[Senate Hearing 115-300]
[From the U.S. Government Publishing Office]

S. Hrg. 115-300

PREPARING SMALL BUSINESSES FOR CYBERSECURITY SUCCESS

HEARING BEFORE THE COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION

APRIL 25, 2018

Printed for the Committee on Small Business and Entrepreneurship

Available via the World Wide Web: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
30-630 PDF
WASHINGTON : 2018

COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP
ONE HUNDRED FIFTEENTH CONGRESS

JAMES E. RISCH, Idaho, Chairman
BENJAMIN L. CARDIN, Maryland, Ranking Member
MARCO RUBIO, Florida
MARIA CANTWELL, Washington
RAND PAUL, Kentucky
JEANNE SHAHEEN, New Hampshire
TIM SCOTT, South Carolina
HEIDI HEITKAMP, North Dakota
JONI ERNST, Iowa
EDWARD J. MARKEY, Massachusetts
JAMES M. INHOFE, Oklahoma
CORY A. BOOKER, New Jersey
TODD YOUNG, Indiana
CHRISTOPHER A. COONS, Delaware
MICHAEL B. ENZI, Wyoming
MAZIE K. HIRONO, Hawaii
MIKE ROUNDS, South Dakota
TAMMY DUCKWORTH, Illinois
JOHN KENNEDY, Louisiana

Skiffington E. Holderness, Republican Staff Director
Sean Moore, Democratic Staff Director

C O N T E N T S

Opening Statements

Risch, Hon. James E., Chairman, and a U.S. Senator from Idaho
Cardin, Hon. Benjamin, Ranking Member, and a U.S. Senator from Maryland

Witnesses

Castro, Mr. Daniel, Vice President, Information Technology & Innovation Foundation, Washington, DC
Schrader, Mr. Russell, Executive Director, National Cyber Security Alliance, Washington, DC
Toews, Mr. Ben, President, Bullet Tools, Hayden, ID
Abate, Ms. Gina Y., President and CEO, Edwards Performance Solutions, Elkridge, MD

Alphabetical Listing

Abate, Ms. Gina Y.: Testimony; Prepared statement; Responses to questions submitted by Senators Young, Heitkamp, Hirono, and Duckworth
Cardin, Hon. Benjamin: Opening statement
Castro, Mr. Daniel: Testimony; Prepared statement; Responses to questions submitted by Senators Young, Heitkamp, Hirono, and Duckworth
Risch, Hon. James E.: Opening statement
Rowe, C.E. ``Tee'': Prepared statement
Schrader, Mr. Russell: Testimony; Prepared statement; Responses to questions submitted by Senators Young, Heitkamp, Hirono, and Duckworth
Toews, Mr. Ben: Testimony; Prepared statement; Responses to questions submitted by Senators Heitkamp, Hirono, and Duckworth

PREPARING SMALL BUSINESSES FOR CYBERSECURITY SUCCESS

WEDNESDAY, APRIL 25, 2018

United States Senate, Committee on Small Business and Entrepreneurship, Washington, DC.
The Committee met, pursuant to notice, at 3:30 p.m., in Room 428A, Russell Senate Office Building, Hon. James Risch, Chairman of the Committee, presiding.

Present: Senators Risch, Rubio, Ernst, Inhofe, Young, Rounds, Cardin, Cantwell, Heitkamp, Markey, and Booker.

OPENING STATEMENT OF HON. JAMES E. RISCH, CHAIRMAN, AND A U.S. SENATOR FROM IDAHO

Chairman Risch. The Committee will come to order. Today we are going to have a hearing entitled Preparing Small Businesses for Cybersecurity Success. And I have a few remarks and then I am going to turn it over to the Ranking Member for his remarks. We will then hear from our distinguished panel. Thank you so much, all of you, for joining us. Thank you, everyone, for coming today.

This is a hearing on one of the most dire threats to small business and individuals in our Nation, the increasing number of attacks by cyber criminals. The same technology that enables small businesses to do business online and compete in the global marketplace also makes their sensitive information vulnerable to phishing schemes and ransomware attacks. Small businesses are especially vulnerable as about 71 percent of data breaches occur in businesses with fewer than 100 employees. Regrettably, many of these attacks are preventable and can be tied back to missteps made by a business' employees.

News of cyber attacks makes headlines each day, and we know that Russia, Iran, China, and North Korea are some of the biggest cyber hackers in the world. We have confirmation that Russia tried to interfere in our elections, and recent reports have been made public that they are compromising the information of individuals and small businesses in our country and the UK. In recent years, the Russians have completely shut down Estonia's e-commerce, waged cyber war against Ukraine's energy grid, and they are constantly seeking to destabilize other countries.
Additionally, North Korea has repeatedly attacked public and private entities in attempts to steal cryptocurrency to shore up their finances in the face of economic sanctions. There are many bad actors out there and they grow in number and capability every day. Perpetrators vary from individuals to those directed by countries, putting small businesses in our country at great risk.

This issue hits especially close to home in a rural State like Idaho, where e-commerce is sometimes the only way to do business. That is why I have worked on three different pieces of bipartisan legislation to offer more tools to arm small businesses against potentially devastating cyber threats.

The Main Street Cybersecurity Act will require the National Institute of Standards and Technology to disseminate a small business-friendly version of its renowned Cybersecurity Framework. This will better position small businesses to protect their assets, customers, and employees.

I have also introduced the Small Business Cyber Training Act to train the counselors at regional Small Business Development Centers throughout the country on educating entrepreneurs on protective cyber habits when they are first starting a new business, which will help them institute safe practices before the problem arises.

And just yesterday I introduced the Small Business Cybersecurity Enhancements Act to prepare the Small Business Development Centers to receive information on cyber threats and breaches from small businesses in the field when these incidents happen.

Cyber attacks are too frequently the last nail in the coffin for many small businesses, who are already facing an uphill battle to get started, get funded, and keep up with new regulations. I look forward to hearing from our witnesses today about their experiences with cyber threats and about what we can do to prevent these attacks.

I would like to welcome Mr. Daniel Castro, the Vice President of Information Technology & Innovation Foundation, and the Director of its Center for Data Innovation. Prior to ITIF, Mr. Castro worked as a scientist for the Software Engineering Institute and as an IT analyst for the Government Accountability Office. We look forward to his testimony, as he is named one of FedScoop's 25 Most Influential People Under 40 in Government and Tech.

I am also pleased to welcome Mr. Ben Toews from Hayden, a small town located in north Idaho. After starting with Bullet Tools, while still a student at Gonzaga University, Mr. Toews eventually worked his way up to become President of the company. He has helped Bullet Tools fend off a ransomware attack and has contributed to the company's 300 percent growth over the past five years. In addition to his full-time job, Mr. Toews is a member of the Idaho SBDC Advisory Council, assisting other small business owners and entrepreneurs. Mr. Toews, I look forward to your testimony.

And, as a side note, Mr. Ranking Member, you would be interested to hear that when I sat in that seat, as the Chairman from the then majority party, I visited that business up there, and we were well entertained and enjoyed ourselves.

We also welcome Russell Schrader, the Executive Director of the National Cyber Security Alliance, and we welcome Ms. Gina Abate, President and CEO of Edwards Performance Solutions. Both of these will be further introduced by the Ranking Member Cardin. Thank you for being here today with us. And now I would like to recognize Senator Cardin.

OPENING STATEMENT OF HON. BENJAMIN L. CARDIN, RANKING MEMBER, AND A U.S. SENATOR FROM MARYLAND

Senator Cardin. Thank you, Mr. Chairman. There are days that I am looking for some road trips, so maybe we will look at visiting.

Chairman Risch. Have you ever been west of the Mississippi River?

[Laughter.]

Senator Cardin. Yes, a few times. A few times. Have you ever been on the Chesapeake Bay?

Chairman Risch. I have. Many times.
[Laughter.]

Senator Cardin. Good. We have a lot in common.

Chairman Risch. I drink water from there.

