be prepared to deal with the realities of
cybersecurity today, and part of that solution has to be
education and knowledge and building capacity for small
businesses, and I know we are going to get into that discussion
today.
Mr. Chairman, I cannot let my opening statement go without
bragging about the role that Maryland is playing in regards to
cybersecurity. Maryland is home to the National Security
Agency, the U.S. Cyber Command, NIST Cybersecurity Center of
Excellence, Johns Hopkins University Applied Physics Lab,
University of Maryland--I could go on and on and on. I am proud
of the role that these institutions and the people who work
there are playing in our national security in dealing with
cybersecurity, and we have so many private companies that are
now located in our state.
We recognize that the small business community is the
driving force for our economy. That is where most jobs are
going to be created. That is where most innovation is going to
take place. So it is appropriate for us to figure out how we
can better defend the small business community from the threats
of cyber intrusion.
I welcome all four of our witnesses. The Chairman has given
introductions for Mr. Castro and Mr. Schrader. Let me join in
welcoming Ms. Gina Abate, the President and CEO of Edwards
Performance Solutions, a certified women-owned small business
in Elkridge, Maryland. Have you been to Elkridge, Maryland?
Chairman Risch. I do not believe I have. Do they have elk
in Maryland?
Senator Cardin. Elkridge, Maryland, is a wonderful place. I
pass it twice a day. I commute to Baltimore so I pass Elkridge
twice a day. You are more than happy to go with me one day and
we will stop by and visit.
Chairman Risch. I want to see the elk.
Senator Cardin. The company provides IT and cyber
counseling services to commercial and government customers. She
also chairs the Cybersecurity Association of Maryland.
And I am pleased that we also have Russell Schrader. He is
the Executive Director of the National Cyber Security Alliance,
the Nation's leading nonprofit public-private partnership that
promotes cybersecurity and privacy education. Previously, he
was Visa's first Chief Privacy Officer, where he oversaw
privacy and data security policy.
So, Mr. Chairman, I think we have four very distinguished
witnesses and I look forward to their testimony.
Senator Markey. Mr. Chairman, can I just interject to say
that I think that Senator Cardin's opening statement could
actually be used as a travelogue by the Maryland Chamber of
Commerce, and I just wanted to compliment him for getting in
just about every----
[Overlapping speakers.]
Chairman Risch. As long as we are going to go down that
road, I need to tell you a little bit about the Idaho National
Laboratory that is becoming one of the lead agencies in America
on cybersecurity. So I hope you will be able to visit the Idaho
National Lab, in Idaho Falls someday.
In any event, thank you so much for coming, and we will
just go right down the line, and any written testimony you will
submit we will include in the record. We would ask you to keep
the remarks at about five minutes, if you would, and we will go
right down the line, starting with you, Mr. Castro.
STATEMENT OF DANIEL CASTRO, VICE PRESIDENT, INFORMATION
TECHNOLOGY & INNOVATION FOUNDATION, WASHINGTON, DC
Mr. Castro. Chairman Risch, Ranking Member Cardin, members
of the Committee, I appreciate the opportunity to appear before
you today to discuss the opportunities to support small
businesses as they seek to improve their cybersecurity
practices.
As you know, small businesses face significant
cybersecurity threats. In 2015, 42 percent of small businesses
were victims of cyber attacks. In 2017, 58 percent of the
confirmed data breaches involved small businesses.
Most small businesses are concerned about cybersecurity but
they are not doing enough to protect themselves against these
threats. One recent survey found that a third of small
businesses are not taking any practical steps to protect against
cyber threats, and half of them do not have a cybersecurity
budget.
These risks present an existential threat to some small
businesses, as firms can go bankrupt from the cost of
responding to a cyber attack or from the lost revenue and
customers resulting from a business disruption caused by a
security incident. Moreover, these attacks are a drain on the
U.S. economy, costing between $57 and $109 billion in 2016.
Therefore, I would like to discuss three steps Congress can
take to improve cybersecurity practices.
First, one challenge that small businesses face is that
they do not know what types of cybersecurity products and
services they should be buying, or if they do know they cannot
afford them because the per-user costs are too high. So
companies that sell IT security products and services often use
variable pricing, based on the number of users, or they require
a minimum purchase amount. So these high per-user costs make
the solutions unattractive or unfeasible for many small
businesses.
So Congress should direct SBA to assist small businesses by
establishing a cybersecurity cooperative, to create a large
pool of willing buyers for various cybersecurity products and
services, including cyber risk insurance. Participation in the
cybersecurity co-op could be open to any small business, and
depending on the level of interest, could be organized around
particular regions or sectors.
The co-op could identify and evaluate cybersecurity
products and services for its members and negotiate better
rates for its users than they could get on their own. This
would be a win-win. It would help small businesses get more
value for their investments and also increase adoption of best-
in-class cybersecurity tools. It would also lower the cost for
those selling these products and services by reducing their
customer acquisition cost.
Second, many small businesses cannot hire qualified
cybersecurity professionals. Part of the problem, of course, is
that there is fierce competition for individuals with these
skills. In the United States, there are 40,000 cybersecurity
jobs that go unfilled each year, and small businesses which
often pay less than their larger counterparts have a hard time
competing for this talent.
In addition, it is often impractical for a small business
to hire a dedicated, full-time cybersecurity professional.
Instead, they assign these responsibilities to an employee who
works on these issues on a kind of part-time basis.
Unfortunately, virtually all of the cybersecurity certification
programs are tailored for people who do this as their full-time
job, so small business employees who only work on cybersecurity
issues as part of their job do not pursue these credentials and
they are often unqualified or under-qualified.
To address this problem, Congress should direct SBA to
develop a low-cost, vendor-neutral certification program for
small business employees who serve as their designated
cybersecurity expert. The curriculum for the certification
should be regularly reviewed, to ensure that it is accurate,
comprehensive, and up to date, and SBA could authorize the
professional certification organizations to actually provide
the certification to those who successfully master the
material. This certification would help small businesses assess
whether they have staff qualified to handle cybersecurity
issues, and ensure their investments in training are actually
worthwhile.
And finally, small businesses will not have anyone who is
properly trained--some of them will not--but these businesses
still need to be able to mitigate common threats. So Congress
should direct SBA to develop a free, online cybersecurity boot
camp to provide small businesses the concrete steps they need
to create a basic cybersecurity program to address the most
critical threats facing small businesses. Participants would
not be expected to come with any prior knowledge and they could
repeat the boot camp as often as necessary. SBA would then be
required to update the content regularly so that it contains
information on both known as well as emerging threats.
Right now, the SBA offers one 30-minute class, but it is of
poor quality. Some of the advice in the module is simply
impractical. It has things like do not click on links in email,
do not reply to unsolicited emails. This class also does not
cover recent cybersecurity threats like ransomware.
Other government agencies, of course, offer resources, but
many of their sites are not user friendly or they contain
broken links. Sometimes the content is undated or outdated,
most are redundant, and they overwhelm small businesses with
unnecessary information.
