[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
CYBER CRIMINALS AND FRAUDSTERS:
HOW BAD ACTORS ARE EXPLOITING
THE FINANCIAL SYSTEM DURING
THE COVID-19 PANDEMIC
=======================================================================
VIRTUAL HEARING
BEFORE THE
SUBCOMMITTEE ON NATIONAL SECURITY,
INTERNATIONAL DEVELOPMENT AND
MONETARY POLICY
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
JUNE 16, 2020
__________
Printed for the use of the Committee on Financial Services
Serial No. 116-96
______
U.S. GOVERNMENT PUBLISHING OFFICE
42-896 PDF WASHINGTON : 2021
HOUSE COMMITTEE ON FINANCIAL SERVICES
MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
WM. LACY CLAY, Missouri
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
ED PERLMUTTER, Colorado
JIM A. HIMES, Connecticut
BILL FOSTER, Illinois
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
RASHIDA TLAIB, Michigan
KATIE PORTER, California
CINDY AXNE, Iowa
SEAN CASTEN, Illinois
AYANNA PRESSLEY, Massachusetts
BEN McADAMS, Utah
ALEXANDRIA OCASIO-CORTEZ, New York
JENNIFER WEXTON, Virginia
STEPHEN F. LYNCH, Massachusetts
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

PATRICK McHENRY, North Carolina, Ranking Member
ANN WAGNER, Missouri
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
STEVE STIVERS, Ohio
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
TREY HOLLINGSWORTH, Indiana
ANTHONY GONZALEZ, Ohio
JOHN ROSE, Tennessee
BRYAN STEIL, Wisconsin
LANCE GOODEN, Texas
DENVER RIGGLEMAN, Virginia
WILLIAM TIMMONS, South Carolina
VAN TAYLOR, Texas
Charla Ouertatani, Staff Director
Subcommittee on National Security, International
Development and Monetary Policy
EMANUEL CLEAVER, Missouri, Chairman

ED PERLMUTTER, Colorado
JIM A. HIMES, Connecticut
DENNY HECK, Washington
BRAD SHERMAN, California
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
MICHAEL SAN NICOLAS, Guam
BEN McADAMS, Utah
JENNIFER WEXTON, Virginia
STEPHEN F. LYNCH, Massachusetts
TULSI GABBARD, Hawaii
JESUS ``CHUY'' GARCIA, Illinois

FRENCH HILL, Arkansas, Ranking Member
FRANK D. LUCAS, Oklahoma
ROGER WILLIAMS, Texas
TOM EMMER, Minnesota
ANTHONY GONZALEZ, Ohio
JOHN ROSE, Tennessee
DENVER RIGGLEMAN, Virginia, Vice Ranking Member
WILLIAM TIMMONS, South Carolina
VAN TAYLOR, Texas
C O N T E N T S
----------
Page
Hearing held on:
June 16, 2020................................................ 1
Appendix:
June 16, 2020................................................ 35
WITNESSES
Tuesday, June 16, 2020
Coleman, Kelvin, Executive Director, National Cyber Security
Alliance....................................................... 9
Jaffer, Jamil N., Founder and Executive Director, National
Security Institute, and Assistant Professor of Law and
Director, National Security Law & Policy Program, Antonin
Scalia Law School, George Mason University..................... 10
Kellermann, Tom, Head, Cybersecurity Strategy, VMware, Inc....... 5
Senn, Amanda, Chief Deputy Director, Alabama Securities
Commission, and Chair, Cybersecurity Committee, North American
Securities Administrators Association (NASAA), on behalf of
NASAA.......................................................... 7
APPENDIX
Prepared statements:
Coleman, Kelvin.............................................. 36
Jaffer, Jamil N.............................................. 41
Kellermann, Tom.............................................. 53
Senn, Amanda................................................. 57
Additional Material Submitted for the Record
Cleaver, Hon. Emanuel:
Written statement of Americans for Financial Reform.......... 68
Written statement of NAFCU................................... 69
Written statement of Third Way............................... 71
Gottheimer, Hon. Josh:
Letters of support from various organizations for the Senior
Investor Pandemic and Fraud Protection Act................. 116
Hill, Hon. French:
Written statement of the American Securities Association..... 134
Written statement of the Consumer First Coalition............ 140
Jaffer, Jamil:
Written responses to questions for the record from
Representative Hill........................................ 142
Kellermann, Tom:
Written responses to questions for the record from
Representatives Perlmutter and Hill........................ 145
CYBER CRIMINALS AND FRAUDSTERS:
HOW BAD ACTORS ARE EXPLOITING
THE FINANCIAL SYSTEM DURING
THE COVID-19 PANDEMIC
----------
Tuesday, June 16, 2020
U.S. House of Representatives,
Subcommittee on National Security,
International Development
and Monetary Policy,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 12:01 p.m.,
via Webex, Hon. Emanuel Cleaver [chairman of the subcommittee]
presiding.
Members present: Representatives Cleaver, Perlmutter,
Himes, Heck, Sherman, Vargas, Gottheimer, Wexton, Lynch, Garcia
of Illinois; Hill, Lucas, Williams, Emmer, Gonzalez of Ohio,
Rose, Timmons, and Taylor.
Ex officio present: Representative Waters.
Chairman Cleaver. The Subcommittee on National Security,
International Development and Monetary Policy will come to
order.
Without objection, the Chair is authorized to declare a
recess of the subcommittee at any time.
Also, without objection, members of the full Financial
Services Committee who are not members of this subcommittee are
authorized to participate in today's hearing.
Members are reminded to keep their video function on at all
times, even when they are not being recognized by the Chair.
Members are also reminded that they are responsible for muting
and unmuting themselves, and to mute themselves after they have
finished speaking.
Consistent with the regulations accompanying H. Res. 965,
staff will only mute Members and witnesses as appropriate when
not recognized to avoid inadvertent background noise. Members
are reminded that all House rules relating to order and decorum
apply to this remote hearing.
Today's hearing is entitled, ``Cyber Criminals and
Fraudsters: How Bad Actors Are Exploiting the Financial System
During the COVID-19 Pandemic.''
I now recognize myself for 4 minutes for an opening
statement.
Let me, first of all, thank Lisa and the rest of the
committee staff who have worked so hard to make this and all of
our committee hearings possible.
As the pandemic continues to move through our communities
and our country, and to devastate the physical health of our
citizens, it has managed to also infect the economic health of
our nation.
Congress, through a bipartisan effort, passed the CARES
Act, which unlocked unprecedented relief to families and small
businesses, relief that, according to the Federal Reserve, may
not be enough to prevent a long and protracted economic
downturn. Nevertheless, significant investments were made to
rescue millions of working citizens.
In this time of suffering and hardship for so many, we are
seeing criminal actors here at home and around the world
redoubling their efforts to target families, financial
institutions, and even arteries of government.
Poverty and exploitation are indivisible evils. They have
been long-time sidekicks. Just last month, the FBI unsealed a
criminal indictment of what looks to be the first case of
COVID-19-related money laundering and fraud brought by the
Department of Justice. The criminal charge relates to a
healthcare provider claiming to offer free COVID tests, but
billions of Medicare dollars are being wasted.