Senator Cardin. I am glad to hear it. The Chairman is a good friend and I appreciate his leadership on this Committee, and I particularly appreciate the fact that we are holding this hearing on preparing small businesses for cybersecurity success.

Cyber intrusions are a major problem, universal as well as in the United States. The Chairman is aware of this through our work on the Senate Foreign Relations Committee and his involvement on the Intelligence Committee. We know how active Russia is in cyber intrusions. North Korea, China, so many other countries. I authored a report in January that talked about Mr. Putin's designs in regards to our democratic institutions, and one of the tools he frequently uses is cyber intrusions, in order to get as much information as he possibly can to compromise our system of government.

So we know we have major challenges in America with cyber intrusions. It is affecting our economy and it is affecting our privacy. We know that with Equifax and Target intrusions. We saw that with Facebook and the way that they handled personal information management, leaving a lot to be desired.

We also know that small businesses are a prime target of cyber attacks. There are 30 million small businesses that live with the understanding that they are at risk. An SEC report said that small businesses are the principal target for cyber crime, and we also know that 58 percent of the data breach victims were small businesses. The challenge here is really why I am very pleased to have this hearing.
For a small company that may not have a big staff for IT, does not have the margins to look at how to defend on cyber, and, quite frankly, probably has limited knowledge and understanding of the risks of cyber attacks, it is very difficult to be prepared against very sophisticated operators that are phishing for information, that could very well harm that company.

So we know that we have a challenge as to how we can help small businesses be prepared to deal with the realities of cybersecurity today, and part of that solution has to be education and knowledge and building capacity for small businesses, and I know we are going to get into that discussion today.

Mr. Chairman, I cannot let my opening statement go without bragging about the role that Maryland is playing in regards to cybersecurity. Maryland is home to the National Security Agency, the U.S. Cyber Command, NIST Cybersecurity Center of Excellence, Johns Hopkins University Applied Physics Lab, University of Maryland--I could go on and on and on. I am proud of the role that these institutions and the people who work there are playing in our national security in dealing with cybersecurity, and we have so many private companies that are now located in our state.

We recognize that the small business community is the driving force for our economy. That is where most jobs are going to be created. That is where most innovation is going to take place. So it is appropriate for us to figure out how we can better defend the small business community from the threats of cyber intrusion.

I welcome all four of our witnesses. The Chairman has given introductions for Mr. Castro and Mr. Schrader. Let me join in welcoming Ms. Gina Abate, the President and CEO of Edwards Performance Solutions, a certified women-owned small business in Elkridge, Maryland. Have you been to Elkridge, Maryland?

Chairman Risch. I do not believe I have. Do they have elk in Maryland?

Senator Cardin. Elkridge, Maryland, is a wonderful place.
I pass it twice a day. I commute to Baltimore so I pass Elkridge twice a day. You are more than happy to go with me one day and we will stop by and visit.

Chairman Risch. I want to see the elk.

Senator Cardin. The company provides IT and cyber counseling services to commercial and government customers. She also chairs the Cybersecurity Association of Maryland.

And I am pleased that we also have Russell Schrader. He is the Executive Director of the National Cyber Security Alliance, the Nation's leading nonprofit public-private partnership that promotes cybersecurity and privacy education. Previously, he was Visa's first Chief Privacy Officer, where he oversaw privacy and data security policy.

So, Mr. Chairman, I think we have four very distinguished witnesses and I look forward to their testimony.

Senator Markey. Mr. Chairman, can I just interject to say that I think that Senator Cardin's opening statement could actually be used as a travelogue by the Maryland Chamber of Commerce, and I just wanted to compliment him for getting in just about every----

[Overlapping speakers.]

Chairman Risch. As long as we are going to go down that road, I need to tell you a little bit about the Idaho National Laboratory that is becoming one of the lead agencies in America on cybersecurity. So I hope you will be able to visit the Idaho National Lab, in Idaho Falls someday.

In any event, thank you so much for coming, and we will just go right down the line, and any written testimony you will submit we will include in the record. We would ask you to keep the remarks at about five minutes, if you would, and we will go right down the line, starting with you, Mr. Castro.

STATEMENT OF DANIEL CASTRO, VICE PRESIDENT, INFORMATION TECHNOLOGY & INNOVATION FOUNDATION, WASHINGTON, DC

Mr. Castro.
Chairman Risch, Ranking Member Cardin, members of the Committee, I appreciate the opportunity to appear before you today to discuss the opportunities to support small businesses as they seek to improve their cybersecurity practices.

As you know, small businesses face significant cybersecurity threats. In 2015, 42 percent of small businesses were victims of cyber attacks. In 2017, 58 percent of the confirmed data breaches involved small businesses. Most small businesses are concerned about cybersecurity but they are not doing enough to protect themselves against these threats. One recent survey found that a third of small businesses are not taking any practical steps to protect against cyber threats, and half of them do not have a cybersecurity budget.

These risks present an existential threat to some small businesses, as firms can go bankrupt from the cost of responding to a cyber attack or from the lost revenue and customers resulting from a business disruption caused by a security incident. Moreover, these attacks are a drain on the U.S. economy, costing between $57 and $109 billion in 2016. Therefore, I would like to discuss three steps Congress can take to improve cybersecurity practices.

First, one challenge that small businesses face is that they do not know what types of cybersecurity products and services they should be buying, or if they do know they cannot afford them because the per-user costs are too high. So companies that sell IT security products and services often use variable pricing, based on the number of users, or they require a minimum purchase amount. So these high per-user costs make the solutions unattractive or unfeasible for many small businesses. So Congress should direct SBA to assist small businesses by establishing a cybersecurity cooperative, to create a large pool of willing buyers for various cybersecurity products and services, including cyber risk insurance.
Participation in the cybersecurity co-op could be open to any small business, and depending on the level of interest, could be organized around particular regions or sectors. The co-op could identify and evaluate cybersecurity products and services for its members and negotiate better rates for its users than they could get on their own. This would be a win-win. It would help small businesses get more value for their investments and also increase adoption of best-in-class cybersecurity tools. It would also lower the cost for those selling these products and services by reducing their customer acquisition cost.

Second, many small businesses cannot hire qualified cybersecurity professionals. Part of the problem, of course, is that there is fierce competition for individuals with these skills. In the United States, there are 40,000 cybersecurity jobs that go unfilled each year, and small businesses which often pay less than their larger counterparts have a hard time competing for this talent. In addition, it is often impractical for a small business to hire a dedicated, full-time cybersecurity professional. Instead, they assign these responsibilities to an employee who works on these issues on a kind of part-time basis. Unfortunately, virtually all of the cybersecurity certification programs are tailored for people who do this as their full-time job, so small business employees who only work on cybersecurity issues as part of their job do not pursue these credentials and they are often unqualified or under-qualified.

To address this problem, Congress should direct SBA to develop a low-cost, vendor-neutral certification program for small business employees who serve as their designated cybersecurity expert.
The curriculum for the certification should be regularly reviewed, to ensure that it is accurate, comprehensive, and up to date, and SBA could authorize the professional certification organizations to actually provide the certification to those who successfully master the material. This certification would help small businesses assess whether they have staff qualified to handle cybersecurity issues, and ensure their investments in training are actually worthwhile.

And finally, small businesses will not have anyone who is properly trained--some of them will not--but these businesses still need to be able to mitigate common threats. So Congress should direct SBA to develop a free, online cybersecurity boot camp to provide small businesses the concrete steps they need to create a basic cybersecurity program to address the most critical threats facing small businesses. Participants would not be expected to come with any prior knowledge and they could repeat the boot camp as often as necessary. SBA would then be required to update the content regularly so that it contains information on both known as well as emerging threats.