Moreover, most of the resources either describe basic
objectives, things like use stronger passwords, or they simply
describe cybersecurity issues and terms. I think the analogy
here is this would be like Ikea providing its customers one-
pagers explaining the importance of not overtightening screws
and pamphlets on the dangers of collapsing bookshelves, instead
of giving them the actual step-by-step instructions of how to
assemble furniture. Small businesses need this more practical
guidance.
We need more leadership on this issue, and so I commend you
for holding this hearing today. Thank you for the opportunity
to be here and I look forward to answering questions.
[The prepared statement of Mr. Castro follows:]
Chairman Risch. Mr. Castro, have you communicated these
same thoughts to the SBA?
Mr. Castro. No. Not out of this. We did do, actually----
Chairman Risch. We will.
Mr. Castro. Okay. Great.
Chairman Risch. Thank you. I appreciate your testimony.
Mr. Schrader, you are up next.
STATEMENT OF RUSSELL SCHRADER, EXECUTIVE DIRECTOR, NATIONAL
CYBER SECURITY ALLIANCE, WASHINGTON, DC
Mr. Schrader. Thank you very much, Senator Risch, Ranking
Member Cardin, distinguished Senators.
I appreciate the invitation. I know that this is an
important topic.
I am the Executive Director of the National Cyber Security
Alliance, founded in 2001. We are the leading neutral,
nonprofit, private-public partnership devoted to strengthening
America's cybersecurity through awareness and through
education. We believe that cybersecurity is an economic and a
security issue, as best addressed through collaboration between
public and private partnership with industry, government, and
consumers.
We bring together stakeholders to talk about cutting-edge
issues, to execute highly hands-on, effective, broad-based
education programs. Currently, one of our major partners is the
Department of Homeland Security and our Board of Directors,
which do represent leaders in technology, financial, insurance,
and hospitality industries.
We have core education programs, including the National
Cyber Security Awareness Month, which is October. It is co-
founded and led with DHS; Data Privacy Day; STOP. THINK.
CONNECT; and Lock Down Your Login, which is geared at
congressional members, administration members right now; and
the most recent addition to our portfolio, which is called
CyberSecure Your Business, and I think that is the one that
best aligns with what we are here to talk about today.
Today, as you pointed out, many businesses continue to
think that they are too small to be a target of a cyber attack.
These businesses lack the technical, the resources, the
financial, and the legal things that they need to do to protect
themselves. The NCSA's goal is to help entrepreneurs and small
businesses across the country improve their cybersecurity, and
we use targeted workshops that are aligned with the NIST
Cybersecurity Framework.
We have translated that NIST Framework into simple
language, and to create an introductory-level, in-person,
interactive, three-hour-long workshop that we host in various
cities around the country. It empowers non-technical businesses
to improve their cybersecurity, and we talk to people like the
local butcher, the barber, the local accountant, people who do
not necessarily have any cybersecurity backgrounds, and they
need to protect their highly valuable information and assets.
They have some of the country's key IP, like employee and
consumer data.
In addition, many of these small businesses are suppliers
to large companies. They are part of the vendor management
program. They are part of the supply chain of large businesses
as well.
So our workshops are simple, they are actionable, and they
have positive changes that small businesses can take to really
move the needle on their own cybersecurity, and to reduce their
own vulnerability to attack.
What we can do is we convene State attorneys general, SBA
representatives, the FBI InfraGard, local FTC offices, chambers
of commerce, Better Business Bureaus, and others to put on
these programs and get small businesses to fill the rooms.
Those small business attendees are armed with tangible
resources to better secure their physical and their online
assets, and they also have the awareness of the supports that
are available to them throughout the country.
Now this is, right now, sponsored solely by sponsors from
private industry, and these workshops are free to attend. I
think seeing the trusted brands aligned alongside government
agencies does send a clear message to businesses that the
public and private sectors need to be joined together for the
benefit.
We also supplement these in-person workshops with monthly
CyberSecure Your Business webinars, which are hosted on the
second Tuesday of every month between 2 and 3 p.m., Eastern
time.
Now the NCSA applauds the Federal agencies' roles in
providing small businesses with the resources and tools they
need to become cyber secure. In addition, we promote these
within the organizations with our own materials, and we
continue to support cross-agency and cross-public-private
collaborations such as the one we have, the DHS, in order to do
this. But we need more support dedicated to helping businesses
prepare, and I look forward to the opportunity to talk with the
community in ways that NCSA works with this Committee and other
stakeholders in order to improve this very useful program.
And I point out, Mr. Chairman, based on the earlier
conversation, that we had already scheduled one of these
trainings to take place in Boise in the next coming months. We
will talk about Elkridge at another time.
[The prepared statement of Mr. Schrader follows:]
Chairman Risch. Thank you so much.
Ben, you are up.
STATEMENT OF BEN TOEWS, PRESIDENT, BULLET TOOLS, HAYDEN, ID
Mr. Toews. Right. Chairman Risch, Ranking Member Cardin,
Senators, thank you for the opportunity to testify today. My
name is Ben Toews, President of Bullet Tools. My degree is in
international business, not information technology. Managing
the techy side of my business was a necessary evil. I created
our network, got everyone connected, and did the
troubleshooting and training. Once I found competent IT people
I handed over the reins and never looked back.
So what qualifies me to testify, now that you know I am not
a computer genius? In short, having my business hacked with
ransomware and surviving. Let us look at my company as a case
study. Before the cyber attack, I think most would say that we
were well protected. Our first line of defense was a hardware
firewall, our second line of defense was a domain controller
with centrally administrated usernames and passwords, and the
third line of defense was Microsoft Security Essentials. Our
fourth line of defense was informal training of users on good
internet and email practices, and our final line of defense was
an offsite backup of our financial and inventory data, on a
daily basis.
Immediately before the attack, we set up a new computer
without antivirus software. A new user with no password then
plugged it into our network. This made us vulnerable and the
hackers executed ransomware that encrypted every file that the
new user had access to. When we discovered the attack and saw
the ransom note we used our cell phones to find online
resources to help clean and restore our system. All of our
shared network files were encrypted but only one user was
compromised.
We restored the financial and inventory backups to the
network, and most of our company was back to normal in three to
four hours. We were lucky. Without the offsite backup, we would
have been virtually dead. We did lose some files, but none
crucial to our operations. We now have additional security
measures in place, along with daily offsite backups of all
folders.
So what lessons did we learn? I think that learning from
others' mistakes is a lot less painful than making them
yourself. That is why I am here to encourage you to help small
businesses learn from my experience.
There is an example that compares well to the situation. At
the beginning of the Second World War, the British were
concerned that the Luftwaffe would attack, millions of
Londoners would flee, and the country would be paralyzed.
Thankfully, that scenario did not play out.
JT MacCurdy, in The Structure of Morale, described the
effect of the blitz as splitting the population into three
groups. One, the people killed by the bomb. A harsh fact: dead
people do not spread panic. Two, the near misses. They feel the
blast, see the destruction, it may result in shock and a
preoccupation with the damage. Three, the remote misses. These
people hear the sirens and explosions. For them, the experience
is remote. The result? A feeling of invulnerability.