According to the Federal Trade Commission, there are nearly
1,000 reports of COVID-19-related fraud totaling over $0.5
million in my home State of Missouri. This is a fraction of the
nearly 100,000 fraud reports nationwide totaling $60 million
reported by the Commission. I would like to highlight that
these reports do not even fully capture the full landscape of
COVID-19-related fraud.
The FBI's Criminal Investigative Division notes that there
has been potentially $126 million in Paycheck Protection
Program (PPP) fraud. We are seeing a 75-percent spike in daily
cybercrimes reported by the FBI since the start of the
pandemic. The Financial Crimes Enforcement Network (FinCEN) is
doing what it can by putting out advisories warning consumers
and financial institutions of the proliferation of criminal
schemes.
Last month, FinCEN released warnings of COVID-related
medical schemes in what would be the first of several
advisories that FinCEN intends to issue concerning financial
crimes relating to the COVID-19 pandemic. However, it is
abundantly clear that our financial security systems are being
taxed right now.
The FBI, in their testimony before the Senate Judiciary
Committee last week, noted that the sheer volume of complaints
that the Internet Crime Complaint Center is receiving is
presenting a challenge for the FBI's criminal program. In
response, the FBI started a PPP Fraud Working Group with the
Department of Justice and the Small Business Administration's
Inspector General to triage the overwhelming caseload.
The thieves and fraudsters that are targeting consumers are
not just at home, but they are indeed everywhere. International
law enforcement coordinating agencies, Interpol and Europol,
have highlighted their efforts to target cross-border
criminals.
There is some positive news. We have done something to help
address this as a committee and as a Chamber. Last year, we
unanimously passed through the House the COUNTER Act. The bill
closed a number of loopholes that have allowed financial crimes
to be committed, and pulls us into the 21st Century by
positioning the U.S. to face tomorrow's challenges.
I look forward to hearing from all of you on these
important issues.
The Chair now recognizes the ranking member of the
subcommittee, the gentleman from Arkansas, Mr. Hill, for 4
minutes for an opening statement.
Mr. Hill. I thank the chairman. I appreciate you convening
this virtual hearing. And I appreciate the witnesses being with
us today to share their expertise.
Mr. Chairman, I have a letter from the American Securities
Association that I would like to enter into the record. Thank
you very much.
Chairman Cleaver. Without objection, it is so ordered.
Mr. Hill. Thank you. I appreciate our ability to innovate.
My thanks, too, to the staff for providing this foundation for
our virtual hearings.
We had a roundtable a few days ago on this topic, and I
thank the chairman for holding this formal hearing and
returning to this topic. It is an important dialogue as it
relates to our constituents: national security. And featuring
it in a hearing means that our discussion will be cataloged in
our official records.
As we continue our essential work, I do hope that in the
coming months, we are able to hold bipartisan hearings on the
following topics that I think are important before our
committee.
First of all, the Committee on Foreign Investment in the
United States (CFIUS). We are required annually to conduct
oversight on CFIUS, and we made significant reforms in the last
Congress, and I hope we can have a hearing on that.
Also, monetary policy. We will be having Federal Reserve
Chair Jay Powell before the Full Committee this week, but I
think it is important for us to look at monetary policy in the
face of the unprecedented actions taken by the Fed to expand
its balance sheet.
And finally, the international financial institutions and
how they are responding to COVID-19 across the world,
particularly in our emerging markets.
I thank the chairman for the opportunity to work on these
issues for future hearings.
Cybersecurity and the need for strong cyber protocols have
long been a topic of discussion in this committee, and the
virus has only underscored the need and showcased the
vulnerabilities that we have in certain aspects of our
financial ecosystem.
According to the FBI Internet Crime Complaint Center (IC3),
the number of cybersecurity complaints to the IC3 in the last 4
months has spiked from typically 1,000 daily before the
pandemic to as many as 4,000 incidents a day.
Furthermore, a survey conducted last month by VMware Carbon
Black, one of our witnesses today, found that 80 percent of
surveyed banks reported year-on-year increases in cyber attacks
within the financial services sector. This year, those attacks
have surged 238 percent from February to April.
As many businesses and financial institutions are adapting
to the new teleworking policies and the challenges that come
from working remotely, it is imperative that they have the
right infrastructure in place to handle new security protocols
and sensitivities.
Just last week, the FBI announced that bad actors are
seeking to exploit customers through mobile banking, and
recommended that consumers take proper precautions.
These attacks can take various shapes and infiltrate in a
variety of ways, even here in Arkansas. I noted in the
roundtable a few weeks ago that we had a PPP program that was a
fraud attempt. Fortunately, that person has been arrested and
charged with bank fraud.
I look forward to hearing from our witnesses today on how
we can best combat these accounts.
Before I close, I would like to quickly touch on China and
the threat to cybersecurity. The U.S. has been the target of
cyber attacks from nation-states and nonstate actors for over
20 years. But in the months of outbreak in the virus in the
United States, cyber espionage from China, Russia, and Iran has
spiked. Cyber threat actors are taking advantage of this crisis
to attempt to undermine the U.S. Government and probe our
systems in the private sector and public sector for weakness,
and to stoke fear and division and confusion here at home.
According to the FBI, China has been observed attempting to
identify and illicitly obtain valuable intellectual property
(IP), and public health data related to vaccine treatments and
testing from our networks throughout our country. We cannot
allow the actions of a few bad actors and foreign threats to
inhibit our financial institutions.
I thank the Chair. I yield back, and I look forward to the
discussion today.
Chairman Cleaver. Today, we welcome the testimony of,
first, Mr. Tom Kellermann. Mr. Kellermann currently serves as
the chief cybersecurity officer for VMware Carbon Black. Prior
to this, he was the CEO and founder of Strategic Cyber
Ventures, and served as the Commissioner on President Barack
Obama's Commission on Cybersecurity.
In 2003, he coauthored the book, ``Electronic Safety and
Soundness: Securing Finance in a New Age.'' And in 2017, he was
appointed as the Wilson Center's Global Fellow for Cyber
Policy. Thank you for appearing before this subcommittee.
Second, we have Mr. Kelvin Coleman. Mr. Coleman currently
serves as executive director of the National Cyber Security
Alliance, an organization focused on cybersecurity awareness
for home users, businesses, and educational institutions. Mr.
Coleman comes to this position with 20 years of experience. He
served in the White House, having worked on President Bush's
and President Obama's National Security Telecommunications
Advisory Committee and National Security Staff, the U.S.
Department of Homeland Security, as well as the private sector.
Thank you for appearing before this subcommittee.
Third, we have Ms. Amanda Senn. Ms. Senn is testifying on
behalf of the North American Securities Administrators
Association (NASAA), where she chairs their Cybersecurity
Committee. NASAA represents State and provincial security
regulators in the United States, Canada, and Mexico. NASAA
members are the closest regulators to local communities, small
businesses, and the investing public throughout North America.
Ms. Senn is also the chief deputy director of the Alabama
Securities Commission, the State securities regulator. Thank
you for appearing before this subcommittee.