Right now, the SBA offers one 30-minute class, but it is of poor quality. Some of the advice in the module is simply impractical. It has things like do not click on links in email, do not reply to unsolicited emails. This class also does not cover recent cybersecurity threats like ransomware. Other government agencies, of course, offer resources, but many of their sites are not user friendly or they contain broken links. Sometimes the content is undated or outdated, most are redundant, and they overwhelm small businesses with unnecessary information. Moreover, most of the resources either describe basic objectives, things like use stronger passwords, or they simply describe cybersecurity issues and terms.
I think the analogy here is this would be like Ikea providing its customers one-pagers explaining the importance of not overtightening screws and pamphlets on the dangers of collapsing bookshelves, instead of giving them the actual step-by-step instructions of how to assemble furniture. Small businesses need this more practical guidance.

We need more leadership on this issue, and so I commend you for holding this hearing today. Thank you for the opportunity to be here and I look forward to answering questions.

[The prepared statement of Mr. Castro follows:]

Chairman Risch. Mr. Castro, have you communicated these same thoughts to the SBA?

Mr. Castro. No. Not out of this. We did do, actually----

Chairman Risch. We will.

Mr. Castro. Okay. Great.

Chairman Risch. Thank you. I appreciate your testimony. Mr. Schrader, you are up next.

STATEMENT OF RUSSELL SCHRADER, EXECUTIVE DIRECTOR, NATIONAL CYBER SECURITY ALLIANCE, WASHINGTON, DC

Mr. Schrader. Thank you very much, Senator Risch, Ranking Member Cardin, distinguished Senators. I appreciate the invitation. I know that this is an important topic.

I am the Executive Director of the National Cyber Security Alliance, founded in 2001. We are the leading neutral, nonprofit, private-public partnership devoted to strengthening America's cybersecurity through awareness and through education. We believe that cybersecurity is an economic and a security issue, as best addressed through collaboration between public and private partnership with industry, government, and consumers. We bring together stakeholders to talk about cutting-edge issues, to execute highly hands-on, effective, broad-based education programs. Currently, one of our major partners is the Department of Homeland Security and our Board of Directors, which do represent leaders in technology, financial, insurance, and hospitality industries.
We have core education programs, including the National Cyber Security Awareness Month, which is October. It is co-founded and led with DHS; Data Privacy Day; STOP. THINK. CONNECT; and Lock Down Your Login, which is geared at congressional members, administration members right now; and the most recent addition to our portfolio, which is called CyberSecure Your Business, and I think that is the one that best aligns with what we are here to talk about today.

Today, as you pointed out, many businesses continue to think that they are too small to be a target of a cyber attack. These businesses lack the technical, the resources, the financial, and the legal things that they need to do to protect themselves. The NCSA's goal is to help entrepreneurs and small businesses across the country improve their cybersecurity, and we use targeted workshops that are aligned with the NIST Cybersecurity Framework. We have translated that NIST Framework into simple language, and to create an introductory-level, in-person, interactive, three-hour-long workshop that we host in various cities around the country. It empowers non-technical businesses to improve their cybersecurity, and we talk to people like the local butcher, the barber, the local accountant, people who do not necessarily have any cybersecurity backgrounds, and they need to protect their highly valuable information and assets. They have some of the country's key IP, like employee and consumer data.

In addition, many of these small businesses are suppliers to large companies. They are part of the vendor management program. They are part of the supply chain of large businesses as well. So our workshops are simple, they are actionable, and they have positive changes that small businesses can take to really move the needle on their own cybersecurity, and to reduce their own vulnerability to attack.
What we can do is we convene State attorneys general, SBA representatives, the FBI InfraGard, local FTC offices, chambers of commerce, Better Business Bureaus, and others to put on these programs and get small businesses to fill the rooms. Those small business attendees are armed with tangible resources to better secure their physical and their online assets, and they also have the awareness of the supports that are available to them throughout the country.

Now this is, right now, sponsored solely by sponsors from private industry, and these workshops are free to attend. I think seeing the trusted brands aligned alongside government agencies does send a clear message to businesses that the public and private sectors need to be joined together for the benefit. We also supplement these in-person workshops with monthly CyberSecure Your Business webinars, which are hosted on the second Tuesday of every month between 2 and 3 p.m., Eastern time.

Now the NCSA applauds the Federal agencies' roles in providing small businesses with the resources and tools they need to become cyber secure. In addition, we promote these within the organizations with our own materials, and we continue to support cross-agency and cross-public-private collaborations such as the one we have, the DHS, in order to do this. But we need more support dedicated to helping businesses prepare, and I look forward to the opportunity to talk with the community in ways that NCSA works with this Committee and other stakeholders in order to improve this very useful program.

And I point out, Mr. Chairman, based on the earlier conversation, that we had already scheduled one of these trainings to take place in Boise in the next coming months. We will talk about Elkridge at another time.

[The prepared statement of Mr. Schrader follows:]

Chairman Risch. Thank you so much. Ben, you are up.

STATEMENT OF BEN TOEWS, PRESIDENT, BULLET TOOLS, HAYDEN, ID

Mr. Toews. Right.
Chairman Risch, Ranking Member Cardin, Senators, thank you for the opportunity to testify today. My name is Ben Toews, President of Bullet Tools. My degree is in international business, not information technology. Managing the techy side of my business was a necessary evil. I created our network, got everyone connected, and did the troubleshooting and training. Once I found competent IT people I handed over the reins and never looked back.

So what qualifies me to testify, now that you know I am not a computer genius? In short, having my business hacked with ransomware and surviving.

Let us look at my company as a case study. Before the cyber attack, I think most would say that we were well protected. Our first line of defense was a hardware firewall, our second line of defense was a domain controller with centrally administrated usernames and passwords, and the third line of defense was Microsoft Security Essentials. Our fourth line of defense was informal training of users on good internet and email practices, and our final line of defense was an offsite backup of our financial and inventory data, on a daily basis.

Immediately before the attack, we set up a new computer without antivirus software. A new user with no password then plugged it into our network. This made us vulnerable and the hackers executed ransomware that encrypted every file that the new user had access to. When we discovered the attack and saw the ransom note we used our cell phones to find online resources to help clean and restore our system. All of our shared network files were encrypted but only one user was compromised. We restored the financial and inventory backups to the network, and most of our company was back to normal in three to four hours.

We were lucky. Without the offsite backup, we would have been virtually dead. We did lose some files, but none crucial to our operations. We now have additional security measures in place, along with daily offsite backups of all folders.
So what lessons did we learn? I think that learning from others' mistakes is a lot less painful than making them yourself. That is why I am here to encourage you to help small businesses learn from my experience.

There is an example that compares well to the situation. At the beginning of the Second World War, the British were concerned that the Luftwaffe would attack, millions of Londoners would flee, and the country would be paralyzed. Thankfully, that scenario did not play out. JT MacCurdy, in The Structure of Morale, described the effect of the blitz as splitting the population into three groups. One, the people killed by the bomb. A harsh fact: dead people do not spread panic. Two, the near misses. They feel the blast, see the destruction, it may result in shock and a preoccupation with the damage. Three, the remote misses. These people hear the sirens and explosions. For them, the experience is remote. The result? A feeling of invulnerability.

Small business falls into these three categories: those that have been hacked and did not survive, those that have been hacked and survived, and those that have not been hacked. The first category is not going around advertising it, and want to forget it ever happened. The second category is likely more prepared, and unless it happened quite recently, have set up a very secure computer system, or gone back to flip phones and faxes. The last category is the remote miss group. They have heard about companies being hacked but nothing has hit close enough to get their attention. This group, the majority, is going to need the most help.