Small business falls into these three categories: those
that have been hacked and did not survive, those that have been
hacked and survived, and those that have not been hacked. The
first category is not going around advertising it, and wants to
forget it ever happened. The second category is likely more
prepared, and unless it happened quite recently, has set up a
very secure computer system, or gone back to flip phones and
faxes. The last category is the remote miss group. They have
heard about companies being hacked but nothing has hit close
enough to get their attention. This group, the majority, is
going to need the most help. Cyber criminals have realized that
small, easy targets can be very lucrative.
I do not believe that government programs are the best way
to solve issues like cyber crime but they are very useful in
creating an environment that encourages great solutions in the
private sector. This is accomplished by informing and empowering
small businesses, and the SBDC is an excellent organization to
accomplish this.
The Idaho SBDC helped my company write our initial business
plan, obtain funding, and weather the storms of growing a
business over about 18 years. I now sit on the Advisory Board
of the Idaho SBDC.
The SBDC has some good resources in place to help prevent
or mitigate the devastating effects of cyber attacks, including
vulnerability assessments and other tools. These resources need
to be actively leveraged and promoted to the small business
community. I believe this should be done through public
service-type announcements sent through various social media
platforms targeting small businesses. I think we are all aware
now that social media has the necessary info to do so.
Federal agencies also need to be encouraged to collaborate
with SBDCs and promote them as a resource. There are nearly
1,000 SBDC locations providing boots on the ground, coaches
across the country, who can educate those at risk, as well as
help equip the small businesses that provide cybersecurity
services and can provide a truly scalable solution.
When dealing with IT, small business owners are wary. It is
hard to know what the people you hire are doing, and if they
should be trusted. The solution is standardized, reputable
certifications for cybersecurity professionals.
I hope that my testimony will help make a difference in
combating cyber attacks, and it has been an honor speaking with
you today.
[The prepared statement of Mr. Toews follows:]
Chairman Risch. Thank you, Ben. I appreciate it. And now,
Ms.--am I pronouncing it right, ``Youbate''?
Ms. Abate. Abate.
Chairman Risch. Abate. My staff is really good about doing
phonetics. I am just not good at reading phonetics.
Ms. Abate. That is okay.
Chairman Risch. Welcome. We would like to hear your
testimony.
STATEMENT OF GINA Y. ABATE, PRESIDENT AND CEO, EDWARDS
PERFORMANCE SOLUTIONS, ELKRIDGE, MD
Ms. Abate. Okay. Well, thank you, Chairman Risch, Ranking
Member Cardin, and members of the Committee for the opportunity
to testify.
The high risk of financial damages is an unprecedented
challenge to small businesses, intensified by the fact that the
vast majority are unprepared to properly protect their assets.
Discussions with hundreds of small businesses by the Cyber
Security Association of Maryland members demonstrate a clear
pattern of inaction, with the most frequent explanations being,
``My business is small. I am not a target,'' ``Cybersecurity is
expensive and I cannot afford it,'' and ``I am not a regulated
business so I do not need to worry about it.''
Let us address these justifications. Attackers are
targeting small businesses with increasing frequency and
sophistication. If an attacker is able to compromise a business
system, they can access that to exploit business data, attack
business customers and suppliers, and may even shut down the
business. For an attacker, any foothold is a good foothold.
So what should a small business do to start their
cybersecurity program? Every business should invest the time to
understand the value of their assets, engage experts to
understand the vulnerability of their IT systems, and take
appropriate steps to manage their cyber risks. The more
valuable their assets and the weaker their ability to detect,
stop, and mitigate cyber damages, the greater the risk.
The absence of regulation should not be a driver for a
cybersecurity program. In fact, regulatory compliance should be
an outcome of a well-structured security program, not the
reason for it. Small businesses who adopt a framework, like the
NIST Cybersecurity Framework, are able to implement a
cybersecurity and risk program to address current regulations
and those that earn the future.
Cybersecurity is a continuous process, not a one-time
event, and best approached using proven methods. Small
businesses must implement a culture of safety, leveraging
employee situational training, and low-cost tactics, like
enforcing proper passwords, encrypting hard drives, and
limiting user ability to load undesirable software.
The concepts of the NIST Framework are straightforward,
but, in practice, organizations become overwhelmed with the
information. It is important to note that organizations do not
need to address all cybersecurity concerns at once. In most
cases, a prioritized approach is sufficient to ensure key
systems and/or business units are protected before addressing
secondary areas of concern.
Even with the best protection tools and procedures in
place, cybersecurity risk is not eliminated, so continuous
monitoring is required to quickly detect malicious,
undesirable, or abnormal activity. Once a breach is detected,
an immediate response is critical. Businesses must have an
exercised and maintained plan in place during ``peace time'' to
ensure business damage is minimized, with the necessary actions
and resources established to regain their client trust.
It is imperative the small business community understands
cybersecurity is critical to overall business success. It is
not just an IT problem. The challenge lies in convincing small
business of the urgency to do more in protecting their assets.
The compromise of one business can often impact suppliers and
customers. There is much more at stake than the failure of one
business at a time.
But how do we incentivize small businesses to start
preparing? In Maryland, the bipartisan Cybersecurity Incentive
Tax Credit Bill, Senate Bill 228, made Maryland the first State
to incentivize small businesses to purchase local cybersecurity
protections and investors to advance Maryland's cybersecurity
companies.
Those of us at CAMI are especially excited because
thousands of small Maryland businesses at risk of cybersecurity
damages can now get the help they need at a lower cost. I
believe it will be an indicator if this type of program
generates increased conversations between cyber solution
providers, both products and services, and motivates small
businesses to take action.
So thank you again for the opportunity to testify, and I
look forward to discussing this topic further.
[The prepared statement of Ms. Abate follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Risch. Thank you so much. We are going to do a
round of questions now, and I will start with myself.
Ben, do you have any objection to telling us a little bit
about the ransomware attack that you survived? I guess you
survived.
Mr. Toews. Yeah, I would be happy to share whatever I can.
Chairman Risch. Do it.
Mr. Toews. Just like what more information would you like?
Chairman Risch. Well, I do not think anyone here has any
information about it, so maybe you could give us a brief
description of what happened and how you got through it.
Mr. Toews. Yeah. So, I mean, we, on a Friday, we
essentially set up a new user, and after we set up that new
user, that did not have a password and was plugged into the
network, and then over the weekend, from what we can tell, they
got into our system. We had ports open, because we have a
voice-over-IP system, which is difficult to have it behind the
firewall. And so that opened up ports for them to get into our
system. We figured they probably used, I think it is called a
brute force hacker system, that allows you to get--figure out
who does not have a password, which users do not have a
password. And then once they were in our system, they just
encrypted all of the shared network files, including all of our
operations and inventory and financial information. And
fortunately, like I said, that was backed up.
Chairman Risch. And so what--was that the end of it? I
mean, did you wind up having to do some--I mean, obviously you
had to go in and change the system.
Mr. Toews. Yeah. We restored our system. On Monday morning,
we figured it out. We had the ransom note in there. We did not
pay any money. I think it was in bitcoin that they tried to get
us to pay. We did not pay any money to restore our files. We
just thought it was too risky. You know, what are the chances
that the criminals are going to actually give you the
information that they are promising you?