And fourth, Mr. Jamil Jaffer currently serves as the
founder and executive director of the National Security
Institute. He is also assistant professor of law and the
director of the National Security Law and Policy Program at the
Antonin Scalia Law School at George Mason University.
Additionally, he is vice president of IronNet Cybersecurity, a
startup technology firm. Prior to these positions, he served as
Senior Counsel on the House Permanent Select Committee on
Intelligence under Chairman Mike Rogers, as well as Assistant
Counsel to the President in the Bush Administration. Thank you
for appearing before the subcommittee.
Witnesses are reminded that your oral testimony will be
limited to 5 minutes. A chime will go off at the end of your
time, and I ask that you respect the members' and the other
witnesses' time by wrapping up your oral testimony.
And without objection, your written statements will be made
a part of the record.
Mr. Kellermann, you are now recognized for 5 minutes to
give an oral presentation of your testimony.
STATEMENT OF TOM KELLERMANN, HEAD, CYBERSECURITY STRATEGY,
VMWARE, INC.
Mr. Kellermann. Thank you.
Chairman Cleaver, Ranking Member Hill, members of the
subcommittee, I am Tom Kellermann, head of cybersecurity
strategy for VMware, Inc. Thank you for the opportunity to
testify again before the subcommittee today.
America is grappling with a cyber insurgency, and our
financial sector is the number one target. A recent report
issued by the World Economic Forum states that the dark web
economy of scale will be the third-largest economy in the world
by 2021.
During the first 5 months of 2020 alone, cyber attacks
against the financial sector have increased by 238 percent.
This is compounded by the 900-percent increase in ransomware
attacks. Cyber criminals are capitalizing on COVID-19, and they
are doing so in tandem with the news cycle.
Over the past 6 months, cyber defenders have seen a high
level of coordination from cyber criminals who are
demonstrating significant innovation to maintain persistent and
even counter-incident response efforts. This includes
ransomware campaigns, business email compromise scams, and
access mining.
Criminals are increasingly sharing resources and
information and reinvesting their illicit profits into the
development of new and even more destructive capabilities. The
cybercrime community has educated themselves as to the
interdependencies that exist in the financial sector, and they
have begun to commandeer these very interdependencies to
manifest criminal conspiracies.
Thirty-three percent of surveyed financial institutions
said that they have encountered ``island hopping.'' This is an
attack where the supply chains and partners are commandeered to
target the primary financial institution. Once that bank is
compromised, the criminals use the digital infrastructure to
attack that bank's customers. It is also notable that a few
rogue nation-states are offsetting economic sanctions via
attacks on our payment systems.
The international financial system is constantly facing new
threats as technology proliferates and diversifies. There is an
increasing number of security breaches and thefts on digital
currency exchange platforms, as well as the misuse of these
platforms by cybercriminals to launder stolen money. Dark web
forums enabled by anonymous virtual currencies have created a
bazaar for criminals and organized crime to reach a global
market.
In addition to organized crime, extremist organizations are
also known to use alternative payment systems for operational
purposes and to raise funds. Many of these payment systems and
cryptocurrencies offer true or relative anonymity. This raises
the necessity of increased regulation of digital money.
In 2020, cybercrime conspiracies will become increasingly
punitive and destructive. In fact, one out of four cyber
attacks today are destructive.
Fintech firms themselves present significant operational
risks, lacking the proper incentive for proper intrusion
detection as well as ``know thy customer'' anti-money-laundering
protocols under the Bank Secrecy Act.
Given that 50 percent of all crimes now have a cyber
component, it is high time that we follow the money to create
an international e-forfeiture fund.
The modern epidemic of cybercrime and cyber espionage can
be mitigated through modernization of existing authorities to
combat cyber money laundering. Virtual currencies and other
alternative payment systems that facilitate money laundering
associated with existing cybercrimes, as well as terrorist
financing, must be held to account.
In closing, the safety and soundness of the financial
sector is dependent on proactive policy. I would like to
highlight six opportunities for legislative actions for the
subcommittee's consideration.
First, any money laundering and forfeiture regulations must
be modernized to seize the virtual currencies and digital
payments which are used in cybercrime conspiracies.
Second, I ask the House to pressure the Senate to pass the
COUNTER Act, H.R. 2514, that passed out of the House under
Chairman Cleaver's leadership.
Third, charge the Financial Stability Oversight Council
(FSOC) with the responsibility to create a framework for
regulating cryptocurrencies and developing guidelines for
strong protections against money laundering and cyber threats
to those marketplaces.
Fourth, elevate chief information security officers to
directly report to the CEOs of financial institutions.
Fifth, establish a tax credit for financial sector
companies to dedicate at least 10 percent of their IT budgets
towards cybersecurity.
And lastly, support the House passage of S.3636, the United
States Secret Service Mission Improvement and Realignment Act
of 2020, which moves the Secret Service back to its original
home at the Department of the Treasury.
Chairman Cleaver, Ranking Member Hill, thank you for the
opportunity to participate in this morning's important hearing.
I am happy to answer any questions the subcommittee may have.
[The prepared statement of Mr. Kellermann can be found on
page 53 of the appendix.]
Chairman Cleaver. Thank you, Mr. Kellermann.
Ms. Senn, you are now recognized for 5 minutes to give an
oral presentation of your testimony.
STATEMENT OF AMANDA SENN, CHIEF DEPUTY DIRECTOR, ALABAMA
SECURITIES COMMISSION, AND CHAIR, CYBERSECURITY COMMITTEE,
NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION (NASAA),
ON BEHALF OF NASAA
Ms. Senn. Good morning, Chairman Cleaver, Ranking Member
Hill, and members of the subcommittee. My name is Amanda Senn,
and I am chief deputy director of the Alabama Securities
Commission, and Chair of the Cybersecurity Committee for the
North American Securities Administrators Association, or NASAA.
I am pleased to testify today before the subcommittee on behalf
of NASAA.
States are leaders in prosecuting securities violations,
and our focus is on protecting retail investors. History has
shown that opportunistic fraudsters will use COVID-19, much as
they have in other crises, to fleece mom-and-pop investors.
Acting within the framework of NASAA, State securities
regulators have formed a task force to root out and shut down
fraud related to COVID-19. This initiative is being led by
NASAA's Enforcement Committee and includes more than 100
investigators from the vast majority of our member
jurisdictions.
The objective of this task force is to disrupt, discourage,
and deter fraudulent or illegal activities which pose threats
to investors before significant losses can occur. This task
force is proactively protecting investors against fraud through
the broad dissemination of enforcement orders, notices, and
warnings.
As the subcommittee is aware, the proliferation of
technology has changed how we solicit, manage, and communicate
with those handling our investments. For that reason, this task
force is using online investigative techniques to identify
websites and social media posts that may be offering or
promoting investment fraud or unregistered regulated
activities.
Unfortunately, though, fraudsters are evolving with
technology. For example, earlier this month, my office received
three separate reports pursuant to Alabama's financial
exploitation reporting law, which indicated individuals had
become victims of an online fraud scheme.
These victims had visited the web page of a very reputable
broker, and they discovered they were unable to log in. Upon
their attempts, they received a screen with a help button. The
individuals were instructed to call a 1-800 number, and the
person who answered the phone told the victims that the
broker's website was down because 5G towers were being placed
in California.