Cyber criminals have realized that small, easy targets can be very lucrative. I do not believe that government programs are the best way to solve issues like cyber crime but they are very useful in creating an environment that encourages great solutions in the private sector.
This is accomplished by informing and empower small businesses, and the SBDC as an excellent organization to accomplish this. The Idaho SBDC helped my company write our initial business plan, obtain funding, and weather the storms of growing a business over about 18 years. I now sit on the Advisory Board of the Idaho SBDC. The SBDC has some good resources in place to help prevent or mitigate the devastating effects of cyber attacks, including vulnerability assessments and other tools. These resources need to be actively leveraged and promoted to the small business community. I believe this should be done through public service-type announcements sent through various social media platforms targeting small businesses. I think we are all aware now that social media has the necessary info to do so. Federal agencies also need to be encouraged to collaborate with SBDCs and promote them as a resource. There are nearly 1,000 SBDC locations providing boots on the ground, coaches across the country, who can educate those at risk, as well as help equip the small businesses that provide cybersecurity services and can provide a truly scalable solution. When dealing with IT, small business owners are wary. It is hard to know what the people you hire are doing, and if they should be trusted. The solution is standardized, reputable certifications for cybersecurity professionals. I hope that my testimony will help make a difference in combating cyber attacks, and it has been an honor speaking with you today. [The prepared statement of Mr. Toews follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Chairman Risch. Thank you, Ben. I appreciate it. And now, Ms.--am I pronouncing it right, ``Youbate''? Ms. Abate. Abate. Chairman Risch. Abate. My staff is really good about doing phonetics. I am just not good at reading phonetics. Ms. Abate. That is okay. Chairman Risch. Welcome. We would like to hear your testimony. STATEMENT OF GINA Y. 
ABATE, PRESIDENT AND CEO, EDWARDS PERFORMANCE SOLUTIONS, ELKRIDGE, MD

Ms. Abate. Okay. Well, thank you, Chairman Risch, Ranking Member Cardin, and members of the Committee for the opportunity to testify.

The high risk of financial damages is an unprecedented challenge to small businesses, intensified by the fact that the vast majority are unprepared to properly protect their assets. Discussions with hundreds of small businesses by the Cyber Security Association of Maryland members demonstrate a clear pattern of inaction, with the most frequent explanations being, ``My business is small. I am not a target,'' ``Cybersecurity is expensive and I cannot afford it,'' and ``I am not a regulated business so I do not need to worry about it.''

Let us address these justifications. Attackers are targeting small businesses with increasing frequency and sophistication. If an attacker is able to compromise a business system, they can access that to exploit business data, attack business customers and suppliers, and may even shut down the business. For an attacker, any foothold is a good foothold.

So what should a small business do to start their cybersecurity program? Every business should invest the time to understand the value of their assets, engage experts to understand the vulnerability of their IT systems, and take appropriate steps to manage their cyber risks. The more valuable their assets and the weaker their ability to detect, stop, and mitigate cyber damages, the greater the risk.

The absence of regulation should not be a driver for a cybersecurity program. In fact, regulatory compliance should be an outcome of a well-structured security program, not the reason for it. Small businesses who adopt a framework, like the NIST Cybersecurity Framework, are able to implement a cybersecurity and risk program to address current regulations and those that earn the future. Cybersecurity is a continuous process, not a one-time event, and best approached using proven methods.
Small businesses must implement a culture of safety, leveraging employee situational training, and low-cost tactics, like enforcing proper passwords, encrypting hard drives, and limiting user ability to load undesirable software.

The concepts of the NIST Framework are straightforward, but, in practice, organizations become overwhelmed with the information. It is important to note that organizations do not need to address all cybersecurity concerns at once. In most cases, a prioritized approach is sufficient to ensure key systems and/or business units are protected before addressing secondary areas of concern.

Even with the best protection tools and procedures in place, cybersecurity risk is not eliminated, so continuous monitoring is required to quickly detect malicious, undesirable, or abnormal activity. Once a breach is detected, an immediate response is critical. Businesses must have an exercised and maintained plan in place during ``peace time'' to ensure business damage is minimized, with the necessary actions and resources established to regain their client trust.

It is imperative the small business community understands cybersecurity is critical to overall business success. It is not just an IT problem. The challenge lies in convincing small business of the urgency to do more in protecting their assets. The compromise of one business can often impact suppliers and customers. There is much more at stake than the failure of one business at a time.

But how do we incentivize small businesses to start preparing? In Maryland, the bipartisan Cybersecurity Incentive Tax Credit Bill, Senate Bill 228, made Maryland the first State to incentivize small businesses to purchase local cybersecurity protections and investors to advance Maryland's cybersecurity companies. Those of us at CAMI are especially excited because thousands of small Maryland businesses at risk of cybersecurity damages can now get the help they need at a lower cost.
I believe it will be an indicator if this type of program generates increased conversations between cyber solution providers, both products and services, and motivates small businesses to take action.

So thank you again for the opportunity to testify, and I look forward to discussing this topic further.

[The prepared statement of Ms. Abate follows:]

Chairman Risch. Thank you so much. We are going to do a round of questions now, and I will start with myself.

Ben, do you have any objection to telling us a little bit about the ransomware attack that you survived? I guess you survived.

Mr. Toews. Yeah, I would be happy to share whatever I can.

Chairman Risch. Do it.

Mr. Toews. Just like what more information would you like?

Chairman Risch. Well, I do not think anyone here has any information about it, so maybe you could give us a brief description of what happened and how you got through it.

Mr. Toews. Yeah. So, I mean, we, on a Friday, we essentially set up a new user, and after we set up that new user, that did not have a password and was plugged into the network, and then over the weekend, from what we can tell, they got into our system. We had ports open, because we have a voice-over-IP system, which is difficult to have it behind the firewall. And so that opened up ports for them to get into our system. We figured they probably used, I think it is called a brute force hacker system, that allows you to get--figure out who does not have a password, which users do not have a password. And then once they were in our system, they just encrypted all of the shared network files, including all of our operations and inventory and financial information. And fortunately, like I said, that was backed up.

Chairman Risch. And so what--was that the end of it? I mean, did you wind up having to do some--I mean, obviously you had to go in and change the system.

Mr. Toews. Yeah. We restored our system. On Monday morning, we figured it out.
We had the ransom note in there. We did not pay any money. I think it was in bitcoin that they tried to get us to pay. We did not pay any money to restore our files. We just thought it was too risky. You know, what are the chances that the criminals are going to actually give you the information that they are promising you? And so we restored what we could, that had been backed up offsite, and once we restored that we were back up and running pretty quickly, and we just, honestly, lost some labor hours for specialized reports that were on our network. But all of our customer information was stored offsite, so there was not any sensitive information that was breached.

Chairman Risch. Sounds like you were pretty lucky getting through it.

Mr. Toews. We were very lucky. Yes, I would say so.

Chairman Risch. Senator Cardin.

Senator Cardin. Well, I thank all of our witnesses. I want to drill down a little bit on what the SBA can do to help. The 2017 National Defense Authorization Act included language that this Committee had reported out, that required the SBA and the Department of Homeland Security to collaborate on cyber strategies for small businesses, using the Small Business Development Centers.

Mr. Schrader, you have already talked about some of the work with the Small Business Centers, or maybe Mr. Toews. One of you had talked about the use of those centers.

The bill also required the two agencies to report back to our two authorizing committees with a strategy on how they are going to deal with cybersecurity. That report should have been in by the end of 2017. It has not yet been received, and our staffs are following up to do that.

My question is, what can you expect could be helpful from the Small Business Administration, to help small businesses deal with being better prepared on cybersecurity? I think, Mr. Schrader, you talked a little bit about the private sector, having their conferences. That is great.
I do not know how many small businesses actually take advantage of that. But there is already contact between a lot of small businesses and the SBA. Could they be more effective in getting greater knowledge to the small businesses and how they need to go about in order to understand their risk factors and take common sense ways of protecting themselves?

Mr. Schrader. That is a terrific question, Senator, and, absolutely, yes. There are so many small businesses out there, small- to medium-sized businesses, as part of the supply chain, as well as entrepreneurial standalone access that know public partnership, or private entities such as NCSA can reach all of them. We need to have a lot of different things, people working in the same direction. There is so much more education that can go out there. Whether it comes from the cybersecurity education work that we are doing with Department of Homeland Security, we would happily partner with the SBA to work on some of these educational programs. We have developed a really nice adaptation of the NIST Framework that is geared to very hands-on education. Whether we move that more online, whether we are able to access more of the centers outside of Washington in order to do more of that training, we absolutely see a wonderful partnership opportunity.