And so we restored what we could, that had been backed up
offsite, and once we restored that we were back up and running
pretty quickly, and we just, honestly, lost some labor hours
for specialized reports that were on our network. But all of
our customer information was stored offsite, so there was not
any sensitive information that was breached.
Chairman Risch. Sounds like you were pretty lucky getting
through it.
Mr. Toews. We were very lucky. Yes, I would say so.
Chairman Risch. Senator Cardin.
Senator Cardin. Well, I thank all of our witnesses. I want
to drill down a little bit on what the SBA can do to help. The
2017 National Defense Authorization Act included language that
this Committee had reported out, that required the SBA and the
Department of Homeland Security to collaborate on cyber
strategies for small businesses, using the Small Business
Development Centers.
Mr. Schrader, you have already talked about some of the
work with the Small Business Centers, or maybe Mr. Toews. One
of you had talked about the use of those centers.
The bill also required the two agencies to report back to
our two authorizing committees with a strategy on how they are
going to deal with cybersecurity. That report should have been
in by the end of 2017. It has not yet been received, and our
staffs are following up to do that.
My question is, what can you expect could be helpful from
the Small Business Administration, to help small businesses
deal with being better prepared on cybersecurity? I think, Mr.
Schrader, you talked a little bit about the private sector,
having their conferences. That is great. I do not know how many
small businesses actually take advantage of that. But there is
already contact between a lot of small businesses and the SBA.
Could they be more effective in getting greater knowledge to
the small businesses and how they need to go about in order to
understand their risk factors and take common sense ways of
protecting themselves?
Mr. Schrader. That is a terrific question, Senator, and,
absolutely, yes. There are so many small businesses out there,
small- to medium-sized businesses, as part of the supply chain,
as well as entrepreneurial standalone access that know public
partnership, or private entities such as NCSA can reach all of
them. We need to have a lot of different things, people working
in the same direction. There is so much more education that can
go out there. Whether it comes from the cybersecurity education
work that we are doing with Department of Homeland Security, we
would happily partner with the SBA to work on some of these
educational programs.
We have developed a really nice adaptation of the NIST
Framework that is geared to very hands-on education. Whether we
move that more online, whether we are able to access more of
the centers outside of Washington in order to do more of that
training, we absolutely see a wonderful partnership
opportunity.
Because there are certain simple, actionable steps that
will help never make one totally secure, but will make you much
more secure than you are. For example, as you talked about in
the ransomware, there was no password. You had just plugged it
in on a Friday. The simple things, like put in a password, keep
your patches up to date, make your passwords actually pass-
phrases, look at two-factor authentication. Very simple steps
that people just need to have put out to them in an easy way
that they can remember, that it is not an IT part of business,
it is a day-to-day, ongoing part of the business.
Senator Cardin. Mr. Castro, you mentioned some common-sense
ways, including the co-op. I think the co-op is an excellent
suggestion. You are sort of at the mercy of the private sector
on products to buy and the price factors can be astronomical
for individual small business owners. So the services of a co-
op seem to make a lot of sense, in first directing you to the
right type of product, and secondly, getting you a competitive
price. I like that.
Ms. Abate, you mentioned the fact that the Maryland
legislature passed a bill that allows for credits against State
income taxes in regards to locally produced cybersecurity
software. It will be interesting to see how that works, because
we could look at that at the national level, but I think it
might be interesting to see what happens first in Maryland.
These are, it seems like, common-sense approaches that
could be taken. What do you need from us in order to advance
some of these proposals?
Mr. Castro. I think certainly SBA needs to be pointed in
the right direction on some of this. They are not necessarily
actively pursuing a lot of these initiatives. You know, one of
the challenges, I think, is there is a lot of information that
is out there on the training side, and on the education side.
There is not really concentrated around what is the full
curriculum, how are you either specifically educating the
workers in small businesses so they know what they need to do,
or how are you giving them that step-by-step guidance of
walking someone through who is never going to get the training
but you can show them, once, how to do the thing they need to
do at that moment. And both of those are needed, and right now
SBA just is not doing it.
Senator Cardin. I just hope you would follow up on what is
happening in Maryland. I find that fascinating, whether other
states follow suit and what the experience is in our State.
Ms. Abate. Yeah, I think so too, and I think part of the
issue, when you look at small businesses, we have much more
limited funds, correct, than a large. So what are we focused
on? We are focused on how do we deliver a quality service, a
quality product? How do we remain profitable? And, you know,
cyber really, for a lot of these companies, has not risen to
that business success, and anything we can do, through SBA or
others, to help to raise it to that level--like I said, it is
not just an IT problem. You can lose your business. Everything
you do, all day, to be profitable and have a fabulous product
is put at risk if you ignore this piece of the pie. I mean, it
truly can. And I think it is just critical to raise awareness
on what they need to be focused on.
Chairman Risch. Thank you.
Senator Inhofe.
Senator Inhofe. Thank you very much, Mr. Chairman.
[Off microphone.]
I find it interesting that we have--there might be some
relationship between--I think we probably have more small
businesses, and some of the rural states do, than some of the
larger states. I have one example in Norman, Oklahoma. We have
a company called Astronomics. There is no reason that you guys
should have ever heard of it, but it is a small business, and
they specialize in designing certain kinds of telescope.
Anyway, they were successful when they saw justice when a
California man was convicted in a Federal court of directing a
distributed denial of service cyber attack on Astronomics. Now,
they were successful. It worked. Now, Mr. Castro, what can we
do to have more successes like this? What needs to be changed
that might be something that you would like to see us do?
Mr. Castro. Yeah. I think one of the most important things
is really around that certification side, so that workers--so
that small businesses can hire workers who have some skills,
because I think so often, you know, the small business just has
no real capacity to do anything, and they have no capacity to
measure the skills. And there are so many classes that are out
there right now, but there is no verification that, you know,
you have taken the class and you have actually absorbed the
knowledge. I mean, I have taken a class on juggling. I cannot
juggle. And that is kind of what exists right now in the cyber
certification space.
Senator Inhofe. Mr. Schrader, I chaired the Environment and
Public Works Committee for 12 years, and during the time of the
Obama administration, and I am sure some of this Committee
would disagree with this characterization. But we did just a
lot of overregulation in every area, and we were successful,
and this President came along and doing away with some of these
regulations. As a matter of fact, there are two ways of doing
away with the regulation. One is with Executive order and the
other with a CRA, and our count is up to 70 now.
Now, I think that is one reason that our economy has really
been booming, the overregulation, of course. I think the tax
bill helped too. What types of regulatory problems do you have,
because that is an area where we might be--or do you have any
regulatory problems?
Mr. Schrader. At the NCSA we do not have regulatory
problems. In fact, the NIST Framework which has been put out,
and is continuing to be updated, has been very helpful in that
it is voluntary and that it is scalable, and that it is
something that puts out the kind of common-sense ways that the
private enterprises have been able to come through and to make
useful to small businesses.
In our particular case, because we have a very active Board
of Directors, who is very interested in pushing out this
education, we have been able to move it into small businesses,
and anything that would encourage further contributions, and
other further ways that we can roll out this education through
private means, is something that we very much like.