That person then instructed the callers to log into their
accounts with information that was provided by the suspect. The
victims logged in as instructed, and shortly thereafter, wire
transfers were initiated from their account to overseas banking
accounts.
During an interview with the firm last Friday, our case
agent learned that $1.2 million had already been stolen from
the accounts of investors. It is believed that malware was
responsible for redirecting the victims from the legitimate web
page to the fraudulent knockoff site.
To date, at least 84 victims nationwide have been impacted,
and the numbers continue to rise. At one time, this crime would
have likely been perpetrated by a person that local authorities
could readily identify through the use of subpoenas and search
warrants. In the digital age, however, regulators are
confronted with numerous evidentiary challenges which, given
limited resources, make it difficult to investigate and
prosecute these cases.
States are, however, committed to our investor protection
mission regardless of the means used to rip off our investors.
The committee has invited NASAA to share its views
regarding legislative proposals that have been posted in
connection with today's hearing. I want to just mention two.
The first is the Senior Investor Pandemic and Fraud
Protection Act. This would implement the Senior Investor
Protection Grant Program that was originally authorized by
Section 989(A) of the Dodd-Frank Act, but was never put into
effect.
This bill would also expand the scope of the grant to
include frauds related to COVID-19. And under the bill, State
regulators could apply for up to $500,000 annually in grant
funding to combat financial fraud of seniors and vulnerable
adults in cases related to the pandemic. This would extend for
a maximum of 2 years.
The grant funds could be used to hire staff to investigate
fraudulent conduct, to acquire technology and equipment, and to
train investigators and prosecutors to target COVID-19 fraud,
and also to provide important educational materials to seniors
and vulnerable adults.
NASAA strongly supports this bill, and so do at least 11
other organizations, and we urge Congress to act on it.
The second is the COVID-19 Restitution Assistance Fund for
Victims of Securities Violations Act, which would create a fund
at the SEC to provide restitution payments for individuals in
connection with securities fraud related to coronavirus if they
do not otherwise receive full restitution. As you can imagine,
in financial fraud cases, once the money is gone, often, it is
never recovered.
Some States have enacted similar legislation with great
success, and we strongly support this bill.
Thank you again for the opportunity to testify, and I will
be pleased to answer any questions you may have.
[The prepared statement of Ms. Senn may be found on page 57
of the appendix.]
Chairman Cleaver. Thank you for your testimony, Ms. Senn.
Mr. Coleman, you are now recognized for 5 minutes to give
an oral presentation of your testimony.
STATEMENT OF KELVIN COLEMAN, EXECUTIVE DIRECTOR, NATIONAL CYBER
SECURITY ALLIANCE
Mr. Coleman. Chairman Cleaver, Ranking Member Hill, and
members of the subcommittee, thank you for inviting me to
today's hearing. It is a pleasure to join Tom, Amanda, and
Jamil.
My name is Kelvin Coleman, and I am the executive director
of the National Cyber Security Alliance (NCSA). NCSA's core
mission is to build strong public-private partnerships to
create and implement broad-reaching cybersecurity, education,
and awareness initiatives.
The United States confronts a dangerous combination of both
known and unknown cyber vulnerabilities. We face adversaries
who are strong and rapidly expanding with ever-increasing cyber
capabilities to breach our networks.
During today's hearing, we will examine cyber threats and
the bad actors who are exploiting the COVID-19 crisis. We will
have robust discussions of tools, techniques, and procedures
used by these bad actors. And we will certainly deliberate on
the products and processes we put into place to mitigate those
challenges.
And while products and processes are important, I believe
we need to focus even more on encouraging and supporting
partnerships. I am going to talk a lot about partnerships
today, and that is exactly what the National Cyber Security
Alliance focuses on.
In the words of Michael Madden of Mimecast, NCSA is the
lead in building community defense through partnerships for our
nation.
This is especially true during the COVID-19 era. Tonia
Dudley and her team at Cofense are seeing threat actors that
continue to exploit the Paycheck Protection Program and SMB
funding initiatives in several sophisticated phishing
campaigns.
Because of this type of threat and many others, NCSA, our
board companies, Federal partners, and nonprofit collaborators
have worked swiftly to provide organizations and individuals
with relevant and helpful information to help address security
and privacy concerns during the global COVID-19 outbreak. We
have built what we call the COVID Security Resource Library,
and folks have found it extraordinarily helpful.
And with the help of companies like Trend Micro and
Generali Global Assistance, we also created a COVID-19 webinar
series for small and medium-sized businesses.
Of course, bad actors were committing malicious acts before
COVID-19, and they will certainly do so after this crisis
subsides.
To deal with threats in our continuously connected society,
NCSA leads a number of other initiatives, including
Cybersecurity Awareness Month, Data Privacy Day, and the
CyberSecurity My Business program.
And while these programs and resources provide tremendous
value in the fight to protect Americans, I will say it again:
partnerships are our biggest assets. And the private sector is
incredibly important in this fight.
The Federal Government plays an equally important role in
cybersecurity and educational awareness. Chief among NCSA's
Federal partners is the Cybersecurity and Infrastructure
Security Agency (CISA). They have been very helpful in the
fight to help Americans secure their networks. And I must say,
CISA is very engaged, very responsive, and very supportive
overall.
NCSA, in coordination with our partners, has put a lot of
effort into building a more secure, interconnected world. In
the words of Kristina Dorville at AIG, bad actors are
communicating, and bad actors are coordinating, so why
shouldn't the good guys?
With that said, there is still so much to be done. Congress
should consider making game-changing investments into
cybersecurity awareness and education, investments that could
benefit the American people as well as the small and medium-sized
business community.
As Americans begin to rely more heavily on telework, bad
actors will increase their malicious activities and target
those working from home. Americans must be equipped with the
knowledge to protect themselves, their families, and their
communities. Congress can and should play an important role in
making sure Americans understand the many dangers of
inadequately securing their systems, devices, and information.
Thank you, Mr. Chairman, and I look forward to answering
the subcommittee's questions.
[The prepared statement of Mr. Coleman can be found on page
36 of the appendix.]
Chairman Cleaver. Thank you, Mr. Coleman.
Mr. Jaffer, you are now recognized for 5 minutes to give an
oral presentation of your testimony.
STATEMENT OF JAMIL N. JAFFER, FOUNDER AND EXECUTIVE DIRECTOR,
NATIONAL SECURITY INSTITUTE, AND ASSISTANT PROFESSOR OF LAW AND
DIRECTOR, NATIONAL SECURITY LAW & POLICY PROGRAM, ANTONIN
SCALIA LAW SCHOOL, GEORGE MASON UNIVERSITY
Mr. Jaffer. Thank you, Mr. Chairman. Thank you, Chairman
Cleaver, Ranking Member Hill, and members of the subcommittee,
for being here today and for inviting me to talk about the very
real threats that face our nation and the U.S. financial sector
and those of our allied nations.
As you know, the threats to our financial sector have been
real and serious for decades. They have become particularly
problematic in the context of the current pandemic.