Because there are certain simple, actionable steps that will help never make one totally secure, but will make you much more secure than you are. For example, as you talked about in the ransomware, there was no password. You had just plugged it in on a Friday. The simple things, like put in a password, keep your patches up to date, make your passwords actually passphrases, look at two-factor authentication. Very simple steps that people just need to have put out to them in an easy way that they can remember, that it is not an IT part of business, it is a day-to-day, ongoing part of the business.

Senator Cardin. Mr.
Castro, you mentioned some common-sense ways, including the co-op. I think the co-op is an excellent suggestion. You are sort of at the mercy of the private sector on products to buy and the price factors can be astronomical for individual small business owners. So the services of a co-op seem to make a lot of sense, in first directing you to the right type of product, and secondly, getting you a competitive price. I like that.

Ms. Abate, you mentioned the fact that the Maryland legislature passed a bill that allows for credits against State income taxes in regards to locally produced cybersecurity software. It will be interesting to see how that works, because we could look at that at the national level, but I think it might be interesting to see what happens first in Maryland.

These are, it seems like, common-sense approaches that could be taken. What do you need from us in order to advance some of these proposals?

Mr. Castro. I think certainly SBA needs to be pointed in the right direction on some of this. They are not necessarily actively pursuing a lot of these initiatives. You know, one of the challenges, I think, is there is a lot of information that is out there on the training side, and on the education side. There is not really concentrated around what is the full curriculum, how are you either specifically educating the workers in small businesses so they know what they need to do, or how are you giving them that step-by-step guidance of walking someone through who is never going to get the training but you can show them, once, how to do the thing they need to do at that moment. And both of those are needed, and right now SBA just is not doing it.

Senator Cardin. I just hope you would follow up on what is happening in Maryland. I find that fascinating, whether other states follow suit and what the experience is in our State.

Ms. Abate.
Yeah, I think so too, and I think part of the issue, when you look at small businesses, we have much more limited funds, correct, than a large. So what are we focused on? We are focused on how do we deliver a quality service, a quality product? How do we remain profitable? And, you know, cyber really, for a lot of these companies, has not risen to that business success, and anything we can do, through SBA or others, to help to raise it to that level--like I said, it is not just an IT problem. You can lose your business. Everything you do, all day, to be profitable and have a fabulous product is put at risk if you ignore this piece of the pie. I mean, it truly can. And I think it is just critical to raise awareness on what they need to be focused on.

Chairman Risch. Thank you. Senator Inhofe.

Senator Inhofe. Thank you very much, Mr. Chairman. [Off microphone.] I find it interesting that we have--there might be some relationship between--I think we probably have more small businesses, and some of the rural states do, than some of the larger states. I have one example in Norman, Oklahoma. We have a company called Astronomics. There is no reason that you guys should have ever heard of it, but it is a small business, and they specialize in designing certain kinds of telescope. Anyway, they were successful when they saw justice when a California man was convicted in a Federal court of directing distributed denial of service cyber attack in Astronomics. Now, they were successful. It worked.

Now, Mr. Castro, what can we do to have more successes like this? What needs to be changed that might be something that you would like to see us do?

Mr. Castro. Yeah. I think one of the most important things is really around that certification side, so that workers--so that small businesses can hire workers who have some skills, because I think so often, you know, the small business just has no real capacity to do anything, and they have no capacity to measure the skills.
And there are so many classes that are out there right now, but there is no verification that, you know, you have taken the class and you have actually absorbed the knowledge. I mean, I have taken a class on juggling. I cannot juggle. And that is kind of what exists right now in the cyber certification space.

Senator Inhofe. Mr. Schrader, I chaired the Environment and Public Works Committee for 12 years, and during the time of the Obama administration, and I am sure some of this Committee would disagree with this characterization. But we did just a lot of overregulation in every area, and we were successful, and this President came along and doing away with some of these regulations. As a matter of fact, there are two ways of doing away with the regulation. One is with Executive order and the other with a CRA, and our count is up to 70 now. Now, I think that is one reason that our economy has really been booming, the overregulation, of course. I think the tax bill helped too.

What types of regulatory problems do you have, because that is an area where we might be--or do you have any regulatory problems?

Mr. Schrader. At the NCSA we do not have regulatory problems. In fact, the NIST Framework which has been put out, and is continuing to be updated, has been very helpful in that it is voluntary and that it is scalable, and that it is something that puts out the kind of common-sense ways that the private enterprises have been able to come through and to make useful to small businesses. In our particular case, because we have a very active Board of Directors, who is very interested in pushing out this education, we have been able to move it into small businesses, and anything that would encourage further contributions, and other further ways that we can roll out this education through private means, is something that we very much like.
For example, Senator, I actually had a very nice conversation with Devin Barrett and Dan Hillenbrand in your office about different ways that we would be able to work with the Administration and with yours on some of the very simple tools to be used, both within staffs here and staffs at Small Business, because each office really is, almost, a small business, and you have to take a look at everything that you are doing in order to make cybersecurity part of your everyday way of doing business. The crooks are not sleeping. The people who are coming in and trying to steal our IP are not sleeping. They are constantly going after something. You cannot have something that says ``I have checked that list off. Now I am done,'' because there are always people looking. It is an ongoing process that we always need to be watchful for.

Senator Inhofe. Okay. I was here for your opening statement. Ms. Abate--is that----

Ms. Abate. That is it.

Senator Inhofe [continuing]. And you commented that there is something in Maryland that was, I guess, a State agency or something, that has given help, and I did not know what you were talking about.

Ms. Abate. The Cyber Security Association of Maryland, it is called CAMI, is a nonprofit, and it supports our Maryland cybersecurity companies by helping connect them with buyers of products and services, and then we also work to make sure we have the necessary workforce to be able to perform that work.

Senator Inhofe. Okay. That is interesting. I would like to get to know more about that. Thank you, Mr. Chairman.

Senator Rubio [presiding]. Thank you. Senator Heitkamp.

Senator Heitkamp. Thank you, Mr. Chairman. This is cybersecurity day for me. I spent the morning with Assistant Secretary Jeanette Manfra over at the Department of Homeland Security, and we just came away from a hearing for Christopher Krebs to become the Under Secretary. So we are trying to gear up over at DHS.
One concern that I have, probably for all of you, is that-- let me give you an example. We have a Center of Excellence in the Centers for Disease Control. They look and research various diseases. That information is utilized by all kinds of agencies, you know, whether it is the Bureau of Prisons, whether it is the Department of Human Services. One of the things that I am very concerned about is the disparate kind of jurisdiction over cyber within the government, and I believe that Mr. Krebs has a responsibility to create a center of excellence, that then can be integrated in other agencies. But this is the best way to engage the private sector.

I also talk a lot about, you know, everybody wants a magic bullet that will harden the system and protect, and we are all looking for that software, all looking for that hardware, potentially, that is going to harden the system. Guess what? You know, that does not exist. It is not likely to exist. And what we really need is we need good cyber hygiene, and that is really what you all are talking about in small businesses is good cyber hygiene. What does that look like and where is the checklist?

There are two ways we can do that. We can have the Department of Homeland Security or whatever agency we designate to create a center of excellence for cybersecurity that people can look at best practices. I am not saying you have to use them, but create the best practices, the best tools for educating users. You know, you are only as secure as your least secure user, in terms of a back door, ask Target about that, right? And so what do we do to create greater awareness among not just small business users but your constituents, your customers, to create better security, better cyber hygiene?

And, Mr. Toews, I can assure you, coming from the University of North Dakota, I know how to pronounce your last name. And for those of you, that is a hockey joke.
Wonderful, wonderful alumni of our hockey program and we are proud to--even though he is from Manitoba, and I can talk like I am from Manitoba if that will help. Anyway--eh. I should not say ``ya.'' I should say ``eh.''