For example, Senator, I actually had a very nice
conversation with Devin Barrett and Dan Hillenbrand in your
office about different ways that we would be able to work with
the Administration and with yours on some of the very simple
tools to be used, both within staffs here and staffs at Small
Business, because each office really is, almost, a small
business, and you have to take a look at everything that you
are doing in order to make cybersecurity part of your everyday
way of doing business.
The crooks are not sleeping. The people who are coming in
and trying to steal our IP are not sleeping. They are
constantly going after something. You cannot have something
that says ``I have checked that list off. Now I am done,''
because there are always people looking. It is an ongoing
process that we always need to be watchful for.
Senator Inhofe. Okay. I was here for your opening
statement. Ms. Abate--is that----
Ms. Abate. That is it.
Senator Inhofe [continuing]. And you commented that there
is something in Maryland that was, I guess, a State agency or
something, that has given help, and I did not know what you
were talking about.
Ms. Abate. The Cyber Security Association of Maryland, it
is called CAMI, is a nonprofit, and it supports our Maryland
cybersecurity companies by helping connect them with buyers of
products and services, and then we also work to make sure we
have the necessary workforce to be able to perform that work.
Senator Inhofe. Okay. That is interesting. I would like to
get to know more about that. Thank you, Mr. Chairman.
Senator Rubio [presiding]. Thank you.
Senator Heitkamp.
Senator Heitkamp. Thank you, Mr. Chairman. This is
cybersecurity day for me. I spent the morning with Assistant
Secretary Jeanette Manfra over at the Department of Homeland
Security, and we just came away from a hearing for Christopher
Krebs to become the Under Secretary. So we are trying to gear
up over at DHS.
One concern that I have, probably for all of you, is that--
let me give you an example. We have a Center of Excellence in
the Centers for Disease Control. They look and research various
diseases. That information is utilized by all kinds of
agencies, you know, whether it is the Bureau of Prisons,
whether it is the Department of Human Services.
One of the things that I am very concerned about is the
disparate kind of jurisdiction over cyber within the
government, and I believe that Mr. Krebs has a responsibility
to create a center of excellence, that then can be integrated
in other agencies. But this is the best way to engage the
private sector.
I also talk a lot about, you know, everybody wants a magic
bullet that will harden the system and protect, and we are all
looking for that software, all looking for that hardware,
potentially, that is going to harden the system. Guess what?
You know, that does not exist. It is not likely to exist. And
what we really need is we need good cyber hygiene, and that is
really what you all are talking about in small businesses is
good cyber hygiene. What does that look like and where is the
checklist?
There are two ways we can do that. We can have the
Department of Homeland Security or whatever agency we designate
to create a center of excellence for cybersecurity that people
can look at best practices. I am not saying you have to use
them, but create the best practices, the best tools for
educating users. You know, you are only as secure as your least
secure user, in terms of a back door, ask Target about that,
right?
And so what do we do to create greater awareness among not
just small business users but your constituents, your
customers, to create better security, better cyber hygiene?
And, Mr. Toews, I can assure you, coming from the University of
North Dakota, I know how to pronounce your last name. And for
those of you, that is a hockey joke. Wonderful, wonderful
alumni of our hockey program and we are proud to--even though
he is from Manitoba, and I can talk like I am from Manitoba if
that will help.
Anyway--eh. I should not say ``ya.'' I should say ``eh.''
But help me out here on what tools you think your small
businesses, or your organizations would need to better educate
your users, your customers, on how to protect themselves.
I will start with you, Mr. Castro.
Mr. Castro. Yeah. I mean, one of the biggest challenges
right now is, you know, just so much information that is on
these different websites. And so I think one of the
opportunities that this Committee has is to really talk to SBA
about how it is going to consolidate the information.
When I was, you know, preparing for this hearing, one of
the things I tried to do was put myself in the position of if I
was a small business owner today, trying to look for this
information right now, I had an attack and I was trying to
respond. Could I find anything? And what I was finding was
that, again, first of all, the information just is really badly
organized. It is not put in a user-friendly format. But also
there is just so much information. So much of it is outdated.
You know, it is not serving the customer.
Senator Heitkamp. And it is cumbersome.
Mr. Castro. Exactly. And so, you know, really forcing SBA
to confront this issue and how they are going to work with the
different agencies. Clearly SBA is not going to be the center
of excellence for cybersecurity, but they are the ones that are
communicating it to the small businesses.
Senator Heitkamp. Right. But I think, in some ways, they do
not know.
Mr. Schrader.
Mr. Schrader. Yes. Well, first, thank you, Senator, for
mentioning Assistant Secretary Manfra. She was kind enough to
come to RSA----
Senator Heitkamp. She told me that.
Mr. Schrader [continuing]. Last week, and on Thursday we
had a panel together at eight in the morning, about increasing
the diversity in the cybersecurity workforce, because it is
very difficult to build up, you know, a very good, diverse
workforce that is ready to jump in to fill the need that we
have now. And then she was kind enough to come to a lunch with
the directors and some others, and she gave about two hours of
her time talking about what DHS is doing, and talking about the
strong public-private partnership that we have.
Senator Heitkamp. Do you agree, Mr. Schrader, that creating
a center of excellence within the Department of Homeland
Security, then that information being disseminated in places
like SBA, could be enormously helpful?
Mr. Schrader. I think that everything that we can do is
helpful. As you pointed out, there is no silver bullet. There
is no hardened defense. It has to be layers of defense. It has
to be constantly looking at different needs.
I started here talking about cybersecurity, my business,
but as Assistant Secretary Manfra and I have talked about, we
are also doing Lock Down Your Login, which is geared
specifically to staff members here in Congress. Right now we
have some posters which we will happily give out to you. But
the idea is six easy tips that will help everyone here, because
you are a very attractive target, for emails, your social
accounts, and the rest.
Senator Heitkamp. Not just us but every person in the
United States wants to know how to fix this problem. And I am
sorry, Mr. Toews and Ms. Abate, I have run out of time. But
this is an issue that we are going to continue to have
discussions on. But I really think it is important that we see
all this jurisdictional, you know, what is DoD doing, what is
DHS doing, what is SBA. Because everybody is coming at it with
a sense of panic, when we need to sit down and have a systemic
kind of--like I said, the center of excellence that then can
disseminate information and get it to the local community
organizations that can do seminars with, you know, at AARP, or
in high schools, saying this is what you need to do to not be--
to lock the door.
Thank you, Mr. Chairman, for the extra time.
Chairman Risch [presiding]. Thank you. Senator Rubio.
Senator Rubio. Thank you, and the thing that concerns me--
well, let me share a story with you about a company, a small
company in Florida. They got hacked. Somebody got--criminals
got into their system, basically stole all of their client data
and information, took it all, and then basically contacted them
and said, ``We know how much you can afford to pay. We have
your financial information. You need to pay us. You need to pay
us in bitcoin if you want all this back, or you will not be
able to operate.''