I want to note your leadership, Mr. Chairman, for calling
out the very real threat of Iranian attacks on the United
States, including on our financial infrastructure, for
protecting our oil and natural gas pipeline infrastructure, and
for fighting actively against overt and covert disinformation
efforts online, including those that seek to divide us as a
nation.
In addition, Ranking Member Hill, I want to thank you for
your leading efforts on identity theft, for your sanctions
against Russia for its meddling in the 2016 election, and for
your efforts to press NATO to extend its security umbrella to
cover cyberspace, and ensuring that we continue to enjoy and
innovate the military superiority in the cyber arena.
I think it is critical today that we identify the very real
threats that we face as a nation in the financial sector and
take action immediately to address them. In a 2019 letter to
shareholders, the CEO of JPMorgan Chase, Jamie Dimon, noted
that the threat of cybersecurity may very well be the biggest
threat to the U.S. financial system writ large.
For the fourth year in a row, in 2019, IBM assessed that
the financial insurance sector was the most targeted sector in
our economy, with 17 percent of all attacks at the top 10 most
attacked industries.
The DNI, in January 2019, noted the attacks from North
Korea, estimating almost $1.1 billion in worldwide theft of
resources from the financial sector, including $81 million from
the New York Federal Reserve account of Bangladesh's central
bank.
And yet, given that significant threat already facing the
financial sector, we have seen a dramatic increase in financial
sector threats since the COVID pandemic began. In fact, the FBI
and the U.K.'s National Cybersecurity Center noted that they
are seeing criminal activities on a scale likely to dwarf
anything seen before, taking place at a speed that is
breathtaking, with a sheer variety of fraud that is shocking.
These are very serious threats. Carbon Black, the company
that Tom represents, saw ransomware attacks increase 148
percent in March 2020 over the baseline from just the prior
month. And the financial sector was the single largest target
of those increases in ransomware attacks, with a 38 percent
increase in attacks.
We have seen attacks in Washington State, where the
unemployment system has lost hundreds of millions of dollars in
the post-COVID environment.
And it isn't just here in the United States. In Germany,
the state of North Rhine-Westphalia lost between $35 million to
$110 million in fraudulent payments based on 3,000 fake
requests in the post-COVID environment.
We have seen reports coming out of many government
agencies, including the FBI, as well as CISA and other
agencies, and we have noted that it isn't simply an attack
limited to the United States. We have seen North Korea go
around the world.
And what was at one point $1 billion, in the DNI's
testimony, back in January 2019, by the end of 2019 had become
$2 billion, nearly a doubling of their financial sector
targeting effects. And they are doing more currently, as we
speak.
And it is not just North Korea. We see China and Russia
active in this space. And we see other actors, as Tom
Kellermann mentioned, the actors that are nonstate actors,
including potential terrorist and extremist groups, taking
advantage of the weaknesses in our money laundering systems and
the like to exploit our systems to engage in both financial
fraud as well as movement of illicit funds.
This is a critical issue that we must confront. And as this
committee, I think there are five things that you ought to
consider.
First, Juan Zarate, and members of this committee, have
suggested that the Secret Service ought be moved back from DHS
to the Treasury Department. I think this is a positive move and
would help the Secret Service retain its role in cybersecurity.
Second, I think this committee ought to consider offering
the Treasury Department an operational role in cybersecurity,
giving them the resources and the capability to engage directly
with the financial sector and with the intelligence community
that they are already a part of to gather information, send it
back out to the community, and bring both the public and
private sectors together in this critical industry.
Third, it is important that the committee consider working
with the Treasury Department and other departments and agencies
to create what the Cyberspace Solarium Commission recommended:
a joint collaborative environment where industry and the
government could come together in real-time to share threats
and to actually collaborate on those threats, not just
information-sharing but actual real-time collaboration.
Finally, the committee ought to consider working with
Treasury and encouraging them to launch efforts with key
allies, as Juan has suggested, to recreate in the G-7 things
like the Financial Action Task Force in the anti-money-
laundering (AML) arena. AML is a critical issue in this
environment where tremendous amounts of money are being sent
around by governments and the like, and it is critical that we
take action now to address the AML concerns.
And finally, it is important that our government work
closely with NATO to expand out our efforts to protect our
allies in Europe and elsewhere around the globe.
Thank you very much, and I look forward to your questions.
[The prepared statement of Mr. Jaffer can be found on page
41 of the appendix.]
Chairman Cleaver. Thank you, Mr. Jaffer.
That is the conclusion of our witnesses' statements. I now
recognize myself for 5 minutes for questions.
I would like to spend just a little time talking about the
sheer volume of Americans who find themselves teleworking, and
the threat that poses to the financial system.
As I mentioned earlier in my opening statement, one-third
of the world's populations were in lockdown, and up to 90
percent of financial services employees, banking and insurance
companies, were working from home.
We started our conversation today, but earlier, we had a
roundtable where we talked about network security. And I
believe it was Mr. Kellermann who said that financial
institutions have had the best security in the world.
But teleworking and Russian dark web customized malware has
allowed adversaries to leverage ways around network defenses.
You noted something that I thought was interesting, and I think
we sought to address in the COUNTER Act, which is the need for
both firms and regulators to be innovative in the way they
confront these new fintech criminal techniques.
Mr. Kellermann, and Mr. Coleman, can you both talk a bit
about how financial institutions can improve the way in which
we can go after these financial criminals and stop these
breaches?
Mr. Kellermann. Thank you. I would be happy to address
that.
First and foremost, we need the defensive line set at the
top. The chief information security officers of the financial
institutions have been marginalized for too long, and their
perspective and their stratagems are not being enacted fully as
they compete for resources with chief information officers
(CIOs).
Second, I think more proactive cyber threat hunting must
occur not only within financial sector participants but across
the information supply chain and extend to shared service
providers. Cyber threat hunting is much like you need to make
sure no one is in the bank vault when you close the doors for
the day, not just conducting vulnerability assessments to see
if the locks are working or the alarms are working.
And then lastly, because of telework, the major security
provisions that have been put in place by banks are no longer
effective because the network security paradigm can be bypassed
by those VPN tunnels that allow access to those systems. So, I
think better forms of authentication and just-in-time
administration should be granted within those ecosystems as
well.
Chairman Cleaver. Thank you.
I have a question for Mr. Coleman, but let me just follow
up, Mr. Kellermann. You know that all of the members on this
committee live in communities. And I am wondering, what do you
suggest we do? We have many, many, many banks in our
communities. We have all kinds of financial institutions. How
do we get to them to implement some of the things that you are
presenting to us today? They are not going to participate in
our hearings, but they are struggling. What can we do
nationally to deal with this issue?
Mr. Kellermann. I think that we can incent them through tax
incentives for investment in cybersecurity as well as inspire
the regulators, whether they be State regulators or national
regulators of the Federal Financial Institutions Examination
Council (FFIEC), to incorporate this construct of cyber threat
hunting. Because with cyber threat hunting, it eliminates the
veil of plausible deniability that you may or may not have a
problem.
When you conduct a cyber threat hunt, and you identify a
bad actor inside your network, it is something that must be
acted on immediately. And so, it really provides game day film
on what the priority should be in the near term.