But help me out here on what tools you think your small businesses, or your organizations would need to better educate your users, your customers, on how to protect themselves. I will start with you, Mr. Castro.

Mr. Castro. Yeah. I mean, one of the biggest challenges right now is, you know, just so much information that is on these different websites. And so I think one of the opportunities that this Committee has is to really talk to SBA about how it is going to consolidate the information. When I was, you know, preparing for this hearing, one of the things I tried to do was put myself in the position of if I was a small business owner today, trying to look for this information right now, I had an attack and I was trying to respond. Could I find anything? And what I was finding was that, again, first of all, the information just is really badly organized. It is not put in a user-friendly format. But also there is just so much information. So much of it is outdated. You know, it is not serving the customer.

Senator Heitkamp. And it is cumbersome.

Mr. Castro. Exactly. And so, you know, really forcing SBA to confront this issue and how they are going to work with the different agencies. Clearly SBA is not going to be the center of excellence for cybersecurity, but they are the ones that are communicating it to the small businesses.

Senator Heitkamp. Right. But I think, in some ways, they do not know. Mr. Schrader.

Mr. Schrader. Yes. Well, first, thank you, Senator, for mentioning Assistant Secretary Manfra. She was kind enough to come to RSA----

Senator Heitkamp. She told me that.

Mr. Schrader [continuing].
Last week, and on Thursday we had a panel together at eight in the morning, about increasing the diversity in the cybersecurity workforce, because it is very difficult to build up, you know, a very good, diverse workforce that is ready to jump in to fill the need that we have now. And then she was kind enough to come to a lunch with the directors and some others, and she gave about two hours of her time talking about what DHS is doing, and talking about the strong public-private partnership that we have.

Senator Heitkamp. Do you agree, Mr. Schrader, that creating a center of excellence within the Department of Homeland Security, then that information being disseminated in places like SBA, could be enormously helpful?

Mr. Schrader. I think that everything that we can do is helpful. As you pointed out, there is no silver bullet. There is no hardened defense. It has to be layers of defense. It has to be constantly looking at different needs. I started here talking about cybersecurity, my business, but as Assistant Secretary Manfra and I have talked about, we are also doing Lock Down Your Login, which is geared specifically to staff members here in Congress. Right now we have some posters which we will happily give out to you. But the idea is six easy tips that will help everyone here, because you are a very attractive target, for emails, your social accounts, and the rest.

Senator Heitkamp. Not just us but every person in the United States wants to know how to fix this problem. And I am sorry, Mr. Toews and Ms. Abate, I have run out of time. But this is an issue that we are going to continue to have discussions on. But I really think it is important that we see all this jurisdictional, you know, what is DoD doing, what is DHS doing, what is SBA.
Because everybody is coming at it with a sense of panic, when we need to sit down and have a systemic kind of--like I said, the center of excellence that then can disseminate information and get it to the local community organizations that can do seminars with, you know, at AARP, or in high schools, saying this is what you need to do to not be-- to lock the door.

Thank you, Mr. Chairman, for the extra time.

Chairman Risch [presiding]. Thank you. Senator Rubio.

Senator Rubio. Thank you, and the thing that concerns me-- well, let me share a story with you about a company, a small company in Florida. They got hacked. Somebody got--criminals got into their system, basically stole all of their client data and information, took it all, and then basically contacted them and said, ``We know how much you can afford to pay. We have your financial information. You need to pay us. You need to pay us in bitcoin if you want all this back, or you will not be able to operate.'' And they went to the FBI, according to them--I have not talked to the FBI about this case--and the FBI basically told them, ``You should pay them because you are not going to get your data back if you do not.'' And so they did. They went out and bought, I think it was a quarter of a million dollars of bitcoin and paid them, and they got their information back, and were able to continue to operate. So they had their financials, they knew what they had in the bank and what they could afford to pay, and they based their demands on it. We will never know who stole their money, but it is gone, and it was damaging to that company, as you can well imagine.

Now if that had been someone--if we had a rash of people breaking into companies and stealing cash out of safes, you know, we would be all talking about it. In this particular case, they probably did not even want to publicize it, which is why I do not say who the business is, because their clients are probably concerned about it.
We do not have a lot to do to help them, and their bigger challenges in the future--they have gotten a little better at what they are doing but they cannot afford to have the sort of IT division to protect them again in the future.

And is the story I have just outlined, do you think, number one, just from the experience you have all had, is this happening more than we know? In essence, are businesses experiencing this but basically not filing a quote-unquote ``police report'' the way they would a normal theft because (a) there is nothing law enforcement can do to help them, and (b) it is not the kind of thing they want people to know about? Do you think this is--do you think it is common and under-reported?

Ms. Abate. I do. I think more and more small businesses do not want to talk about it because it does damage their reputation and it can have a really adverse effect. But, you know, the other thing is reaching out to the right law enforcement and what you need to do and having processes. This morning I was at a session. The Secret Service was there. Unbeknownst to me, they can assist and help, and we were talking about that earlier. So I think it is really important for companies to understand, when you do experience a breach, who can I reach out to and what are the best next steps? Because if they do not have a plan in place, you are in panic mode, right? I mean, your business is at risk. You have lost your data if you do not have substantial backup. So it is something, I think, that is a problem and needs to be addressed.

Mr. Toews. I echo that. I think it is very under-reported. We never contacted law enforcement at all in our situation. Of course, we recovered most of the information. But we are unique in the sense that we did not have--all of our customer databases were offsite, so I am comfortable talking with you about it. But I think you are right.
I think people are embarrassed and they are concerned it will have a negative impact on their business, and so they just do not talk about it. So it is an under-reported issue, but it has got to be impacting our economy. I know it is.

Senator Rubio. And the follow-up, the other thing that is devastating about it is if that business happens to do work for governments, or health care, some of the information that is being stolen is proprietary health care records, billing records, the like, and in the case of government, contracts, whether it is DoD or the space industry that is trying to expand to bring in more small businesses and suppliers, the inability to meet certain criteria for cybersecurity, because of the governmental--forget about classified. Just the governmental component of it could potentially begin to disqualify smaller companies because they cannot afford to build up the cyber capability necessary to be able to service the client. And so is that also something that people are running into in the small business world, where the cost of building up the sort of IT security they need is too high and, therefore, prohibit them from certain types of work that might now, or in the future, have certain minimum IT strength requirements that they cannot afford to purchase?

Mr. Castro. I will comment first. I mean, it is a challenge, I think, right now for any small business to comply with all the different Federal security regulations at the same level the agencies are expected to require, and I think agencies are struggling at the same--with the same issue. I think it is feasible to put together a cybersecurity plan. The problem is most small businesses do not have the capability.

Senator Rubio. They cannot afford it.

Mr. Castro. They cannot afford it and they do not have the, I think, even skill set to start putting it together.

Ms. Abate.
You know, I would just mention that we have actually had customers, when we have worked with them on an assessment, and looked at what needed to be done, have decided not to do work with the DoD because of the expense in complying with the 800-171. It is just not something they can justify when they weigh it.

Senator Rubio. And I guess this is just a statement, and I think you guys would agree with this. If we are serious about expanding more government contracting work to small businesses, because we want to have a broader base of suppliers, then part of that program needs to be assisting companies with the costs--small companies with the costs of, and the capability of being able to meet the criteria that we require of them. In earnest, trying to attract more suppliers and small business providers to do work in the space industry or for defense, the only way that is going to happen is if we help them to meet some of these criteria that on their own they cannot afford.

Mr. Schrader. Right. Some of the larger companies are, in fact, realizing that that is a problem because they realize that they have problems in the supply chain and in their vendor management, and they are looking at public and private ways to do it. For example, Federal Express came to us and made a contribution to us in order to do the cybersecurity business program. And they asked to have one of their trainings done in Memphis, where they have a lot of small business contractors, and also asked to do one in Charlotte, where they also have a significant presence. So they were very proactive. They were very good corporate citizens in realizing that they were getting a two-fer.
One is they were helping small businesses be safer themselves and be able to compete with larger ones, but at the same time they were protecting their own business model because they would be able to do business with a supply chain with a better degree of assurance that they were dealing with people who took cybersecurity as seriously as they did.