And they went to the FBI, according to them--I have not
talked to the FBI about this case--and the FBI basically told
them, ``You should pay them because you are not going to get
your data back if you do not.'' And so they did. They went out
and bought, I think it was a quarter of a million dollars of
bitcoin and paid them, and they got their information back, and
were able to continue to operate. So they had their financials,
they knew what they had in the bank and what they could afford
to pay, and they based their demands on it. We will never know
who stole their money, but it is gone, and it was damaging to
that company, as you can well imagine.
Now if that had been someone--if we had a rash of people
breaking into companies and stealing cash out of safes, you
know, we would be all talking about it. In this particular
case, they probably did not even want to publicize it, which is
why I do not say who the business is, because their clients are
probably concerned about it. We do not have a lot to do to help
them, and their bigger challenges in the future--they have
gotten a little better at what they are doing but they cannot
afford to have the sort of IT division to protect them again in
the future.
And is the story I have just outlined, do you think, number
one, just from the experience you have all had, is this
happening more than we know? In essence, are businesses
experiencing this but basically not filing a quote-unquote
``police report'' the way they would a normal theft because (a)
there is nothing law enforcement can do to help them, and
(b) it is not the kind of thing they want people to know about?
Do you think this is--do you think it is common and under-
reported?
Ms. Abate. I do. I think more and more small businesses do
not want to talk about it because it does damage their
reputation and it can have a really adverse effect. But, you
know, the other thing is reaching out to the right law
enforcement and what you need to do and having processes.
This morning I was at a session. The Secret Service was
there. Unbeknownst to me, they can assist and help, and we were
talking about that earlier.
So I think it is really important for companies to
understand, when you do experience a breach, who can I reach
out to and what are the best next steps? Because if they do not
have a plan in place, you are in panic mode, right? I mean,
your business is at risk. You have lost your data if you do not
have substantial backup.
So it is something, I think, that is a problem and needs to
be addressed.
Mr. Toews. I echo that. I think it is very under-reported.
We never contacted law enforcement at all in our situation. Of
course, we recovered most of the information. But we are unique
in the sense that we did not have--all of our customer
databases were offsite, so I am comfortable talking with you
about it.
But I think you are right. I think people are embarrassed
and they are concerned it will have a negative impact on their
business, and so they just do not talk about it. So it is an
under-reported issue, but it has got to be impacting our
economy. I know it is.
Senator Rubio. And the follow-up, the other thing that is
devastating about it is if that business happens to do work for
governments, or health care, some of the information that is
being stolen is proprietary health care records, billing
records, the like, and in the case of government, contracts,
whether it is DoD or the space industry that is trying to
expand to bring in more small businesses and suppliers, the
inability to meet certain criteria for cybersecurity, because
of the governmental--forget about classified. Just the
governmental component of it could potentially begin to
disqualify smaller companies because they cannot afford to
build up the cyber capability necessary to be able to service
the client.
And so is that also something that people are running into
in the small business world, where the cost of building up the
sort of IT security they need is too high and, therefore,
prohibits them from certain types of work that might now, or in
the future, have certain minimum IT strength requirements that
they cannot afford to purchase?
Mr. Castro. I will comment first. I mean, it is a
challenge, I think, right now for any small business to comply
with all the different Federal security regulations at the same
level the agencies are expected to require, and I think
agencies are struggling at the same--with the same issue. I
think it is feasible to put together a cybersecurity plan. The
problem is most small businesses do not have the capability.
Senator Rubio. They cannot afford it.
Mr. Castro. They cannot afford it and they do not have the,
I think, even skill set to start putting it together.
Ms. Abate. You know, I would just mention that we have
actually had customers, when we have worked with them on an
assessment, and looked at what needed to be done, have decided
not to do work with the DoD because of the expense in complying
with the 800-171. It is just not something they can justify
when they weigh it.
Senator Rubio. And I guess this is just a statement, and I
think you guys would agree with this. If we are serious about
expanding more government contracting work to small businesses,
because we want to have a broader base of suppliers, then part
of that program needs to be assisting companies with the
costs--small companies with the costs of, and the capability of
being able to meet the criteria that we require of them. In
earnest, trying to attract more suppliers and small business
providers to do work in the space industry or for defense, the
only way that is going to happen is if we help them to meet
some of these criteria that on their own they cannot afford.
Mr. Schrader. Right. Some of the larger companies are, in
fact, realizing that that is a problem because they realize
that they have problems in the supply chain and in their vendor
management, and they are looking at public and private ways to
do it. For example, Federal Express came to us and made a
contribution to us in order to do the cybersecurity business
program. And they asked to have one of their trainings done in
Memphis, where they have a lot of small business contractors,
and also asked to do one in Charlotte, where they also have a
significant presence.
So they were very proactive. They were very good corporate
citizens in realizing that they were getting a two-fer. One is
they were helping small businesses be safer themselves and be
able to compete with larger ones, but at the same time they
were protecting their own business model because they would be
able to do business with a supply chain with a better degree of
assurance that they were dealing with people who took
cybersecurity as seriously as they did.
Chairman Risch. I am shocked to hear that the private
sector is ahead of the Federal Government on some of this, as
we all are.
Thank you, Senator Rubio.
Senator Markey.
Senator Markey. Thank you so much. You know, this is a
problem that is not small, because we see big companies
constantly being hacked. And when I ask Joe Tucci, who is the
CEO of EMC--they own RSA, which is kind of a standard for the
entire industry, RSA--I say, ``Why are all these companies
getting hacked, the big companies?'' and they say, ``Well, they
do not want to buy our state-of-the-art security.'' It is a
never-ending, always escalating technology versus technology,
spy versus spy. Like Mad magazine, it just never ends. You just
have to keep investing if you want to be protected.
So if big companies do not like to do it, and then they get
hacked, how hard is it for small companies, and, really, that
is why this hearing is important today, because it is not--IoT
is the Internet of Things but it is also IoT, Internet of
Threats, because everything is going to be a threat, going down
the line, because everything is going to be ultimately
digitized. And we could have as many as 50 billion IoT devices,
in our pockets, our homes, our businesses, by 2020, 50 billion
of these devices in the United States.
And so there is just going to be a vast proliferation of
the ability to hack in. And we have, as you know, up in
Massachusetts, my little travelogue, we have scores of
cybersecurity companies now. You know, RSA is kind of a famous
one but we have scores of these companies. We buy Israel's
companies. Israel buys our cyber companies, because it is, for
better or worse, an incredibly huge growth industry, and it is
because our prosperity, our privacy, our Nation's security is
all dependent upon us moving more surely into this area.
And it certainly threatens small businesses in our
country, which is why I introduced the Cyber Shield Act. And so
just listen to what the bill would do if it became the law. It
would establish an advisory committee of cybersecurity experts
from academia, industry, consumer advocacy communities, and the
public to create cybersecurity benchmarks for IoT devices. And
it can be baby monitors, cameras, cell phones, laptops,
tablets, anything that you are using in any of your businesses.
And the IoT manufacturers can then voluntarily certify that
their product meets those industry-leading cybersecurity and
data security benchmarks and display that certification to the
public. So that would then reward the companies that are making
the technologies that you want to be sure are not going to get
hacked in your small business, that are going to give you the
protections which you want. But in the same way when you buy a
car, you can see the safety sticker. Is it one through five
stars? You can look at lighting, one through five stars. You
can look at it in so many other aspects of our lives.