Chairman Cleaver. Thank you. Mr. Coleman, what can we do,
what can businesses and educational institutions do to protect
themselves and those they serve?
Mr. Coleman. Mr. Chairman, our friends at Proofpoint have
said to me that defenders don't focus on people but attackers
do, meaning 90 percent-plus of effective breaches come through
to an end user or to a person. So those breaches that happen,
90 percent of them are because of some human action or
behavior. But only about 20 percent, a little less than 20
percent of training dollars, awareness dollars actually go to
that end user.
I think we need to flip that. I think we need to encourage
businesses to put more investment into their training and
awareness. The way we do with, unfortunately, active shooter
training or inclement weather training, these other trainings
that we have, we absolutely need to do that with cybersecurity
as well.
Not so ironically, Americans are hit every single day with
these attacks and breaches. Yet, many of them, particularly in
the business community, are only getting training once, maybe
twice a year.
At the National Cyber Security Alliance, we are encouraging
people to perhaps get to the gold standard of once-a-month
training and awareness as it relates to cybersecurity because
the threats are evolving so quickly, and we need to be able to
educate those folks.
Chairman Cleaver. Thank you, Mr. Coleman. I appreciate
that.
My time is up, so I will now recognize the distinguished
ranking member of the subcommittee, Mr. Hill, for 5 minutes for
questions.
Mr. Hill. I want to thank the chairman for the hearing. I
appreciate our excellent witnesses.
Let me start with Mr. Kellermann. Thanks for coming to the
roundtable a few days ago. I wanted to follow up. We talked a
little bit about coordination with the regulators at that
roundtable. But you made a comment in your testimony today that
I thought was interesting about lack of security among
fintechs. You used the words, ``operational risk.''
Could you get more specific? Are you talking about their
AML/BSA compliance on their platforms? Are you talking about
their lack of use of APIs? Give me a little color context on
your concern about fintech applications.
Mr. Kellermann. Whereas, fintechs are the tip of the spear
vis-a-vis technological renaissance occurring in the financial
sector, we at VMWare Carbon Black have noted increased attacks
against the APIs of fintech vendors to bypass security controls
they have in place and to leverage what is called island
hopping, which is where they attempt to take over the digital
infrastructure that was built by that vendor and then use it to
attack those who implicitly trust it.
This ``island hopping'' phenomenon is my biggest concern in
this sector, is that you have these entities who are being
targeted by very professional cybercriminal crews, typically
Eastern European or Brazilian in nature, and they are using the
financial platforms that have been developed for greater
liquidity and access to financial services and the like to
target their constituencies. And so, greater attention must be
paid to the security and modernizing the security of fintech
participants.
Mr. Hill. Thank you.
Mr. Jaffer, thank you for your testimony, and I appreciate
your discussing in your detailed testimony about China and
China's threat, that in March of 2020 a Chinese hacking group
carried out one of the broadest campaigns by a Chinese cyber
espionage actor that we have observed in recent years.
Mr. Jaffer, are you concerned that China is a new and
expanded threat in the cyber arena? In the past, we have
frequently talked about North Korea, Iran, and Russia--Eastern
European players, as we just noted. How do you think China
compares to other countries when it comes to cyber attacks?
Mr. Jaffer. Thank you, Congressman Hill.
China is in the top rank of countries, if not number one of
three, along with us and Russia, in terms of cyber
capabilities.
Now, the thing about China is they have long been focused
on intellectual property theft. They have engaged in what my
boss, the former Director of NSA, General Keith Alexander,
called the greatest transfer of wealth in human history,
literally extracting information out of the United States that
they take back to China in order to repurpose for the purpose
of creating economic benefits to their nation. That has been a
huge issue.
China is increasingly now pivoting beyond that to
intelligence collection, which they have always also done, and
they are now increasingly getting involved in financial fraud
schemes and allowing these things to take place within their
infrastructure.
China doesn't operate only through their government agents,
although they have a tremendous number of military intelligence
resources devoted to focusing on the United States. They also
operate through allowing hackers in their country to take
action against the United States and against other allies of
ours.
The key issue that we see with China today, though, is what
they are doing in terms of covert and overt misinformation and
disinformation. They have taken a page right out of the
Russians' playbook from 2016, and they are doubling down on
that.
We have seen the Chinese Foreign Ministry already talk
about the Black Lives Matter movement. It is no accident that
the Chinese are talking about that publicly. They are already
putting a million of their own people in prisons in the
Xinjiang province, and yet they are concerned about Americans.
The reality is, they are not concerned about Americans.
What they are concerned about is taking over a global
leadership role from the United States, and they will use every
means at their disposal to do it, including cyber activities,
and that is what makes them particularly dangerous in this
arena.
Mr. Hill. Thank you.
Do you see coordination between North Korea and their
efforts in cyber attacks? Of course, they are some of the most
famous with WannaCry of a few years ago and the Cosmos Bank
scheme of just a few months, maybe a year or so ago. Do you see
North Korea and China at all coordinating their efforts, or do
you see North Korea purely on its own?
Mr. Jaffer. I think North Korea generally acts on its own.
Now, that being said, the North Koreans know how much they
can get away with without pushing the Chinese over the line. If
the North Koreans go too far, whether it is with nuclear
weapons testing or cyber activities or the like, the Chinese
will get concerned and potentially take action.
North Korea has gotten smart. They have learned to play the
Russians and the Chinese offense against one another too. So
they are not simply relying on China as their only client
superpower. They are also playing with the Russians.
They have, as you have noticed, though, been fairly quiet
when it comes to their testing of nuclear weapons and missiles
recently and they have really been focused on the financial
gain they can achieve in the current environment. So that is
the big concern today for North Korea, although you can't put
away the North Korean nuclear problem, which is ever present.
Mr. Hill. Thank you so much.
I yield back, Mr. Chairman.
Chairman Cleaver. Thank you.
I now recognize Mr. Perlmutter from Colorado for 5 minutes.
Mr. Perlmutter. Thank you, Mr. Chairman.
This question is for Mr. Kellermann. A couple of years ago,
I had a bill called the Data Breach Insurance Act. And you
mentioned tax incentives to try to get companies and
individuals to beef up their cybersecurity. Can you discuss
that a little bit more, how you see incentives might work to
drive folks to the NIST protocol?
Mr. Kellermann. Yes. Thank you for asking me that.
I am a huge fan of using that carrot to motivate businesses
to view cybersecurity as a functionality of conducting business
in today's world versus an expense. Whether it is a percentage
of their IT budget that is spent on cybersecurity or whether it
is compliance with a standard like NIST or even compliance with
a standard which isn't quite a standard but a best practice
like the CIS Critical Controls, we would be better off than
where we are right now.
Frankly, there is insufficient investment and leadership in
the private sector as it relates to cybersecurity, which is why
we are dealing with this cybercrime wave.
Mr. Perlmutter. Has that been exaggerated, exacerbated,
because we are now sort of in this remote telecommuting world?
Would we be better off if we were--if smaller companies and
small financial institutions were to beef up their
cybersecurity?
Mr. Kellermann. Yes, it has been exacerbated because of
telework. The security of teleworkers is far less than that of
someone who is working in a corporate environment because they
don't have all the perimeter defenses, much like a corporate
facility has greater security than your home typically.