Chairman Risch. I am shocked to hear that the private sector is ahead of the Federal Government on some of this, as we all are. Thank you, Senator Rubio. Senator Markey.

Senator Markey. Thank you so much. You know, this is a problem that is not small, because we see big companies constantly being hacked. And when I ask Joe Tucci, who is the CEO of EMC--they own RSA, which is kind of a standard for the entire industry, RSA--I say, ``Why are all these companies getting hacked, the big companies?'' and they say, ``Well, they do not want to buy our state-of-the-art security.'' It is a never-ending, always escalating technology versus technology, spy versus spy. Like Mad magazine, it just never ends. You just have to keep investing if you want to be protected.

So if big companies do not like to do it, and then they get hacked, how hard is it for small companies, and, really, that is why this hearing is important today, because it is not--IoT is the Internet of Things but it is also IoT, Internet of Threats, because everything is going to be a threat, going down the line, because everything is going to be ultimately digitized. And we could have as many as 50 billion IoT devices, in our pockets, our homes, our businesses, by 2020, 50 billion of these devices in the United States. And so there is just going to be a vast proliferation of the ability to hack in.

And we have, as you know, up in Massachusetts, my little travelogue, we have scores of cybersecurity companies now. You know, RSA is kind of a famous one but we have scores of these companies. We buy Israel's companies.
Israel buys our cyber companies, because it is, for better or worse, an incredibly huge growth industry, and it is because our prosperity, our privacy, our Nation's security is all dependent upon us moving more surely into this area. And it certainly threatens small businesses in our country, which is why I introduced the Cyber Shield Act. And so just listen to what the bill would do if it became the law. It would establish an advisory committee of cybersecurity experts from academia, industry, consumer advocacy communities, and the public to create cybersecurity benchmarks for IoT devices. And it can be baby monitors, cameras, cell phones, laptops, tablets, anything that you are using in any of your businesses. And the IoT manufacturers can then voluntarily certify that their product meets those industry-leading cybersecurity and data security benchmarks and display that certification to the public. So that would then reward the companies that are making the technologies that you want to be sure are not going to get hacked in your small business, that are going to give you the protections which you want. But in the same way when you buy a car, you can see the safety sticker. Is it one through five stars? You can look at lighting, one through five stars. You can look at it in so many other aspects of our lives. Well, cybersecurity, increasingly, is going to have to be in that case because you have to purchase the equipment, the devices that are going to make you prosperous as small businesses. So it would reward the manufacturers by adhering to the best data security practices while also ensuring that small businesses can make more informed choices. So my question for the panel is, do you think that creating a cybersecurity certification regime, such as the Cyber Shield Act does for IoT devices, is helpful for small businesses when they are making purchasing decisions?

Mr. Castro. I think it is a really important move to try and get the market to work better, because I think what your bill will do is it creates that transparency in the market which is sorely lacking right now. I think it is a great move. I think you might be able to do it with a little bit less of a certification regime if you maybe just required IoT vendors to disclose their security practice without assessing it. Let a third party assess it. But whether it is this advisory committee that assesses it or a third party, I think it is exactly what we need to get that kind of market transparency to work.

Senator Markey. And can you talk about that flying blind quality to the marketplace, you know, if you are a small business or anyone else?

Mr. Castro. Yeah. I mean, the biggest problem for a small business is they do not know who the best of the best is, right? Sometimes they go based on a brand name that they have heard, but often, you know, I used to work, you know, directly with small businesses and you go in and they were using some product they had never heard of, because, you know, their, you know, cousin recommended it, and that cousin did not know anything about security. Or, you know, they had a popup on a website tell them, you know, they had an antivirus and they better click here and download it, and they thought they were improving security and they were not.

Senator Markey. Right. So that is a problem, right? I mean, if a big company cannot figure it out, or they are just too cheap and they do not want to spend every couple of years, the updated, you know, software money, then they get hacked and everyone says ``what happened?'' and then, you know, my biggest company says they did not want to pay us, you know, for the security. It is tougher for you.
It is harder for you to have the money, you know, to be doing that on an ongoing basis, but at least the transparency of which one of these technologies has been given a one- through five-star rating, at least you have got some idea as to what the level of security which you have purchased for any one of these devices might be. So is it Mr. Toews--is that how you say it? Why is it ``Taves''? It is T-o-e-w-s. What country is that?

Chairman Risch. You missed Heidi Heitkamp this morning.

Senator Markey. Oh, did I? Oh, my God.

Chairman Risch. Very interesting.

Senator Markey. Yeah. But what country?

Mr. Toews. Germany.

Senator Markey. Germany.

Mr. Toews. So the W makes a V sound----

Senator Markey. Yeah.

Mr. Toews [continuing]. And O and E is trying to imitate----

Senator Markey. Got it.

Mr. Toews [continuing]. A vowel we do not have.

Senator Markey. So, see, great minds think alike. Like Heidi, I do not want to know the answer. So we are actually at the beginning of the ransomware epidemic, where cyber criminals infect their victims' computer networks with malware, denying users access to their files until a ransom is paid. And that ransomware attack could prevent a hospital from accessing its patients' medical records, a business from accessing their financial records, a police department from accessing files from ongoing investigations. And attackers have even taken aim at municipalities, like the town of Medfield, Massachusetts, which was forced to pay a $300 ransom to hackers who attacked their municipal network. And that cyber threat to anyone who connects to the internet is clear, and we need to take decisive action to deal with that. So, Mr. Toews, can you talk about what kind of protections you would like to see in order to be protected against ransomware extortion?

Mr. Toews. Certainly. I would be happy to. And it is a very uncomfortable situation when you find all of your files encrypted and there is a ransom note.
It is not something that you expect to happen. But I honestly think that one of the first steps we need to take is to educate small businesses more that it is a problem. I do not believe that most of them understand the gravity of the problem. They all feel like this could not happen to me. So somehow educating them, getting, like I said, a public service announcement, some way of getting the word out, maybe let them know how many companies have been hacked, maybe letting them know how many of those that we know got hacked, how many it ended in the business going out of business. That kind of information going to the small businesses, I think, would be key. And then certifying--having standardized certifications that show who reputable cybersecurity professionals are, I think would be a huge step. Maybe there are already some out there. It needs to be educated--we need to be educated on that as well.

Senator Markey. Yeah. We have a company up in Massachusetts called Carbonite. Carbonite had almost no employees eight years ago and now it has 1,200 employees. So they have already dealt with ransomware for 10,000 companies in America. In other words, if you have one call to make, and it just happened 20 minutes ago, and you do not call Carbonite, you are probably making a mistake. Okay? That is my travelogue here, because they can fix it maybe within an hour, if you make the call on the right day, immediately, right? Because this is just an epidemic across the country, and you do not want to have to pay that ransom. You want to have to be able to figure this thing out immediately where it is in its earliest stages. So that is also another problem for smaller companies. You know, it is now going to become increasingly an additional expenditure which has to be made, you know, in order to deal with this as it just proliferates, because there is, ultimately--you know, there is a Dickensian quality to the internet.
It is the best of wires and the worst of wires simultaneously. It can enable, it can ennoble, it can degrade, it can debase. And this sinister side of cyber space is increasingly, in industry, a bad--the bad guys, right? So that is why we are here, and we are looking forward to any recommendations you can give to us. But I do think, ultimately, we need some national standards that we just start to establish, at least information, transparency, so that the information is in the hands of the small businesses, so they are making informed consumer choices for their small businesses, to protect their company against ransomware or against any other attacks. So thank you for your testimony. I thank you, Mr. Chairman. This is a very, very important hearing.

Chairman Risch. Thank you. Senator Markey, your idea about the standards in your legislation, does it contemplate an entity like UL, Underwriters Laboratories, that would somehow put their seal on----

Senator Markey. Ah.