Well, cybersecurity, increasingly, is going to have to be
in that case because you have to purchase the equipment, the
devices that are going to make you prosperous as small
businesses. So it would reward the manufacturers by adhering to
the best data security practices while also ensuring that small
businesses can make more informed choices.
So my question for the panel is, do you think that creating
cybersecurity certification regime, such as the Cyber Shield
Act does for IoT devices, is helpful for small businesses when
they are making purchasing decisions?
Mr. Castro. I think it is a really important move to try
and get the market to work better, because I think what your
bill will do is it creates that transparency in the market
which is sorely lacking right now. I think it is a great move.
I think you might be able to do it with a little bit less of a
certification regime if you maybe just required IoT vendors to
disclose their security practice without assessing it. Let a
third party assess it. But whether it is this advisory
committee that assesses it or a third party, I think it is
exactly what we need to get that kind of market transparency to
work.
Senator Markey. And can you talk about that flying blind
quality to the marketplace, you know, if you are a small
business or anyone else?
Mr. Castro. Yeah. I mean, the biggest problem for a small
business is they do not know who the best of the best is,
right? Sometimes they go based on a brand name that they have
heard, but often, you know, I used to work, you know, directly
with small businesses and you go in and they were using some
product they had never heard of, because, you know, their, you
know, cousin recommended it, and that cousin did not know
anything about security. Or, you know, they had a popup on a
website tell them, you know, they had an antivirus and they
better click here and download it, and they thought they were
improving security and they were not.
Senator Markey. Right. So that is a problem, right? I mean,
if a big company cannot figure it out, or they are just too
cheap and they do not want to spend every couple of years, the
updated, you know, software money, then they get hacked and
everyone says ``what happened?'' and then, you know, my biggest
company says they did not want to pay us, you know, for the
security. It is tougher for you. It is harder for you to have
the money, you know, to be doing that on an ongoing basis, but
at least the transparency of which one of these technologies
has been given a one- through five-star rating, at least you
have got some idea as to what the level of security which you
have purchased for any one of these devices might be.
So is it Mr. Toews--is that how you say it? Why is it
``Taves''? It is T-o-e-w-s. What country is that?
Chairman Risch. You missed Heidi Heitkamp this morning.
Senator Markey. Oh, did I? Oh, my God.
Chairman Risch. Very interesting.
Senator Markey. Yeah. But what country?
Mr. Toews. Germany.
Senator Markey. Germany.
Mr. Toews. So the W makes a V sound----
Senator Markey. Yeah.
Mr. Toews [continuing]. And O and E is trying to imitate----
Senator Markey. Got it.
Mr. Toews [continuing]. A vowel we do not have.
Senator Markey. So, see, great minds think alike. Like
Heidi, I do not want to know the answer.
So we are actually at the beginning of the ransomware
epidemic, where cyber criminals infect their victims' computer
networks with malware, denying users access to their files
until a ransom is paid. And that ransomware attack could
prevent a hospital from accessing its patients' medical
records, a business from accessing their financial records, a
police department from accessing files from ongoing
investigations. And attackers have even taken aim at
municipalities, like the town of Medfield, Massachusetts, which
was forced to pay a $300 ransom to hackers who attacked their
municipal network. And that cyber threat to anyone who connects
to the internet is clear, and we need to take decisive action
to deal with that.
So, Mr. Toews, can you talk about what kind of protections
you would like to see in order to be protected against
ransomware extortion?
Mr. Toews. Certainly. I would be happy to. And it is a very
uncomfortable situation when you find all of your files
encrypted and there is a ransom note. It is not something that
you expect to happen. But I honestly think that one of the
first steps we need to take is to educate small businesses more
that it is a problem. I do not believe that most of them
understand the gravity of the problem. They all feel like this
could not happen to me.
So somehow educating them, getting, like I said, a public
service announcement, some way of getting the word out, maybe
let them know how many companies have been hacked, maybe
letting them know how many of those that we know got hacked,
how many it ended in the business going out of business. That
kind of information going to the small businesses, I think,
would be key. And then certifying--having standardized
certifications that show who reputable cybersecurity
professionals are, I think would be a huge step. Maybe there
are already some out there. It needs to be educated--we need to
be educated on that as well.
Senator Markey. Yeah. We have a company up in Massachusetts
called Carbonite. Carbonite had almost no employees eight years
ago and now it has 1,200 employees. So they have already dealt
with ransomware for 10,000 companies in America. In other
words, if you have one call to make, and it just happened 20
minutes ago, and you do not call Carbonite, you are probably
making a mistake. Okay?
That is my travelogue here, because they can fix it maybe
within an hour, if you make the call on the right day,
immediately, right? Because this is just an epidemic across the
country, and you do not want to have to pay that ransom. You
want to have to be able to figure this thing out immediately
where it is in its earliest stages.
So that is also another problem for smaller companies. You
know, it is now going to become increasingly an additional
expenditure which has to be made, you know, in order to deal
with this as it just proliferates, because there is,
ultimately--you know, there is a Dickensian quality to the
internet. It is the best of wires and the worst of wires
simultaneously. It can enable, it can ennoble, it can degrade,
it can debase. And this sinister side of cyber space is
increasingly, in industry, a bad--the bad guys, right?
So that is why we are here, and we are looking forward to
any recommendations you can give to us. But I do think,
ultimately, we need some national standards that we just start
to establish, at least information, transparency, so that the
information is in the hands of the small businesses, so they
are making informed consumer choices for their small
businesses, to protect their company against ransomware or
against any other attacks.
So thank you for your testimony. I thank you, Mr. Chairman.
This is a very, very important hearing.
Chairman Risch. Thank you. Senator Markey, your idea about
the standards in your legislation, does it contemplate an
entity like UL, Underwriters Laboratories, that would somehow
put their seal on----
Senator Markey. Ah.
Chairman Risch. UL was successful for generations, of
course. And I would ask the panel, would--does a cyber product
lend itself to that kind of a certification like they would
have for UL, when it comes to security, or is that something
you need to think about?
Mr. Castro. Some products I think it does make sense,
especially when you are talking about devices. Others, you
know, when it is more service-based, you know, you might look
at other types of certifications like TRUSTe and others that
have existed. So I do not think it is always a straightforward
answer.
The biggest difference is that with UL there was a
straightforward testing. With cybersecurity, the testing that
you can do to identify flaws is much harder. It is a bigger
open space.
Chairman Risch. We had a witness in--I do not think this is
classified--it was in the Intel Committee, and we were having a
cybersecurity hearing. And this person, who was an expert on
cyber stuff said, ``We are in cyber where the Wright Brothers
were on their second airplane,'' saying that, you know, the
biggest problem is we do not know what we do not know. And I
suspect maybe we are going to be crossing those bridges.
Senator Markey. But there are--if I may, Mr.--there are
companies like Carbonite. There are, really, RSA, which is a
subdivision now of Dell, which has purchased EMC, which now has
RSA in it. If you go to the state-of-the-art company, they are
fierce competitors against the Russians, or against any other,
you know, criminal----
Chairman Risch. The problem----
Senator Markey [continuing]. But you have to pay for it in
order to get it done, and they can actually attract the most
talented people in the government to go and work for them,
because they can pay so much more.