I do think it is an imperative for those organizations to
invest more seriously in cybersecurity, but I also realize they
are small businesses and they have been dramatically impacted
by the economic recession that they are facing.
But going forward, I think most people need to appreciate
that encryption is not the sole answer, that encryption is not
bulletproof, it is not something that hackers can't get around.
When a hacker hacks your computer metaphorically, they steal
the key to unlock the encryption. So what does the encryption
really mean? But I will leave that there.
Mr. Perlmutter. Okay. I think I may have to dust off the
Data Breach Insurance Act and resubmit it over the next month
or two to try to use at least some incentive bases so that they
can beef it up, knowing full well that a bank robber, no matter
how thick the vault is, will always try to find a way to get
through that front door, back door, whatever.
Let me change the subject quickly to all of the panelists.
Mr. Jaffer was speaking about disinformation. And I am curious
if you all have seen efforts, whether it is Black Lives Matter
or vaccines or whatever it might be, given the fact we are in
this COVID-19 time in history, whether you have seen
disinformation campaigns rise.
And I will start--Mr. Kellermann, you are on my screen, so
let's start with you, and then go to Mr. Jaffer.
Mr. Kellermann. I think that our traditional Cold War
adversaries are taking advantage of the situation. The American
hegemony, the American empire you might want to call it, is the
weakest we have ever been through a combination of factors.
I explicitly don't see true evidence. I am not actually
looking for it, because I assume it is happening, frankly, but
I do see escalated cyber attack capabilities and activity
occurring not just against the financial sector, but against
the healthcare sector and a myriad of other sectors in this
regard.
Mr. Perlmutter. Mr. Jaffer, any comments?
Mr. Jaffer. Yes. Thank you, Congressman Perlmutter.
Yes, we know unquestionably that China has engaged in these
type of activities in Taiwan and interfered with their
election. We know that Russia did it in 2016 to our election.
We haven't seen specific bulletproof evidence, as Mr.
Kellermann pointed out, that they are engaged in those covert
activities today when it comes to trying to throw gas on the
fires that are already burning in this country. But we know for
a fact that they are out there saying it publicly. We see overt
activities by the Chinese and the Russians trying to meddle
with our political environment.
It is almost unquestionable that when they engage in those
type of overt activities, they are doing the same thing
covertly.
So, I think that over the next few weeks and months, and
probably over the next year, we will see the intelligence
community and the Bureau and the rest of our national security
organizations coming out with evidence to demonstrate that, in
fact, the Chinese, the Russians, and potentially the Iranians
are seeking to actively gaslight what is taking place in this
country, very real and honest debates are happening, and
attempting to manipulate those, let's call it additional chaos
and disorder in this country, in the context of the already
ongoing pandemic.
Mr. Perlmutter. Thank you for that sobering testimony in an
already difficult time.
I thank the panelists. Thanks for being part of the
roundtable, and today's hearing. And I yield back to the Chair.
Chairman Cleaver. Thank you, Mr. Perlmutter.
The Chair now recognizes the gentleman from the great State
of Texas, Mr. Williams.
Mr. Williams. Thank you, Mr. Chairman, for calling this
hearing.
And thanks to all of you for joining us in this virtual
setting for this important hearing.
As cyber criminals get more advanced, we need to make sure
our government's efforts to combat these threats are being used
as effectively as possible.
Last week, I introduced a bill with my buddy on the other
side of the aisle, Denny Heck, to transfer the Secret Service
from the Department of Homeland Security back to the Treasury
Department, as we have talked about today, where it had
previously been located almost 140 years before the September
11th terrorist attacks. This strategic realignment would help
put increased focus on the financial crimes and cybercrimes of
the Secret Service.
Juan Zarate, the first Assistant Secretary of the Treasury
for Terrorist Financing and Financial Crimes after 9/11, and
Tim Maurer, author of the book, ``Cyber Mercenaries: The State,
Hackers, and Power,'' wrote in a recent op-ed that the move
would strengthen the government's ability to protect the
financial system and build on the Trump Administration's
interagency focus on cyber threats.
This transfer is also supported by the Treasury Department,
by the Department of Homeland Security (DHS), and by the
Federal Law Enforcement Officers Association, which advocates
for the Federal law enforcement community.
So, Mr. Jaffer, could you give us your thoughts on how this
move would be beneficial to our government's ability to defend
against financial crimes?
Mr. Jaffer. Absolutely. Congressman Williams, as you well
know, the Secret Service was originally set up by Abraham
Lincoln in the aftermath of the Civil War in order to protect
the U.S. currency. Its first and primary mission was financial
crimes.
So, the idea that the Secret Service ought to be focused on
that as a primary mission and be in the place where that is the
primary role of the agency makes a lot of sense.
I support moving the Secret Service from DHS back to
Treasury, in part because it will then prioritize its
relationships, existing relationships that Treasury already has
in the cyber arena with industry today. And those are very
trusted, strong relationships. The Secret Service can build on
these.
But I think the Secret Service needs more than that. It is
not just a matter, Congressman, of moving them from one agency
to another. That is critically important. I think it will
elevate their role. But I think it is also about providing them
the resources they need to do that job, and do that job better,
and to provide them additional authorities, investigative
authorities, to really go after this crime.
The Secret Service is largely bound by the authorities they
have had historically for a long time, and those are very
useful authorities, but there is no question they will need
additional resources in this effort.
And being hidden in the larger entity that is DHS makes it
harder for them to get priority, harder for them to get
resources, and ends up making them focus on their protective
mission, which at the end of the day isn't their highest and
best value today when it comes to threats facing our financial
sector.
So, I support that effort. Juan is a good friend and
mentor, and I am glad, Congressman, that you and Mr. Heck
introduced that legislation.
Mr. Williams. Thank you. We will put you on the winning
team then, okay?
Mr. Jaffer. Yes, sir.
Mr. Williams. From hostile countries like China and Russia
to other criminals in the private sector, there will always be
people looking to exploit our country's cyber vulnerabilities.
In 2018, the Trump Administration put out the updated--the
National Cyber Strategy for the first time in 15 years. I
applaud this action by the Administration, but I am sure that
the threats facing the country are drastically different now
than just 2 years ago.
So, again, Mr. Jaffer, would you support mandating this
report be updated annually? And can you discuss how the threats
facing government entities and the private sector have evolved
over the past 2 years?
Mr. Jaffer. Absolutely. Congressman, as you know, the
idea that we didn't update our national cybersecurity strategy
for a decade and a half is shocking and concerning, and I am
glad the President and his team decided to put out a new
strategy.
I do think it is valuable for Congress to require the
Administration to issue the strategy on a regular basis.
Whether that is a year or every 2 or 3 years, I would leave
that to you all and the White House to figure out what the
right cadence is. But I think it does make sense to have it
updated rapidly, because obviously, we are in a constantly
changing threat environment.
Now, in particular in the United States today, the threat
has changed. You have seen what has already happened. You have
heard testimony today about the way that criminals who are very
innovative and nation-states who are very innovative take
advantage of the current moment. They are not worried about the
fact the pandemic is hurting them. They are focused on how to
come after us and our people and our finances, and they are
very focused on that.