Chairman Risch. UL was successful for generations, of course. And I would ask the panel, would--does a cyber product lend itself to that kind of a certification like they would have for UL, when it comes to security, or is that something you need to think about?

Mr. Castro. Some products I think it does make sense, especially when you are talking about devices. Others, you know, when it is more service-based, you know, you might look at other types of certifications like TRUSTe and others that have existed. So I do not think it is always a straightforward answer. The biggest difference is that with UL there was a straightforward testing. With cybersecurity, the testing that you can do to identify flaws is much harder. It is a bigger open space.

Chairman Risch. We had a witness in--I do not think this is classified--it was in the Intel Committee, and we were having a cybersecurity hearing.
And this person, who was an expert on cyber stuff said, ``We are in cyber where the Wright Brothers were on their second airplane,'' saying that, you know, the biggest problem is we do not know what we do not know. And I suspect maybe we are going to be crossing those bridges.

Senator Markey. But there are--if I may, Mr.--there are companies like Carbonite. There are, really, RSA, which is a subdivision now of Dell, which has purchased EMC, which now has RSA in it. If you go to the state-of-the-art company, they are fierce competitors against the Russians, or against any other, you know, criminal----

Chairman Risch. The problem----

Senator Markey [continuing]. But you have to pay for it in order to get it done, and they can actually attract the most talented people in the government to go and work for them, because they can pay so much more.

Chairman Risch. The problem is, the average buyer, consumer, does not know that stuff. I know some pretty sophisticated people that have gone out and bought Kaspersky Laboratory products. Anybody ever heard of them?

Senator Markey. Yeah. Can I say this? Woburn, Massachusetts, yeah. I am just being a Ben Cardin.

Chairman Risch. Thank you very much.

Senator Markey. Yeah. But that is not, maybe, the best example for us to be advertising.

Senator Cardin. I think this is very important, your bill. There is some work being done at NIST in regards to this field, but I do not think we have what you are trying to do, Senator Markey. But it is something we need to be able to get better conformity. And what you have indicated, about not reporting this, is common. Rarely is this reported, which points out another problem, because if we are trying to counter this and we do not get that information to some law enforcement investigative authority, then it makes it even more challenging for us to root out those that should be held criminally accountable for the type of activities that they are doing.
So I think you are pointing out some real significant issues, and all of you have come up with proposals, which we thank. I mean, that is what I like from hearings, specific proposals. So I think you have given us a lot of really good ideas.

Senator Markey. And if I may, I think your UL idea is a good idea. It is a good way of thinking about it.

Chairman Risch. It is a good way of thinking about it. I do not know if it works or not. Senator Cantwell.

Senator Markey. Yeah, but can I just say to Mr. Castro----

Chairman Risch. Senator Markey has been taking up all your time.

Senator Markey. I have been filibustering so you had time to get here, okay? That has been my responsibility. I just want to say to you, Mr. Castro, given what happened in Cuba last week and how responsible we will be to you, you are the most powerful Castro in the world now, so let us know what you think.

Chairman Risch. Moving right along, Senator Cantwell.

Senator Cantwell. Well, thank you, Mr. Chairman, and thank you for having this hearing. It is such an important hearing because we want our small businesses to be able to keep pace with the level of advancements, and certainly with the level of attacks on our infrastructure as it relates to cyber attacks, we want our small businesses to have every opportunity. I know my colleague was here earlier talking about cyber hygiene, and one thing we have been able to do in the Pacific Northwest is working with our industry sectors, actually, and our Guard and Reserve has come up with that cyber hygiene list of things that we expect all businesses to do. What would it take for--what do you think we should be specifically focusing on that would help small businesses participate in those kinds of discussions and to better reveal information about what kinds of attacks you might have already been experiencing, given that nobody really wants to come forward and say that, because of vulnerabilities to your business?

Chairman Risch. Well, who is the hero here?

Mr. Castro. I will start it. I think, you know, a lot of small businesses do not have a lot of time to spend on this issue, so, you know, you always have to, when we are talking about how can we help them, is giving them very concrete, actionable steps. The New York Times did something great recently, where they had a seven-day financial health program. Every day you signed up for it you got an email that said, you know, spend an hour and do these specific things. You know, look at your credit card statements. Use this tool to figure out what you are overpaying for. That is the kind of direct, hands-on feedback we need to give small businesses. The average small business is not going to be able to do--you know, they are not going to be able to sit down and think about the cybersecurity threats and, you know, take a tip about, you know, secure your passwords, and think through all the ways that could apply. They need very concrete direction that says, you know, log into your Wi-Fi router and make sure you have been labeled WPA security. That kind of specific feedback. And I think, you know, we can do that, but that is not what we have been doing so far.

Senator Cantwell. Okay.

Mr. Schrader. The other part is it has to be ongoing, right, because with UL you have a UL sticker on your lamp. You plug the lamp in and you know that the lamp is going to be safe when you plug it in. But in the case of small businesses, they are constantly adding, they are upgrading, there are patches to be fixed, there are new ways that they are bringing in new software, new hardware, which is the issue that you had, Ben. And so basically you have to have a recency effect as well as an education effect.
It has to be something that they constantly think of as they go through their day-to-day business, keeping their software up to date, changing their passwords when they change their--you know, their employees, being a little bit socially aware of the kind of social engineering that happens to big and small firms, in order to get people to, you know, to download things or to reveal passwords. So it is an ongoing education process. It is not like we will ever be able to say, ``We have hit the bottom of the list. Thank you very much. That is solved. Let us move on.'' And we do not want that to be, because we want to encourage more entrepreneurship. We want to encourage them to be able to compete into the supply chain and to grow into bigger companies.

Senator Cantwell. It is amazing that Equifax was just--there was an available patch, you know, an Apache patch that somebody just did not download. Like somebody made a really big mistake by not implementing that solution. So I hear your point about constant information. That is why--I do not know if it is because we had so many people in our Guard and Reserve that were in the software industry or just that we have a big footprint there, but this effort on a cyber hygiene list, I just feel--I mean, look. I mean, now the threat is not necessarily somebody sticking a sub in U.S. waters or basically flying a plane into U.S. airspace. It is state-owned actors hacking systems. So I actually think the Guard and Reserve could play this ongoing dialogue for us about what are the 10 things people should be on the lookout for? What are the 10 cyber hygiene things that could be deployed? But anyway, they are doing that in our State, and it is a good partnership with industry.

Mr. Schrader. That is interesting, because a partnership that the National Cyber Security Alliance has with DHS, in October we sponsor Cyber Security Awareness Month, where it is a constant drum on different aspects of how we will go and get the word out on different things, and we will do follow-ups in different areas, Data Privacy Day, and then some other. We are doing, right now, something called Spring Clean Your Machine. Just as, you know, my grandma used to push around the sofas and pull down the curtains and open up all the windows and spring-clean the whole place. Do that with your machine. Delete the apps that you do not use. Upgrade your pass phrases. Figure out who is looking at your location data. The little simple things and reminders that are helpful along the way.

Senator Cantwell. Great. Thank you, Mr. Chairman.

Chairman Risch. Okay. Thank you very much. Ben, have you got anything more for the good of the order?

Senator Cardin. Just to thank our witnesses and to point out the challenges we have. You could do everything right and you still can get attacked. Supply chain issues, so many different things going on. So we have to have a greater understanding and knowledge in the small business community so they can take reasonable steps, and we need to figure out best strategy.

Chairman Risch. Thank you very much. Thank you all for spending your time with us. I think this has been one of the more productive hearings I have been in, in quite a while. It has given us a lot to think about. Some of the suggestions that have been made here, we will do our best to try to implement. What I am going to do is I am going to keep the record open until 5:00 on Friday. If any of you have anything more for the record, please feel free to submit. Any members who want to submit questions for the record, we will do it that way. So with that, thank you again. This hearing is adjourned.

[Whereupon, at 4:51 p.m., the Committee was adjourned.]
APPENDIX MATERIAL SUBMITTED