Chairman Risch. The problem is, is the average buyer,
consumer, does not know that stuff. I know some pretty
sophisticated people that have gone out and bought Kaspersky
Laboratory products. Anybody ever heard of them?
Senator Markey. Yeah. Can I say this? Woburn,
Massachusetts, yeah. I am just being a Ben Cardin.
Chairman Risch. Thank you very much.
Senator Markey. Yeah. But that is not, maybe, the best
example for us to be advertising.
Senator Cardin. I think this is very important, your bill.
There is some work being done at NIST in regards to this field,
but I do not think we have what you are trying to do, Senator
Markey. But it is something we need to be able to get better
conformity.
And what you have indicated, about not reporting this, is
common. Rarely is this reported, which points out another
problem, because if we are trying to counter this and we do not
get that information to some law enforcement investigative
authority, then it makes it even more challenging for us to
root out those that should be held criminally accountable for
the type of activities that they are doing.
So I think you are pointing out some real significant
issues, and all of you have come up with proposals, which we
thank. I mean, that is what I like from hearings, specific
proposals. So I think you have given us a lot of really good
ideas.
Senator Markey. And if I may, I think your UL idea is a
good idea. It is a good way of thinking about it.
Chairman Risch. It is a good way of thinking about it. I do
not know if it works or not.
Senator Cantwell.
Senator Markey. Yeah, but can I just say to Mr. Castro----
Chairman Risch. Senator Markey has been taking up all your
time.
Senator Markey. I have been filibustering so you had time
to get here, okay? That has been my responsibility.
I just want to say to you, Mr. Castro, given what happened
in Cuba last week and how responsible we will be to you, you
are the most powerful Castro in the world now, so let us know
what you think.
Chairman Risch. Moving right along, Senator Cantwell.
Senator Cantwell. Well, thank you, Mr. Chairman, and thank
you for having this hearing. It is such an important hearing
because we want our small businesses to be able to keep pace
with the level of advancements, and certainly with the level of
attacks on our infrastructure as it relates to cyber attacks,
we want our small businesses to have every opportunity.
I know my colleague was here earlier talking about cyber
hygiene, and one thing we have been able to do in the Pacific
Northwest is working with our industry sectors, actually and
our Guard and Reserve has come up with that cyber hygiene list
of things that we expect all businesses to do.
What would it take for--what do you think we should be
specifically focusing on that would help small businesses
participate in those kinds of discussions and to better reveal
information about what kinds of attacks you might have already
been experiencing, given that nobody really wants to come
forward and say that, because of vulnerabilities to your
business?
Chairman Risch. Well, who is the hero here?
Mr. Castro. I will start it. I think, you know, a lot of
small businesses do not have a lot of time to spend on this
issue, so, you know, you always have to, when we are talking
about how can we help them, is giving them very concrete,
actionable steps.
The New York Times did something great recently, where they
had a seven-day financial health program. Every day you signed
up for it you got an email that said, you know, spend an hour
and do these specific things. You know, look at your credit
card statements. Use this tool to figure out what you are
overpaying for. That is the kind of direct, hands-on feedback
we need to give small businesses.
The average small business is not going to be able to do--
you know, they are not going to be able to sit down and think
about the cybersecurity threats and, you know, take a tip
about, you know, secure your passwords, and think through all
the ways that could apply. They need very concrete direction
that says, you know, log into your Wi-Fi router and make sure
you have been labeled WPA security. That kind of specific
feedback. And I think, you know, we can do that, but that is
not what we have been doing so far.
Senator Cantwell. Okay.
Mr. Schrader. The other part is it has to be ongoing,
right, because with UL you have a UL sticker on your lamp. You
plug the lamp in and you know that the lamp is going to be safe
when you plug it in. But in the case of small businesses, they
are constantly adding, they are upgrading, there are patches to
be fixed, there are new ways that they are bringing in new
software, new hardware, which is the issue that you had, Ben.
And so basically you have to have a recency effect as well
as an education effect. It has to be something that they
constantly think of as they go through their day-to-day
business, keeping their software up to date, changing their
passwords when they change their--you know, their employees,
being a little bit socially aware of the kind of social
engineering that happens to big and small firms, in order to
get people to, you know, to download things or to reveal
passwords.
So it is an ongoing education process. It is not like we
will ever be able to say, ``We have hit the bottom of the list.
Thank you very much. That is solved. Let us move on.'' And we
do not want that to be, because we want to encourage more
entrepreneurship. We want to encourage them to be able to
compete into the supply chain and to grow into bigger
companies.
Senator Cantwell. It is amazing that Equifax was just--
there was an available patch, you know, an Apache patch that
somebody just did not download. Like somebody made a really big
mistake by not implementing that solution. So I hear your point
about constant information.
That is why--I do not know if it is because we had so many
people in our Guard and Reserve that were in the software
industry or just that we have a big footprint there, but this
effort on a cyber hygiene list, I just feel--I mean, look. I
mean, now the threat is not necessarily somebody sticking a sub
in U.S. waters or basically flying a plane into U.S. airspace.
It is state-owned actors hacking systems.
So I actually think the Guard and Reserve could play this
ongoing dialogue for us about what are the 10 things people
should be on the lookout for? What are the 10 cyber hygiene
things that could be deployed? But anyway, they are doing that
in our State, and it is a good partnership with industry.
Mr. Schrader. That is interesting, because a partnership
that the National Cyber Security Alliance has with DHS, in
October we sponsor Cyber Security Awareness Month, where it is
a constant drum on different aspects of how we will go and get
the word out on different things, and we will do follow-ups in
different areas, Data Privacy Day, and then some other.
We are doing, right now, something called Spring Clean Your
Machine. Just as, you know, my grandma used to push around the
sofas and pull down the curtains and open up all the windows
and spring-clean the whole place. Do that with your machine.
Delete the apps that you do not use. Upgrade your pass phrases.
Figure out who is looking at your location data. The little
simple things and reminders that are helpful along the way.
Senator Cantwell. Great. Thank you, Mr. Chairman.
Chairman Risch. Okay. Thank you very much. Ben, have you
got anything more for the good of the order?
Senator Cardin. Just to thank our witnesses and to point
out the challenges we have. You could do everything right and
you still can get attacked. Supply chain issues, so many
different things going on. So we have to have a greater
understanding and knowledge in the small business community so
they can take reasonable steps, and we need to figure out best
strategy.
Chairman Risch. Thank you very much. Thank you all for
spending your time with us. I think this has been one of the
more productive hearings I have been in, in quite a while. It
has given us a lot to think about. Some of the suggestions that
have been made here, we will do our best to try to implement.
What I am going to do is I am going to keep the record open
until 5:00 on Friday. If any of you have anything more for the
record, please feel free to submit. Any members who want to
submit questions for the record, we will do it that way.
So with that, thank you again. This hearing is adjourned.
[Whereupon, at 4:51 p.m., the Committee was adjourned.]
APPENDIX MATERIAL SUBMITTED