At the end of the day, though, the government's traditional
role has been protecting the nation when it comes to all other
things from nation-states. But in cybersecurity, we actually
have the private sector on the front lines.
So I think Kelvin is exactly right, that this is all about
partnerships. We have to bring the government and industry
together. And that is why having an entity at Treasury, having
Secret Service there, but also giving them operational
capability, will help better defend the financial sector where
they are on the front line defending today, when normally it
would be our military or our law enforcement efforts at the
front line.
Mr. Williams. Okay. Quickly, COVID-19 has given cyber
criminals a new opportunity to exploit the crisis to take
advantage of hardworking Americans. Many companies and
governments have been forced to switch their operations to a
virtual setting to conduct their normal operations, just as we
are doing right now with this hearing.
So, Mr. Coleman, quickly, what advice would you give
companies adapting to these remote settings on how they can
stay safe while they are figuring out these new operating
procedures?
Mr. Coleman. Congressman, I would absolutely advise them,
do not abandon your training and awareness. That is a low-
hanging-fruit opportunity for them to make sure that their
workers are continuing to be resilient in terms of trying to
protect themselves. So, the first thing I would say is, please
do not abandon the training and awareness that they probably
had set up pre-COVID-19.
Mr. Williams. Thank you, Mr. Chairman. I yield back.
Chairman Cleaver. Thank you.
The Chair now recognizes the gentleman from Washington, Mr.
Heck.
Mr. Heck. Thank you, Mr. Chairman, and Ranking Member Hill.
And thank you to all of the panelists. What a spectacular and
timely topic for us to discuss.
As the Chair indicated, I represent Washington State, and
tragically, unfortunately, nobody has been hit harder by the
unemployment insurance fraud that has gone on in this country
than Washington State, perpetrated by the cybercrime group that
is based in Nigeria, known as Scattered Canary.
We don't know exactly how much they bilked us out of, but
we know for sure that somewhere between $550 million and $650
million was fraudulently paid out by our State Department of
Employment Security. Fortunately, we have been able to recover
about $330 million of whatever the total number is.
And that operation, that recovery was only made possible,
frankly, because the U.S. Secret Service was able to identify
this operation and went to work. And frankly, I want to express
publicly my appreciation to the Secret Service for this on
behalf of the taxpayers of Washington State and all Americans
for that matter.
But I am not under any illusion that it is just Scattered
Canary out there. They are part of one of who knows how many
hundreds or thousands of organizations who basically are intent
on fraudulently appropriating our money. And that is why I am
so concerned. I am very concerned.
Between the lasting damage done to the government's
investigative capacity by the Budget Control Act--and it has
been diminished--and the loss of mission focus that has been
referred to here resulting from moving the Secret Service to
the Department of Homeland Security, I think our Federal
Government remains pretty unprepared, by and large, to identify
and investigate financial cybercrimes, especially factoring in
the massive amounts of Federal resources being distributed
across the country.
And that is why I was indeed proud to join with my friend,
Representative Williams, in introducing the bipartisan and now
bicameral U.S. Secret Service Mission Improvement and
Realignment Act, which would, of course, as indicated, move the
Secret Service back from the Department of Homeland Security to
its ancestral home at Treasury.
I think, as has been indicated, that will enable it to tap
into the institutional knowledge and expertise at Treasury to
better defend us against countering fraud and cybercriminal
activity.
So, Mr. Kellermann, I want to ask you the question that Mr.
Williams asked of Mr. Jaffer. You specifically mentioned the
importance of passing the Secret Service Mission Improvement
and Realignment Act. Thank you for that. But I want to ask you,
in your own words, why do you think it is important, above and
beyond what has been indicated?
And perhaps secondarily, what do we have to lose if we
continue to keep the Secret Service housed at the Department of
Homeland Security? That is for you, Mr. Kellermann.
Mr. Kellermann. Thank you.
I have always been impressed, in my 20 years in
cybersecurity, with the efforts of the Criminal Investigative
Division (CID) of the Secret Service. They haven't been too
flashy and taken too much credit for their successes, but they
have done Herculean efforts as it relates to disrupting some of
the most advanced cybercrime conspiracies in the world,
beginning with the Eastern Europeans' cybercriminal syndicates
back in the early 2000s.
But they have always been underresourced, and they have
always been stuck in this position where some of their very
best analysts had to still provide for protection duty, which
put a strain on even then keeping the best technological talent
within their ranks.
And this was compounded when they moved over to DHS post-9/11.
I understand why, but, at the same time, I think they could
truly help us move the needle as it relates to civilizing
American cyberspace and thwarting and suppressing some of the
more advanced financial crime, cybercrime conspiracies that are
ongoing if they were back in Treasury working hand-in-hand with
FinCEN and others.
So, again, I tip my hat to you. I think this is incredibly
important legislation, and hopefully, it happens.
Mr. Heck. Thank you.
What other steps do you think need to be taken to fill or
expand or make appropriate to the measure of the challenge our
government's capacity to investigate and pursue financial
cybercrimes? Aside from just changing the organizational chart,
Mr. Kellermann, what else do we need to do?
Mr. Kellermann. I feel that they should be given the
resources to hire more personnel, number one.
Number two, they should expand the Electronic Crimes Task
Forces--or I think they are now called the Cyber Fraud Task
Forces--internationally to get greater information sharing and
partnership with various countries who have very significant
and very powerful organized crime syndicates who have adopted
this cybercrime model.
And then, lastly, when they come across an investigation
where there is a cybercrime conspiracy and it is obvious there
has been misuse of virtual currencies and alternative payment
systems, those moneys could be used to fund their endeavors or
fund the efforts to protect the financial sector from attack.
Mr. Heck. Thank you, Mr. Kellermann.
And just finally then, let me say that if Washington
State's experience is any measure of this, where in this one
instance we have lost hundreds of millions of dollars in just
one State, what we are talking about here is a proposition of
risk that is billions upon billions upon billions.
I am pleased to have joined Mr. Williams in introducing
this bill.
Thank you, Mr. Chairman, and I yield back.
Chairman Cleaver. Thank you, Mr. Heck.
The Chair now recognizes Representative Gonzalez from Ohio.
Mr. Gonzalez of Ohio. Thank you, Mr. Chairman.
And thank you to our witnesses.
Echoing Mr. Heck's comments, this has been an incredibly
enlightening and important hearing today. So, I thank the
chairman for his leadership and for our witnesses today.
I want to focus my questions primarily on Mr. Kellermann,
if you would humor me here. I want to first focus on the
attribution issue and our ability to attribute these crimes to
different folks.
In both your written testimony and in your oral statement,
you talked about how cybercriminals are evolving in both attack
sophistication and organization.
Can you shed some light specifically on the organization
side? How have cybercriminals evolved, call it, in the last 2
to 3 years, and what are you seeing as sort of the next phase
here?
Mr. Kellermann. Thank you for the opportunity.
I would cite the World Economic Forum report that there has
been an industrialization stage occurring within the economy of
scale of the dark web. There are more groups providing specific
services and capability sets. You are seeing advanced business
models specific to things like access mining.
Access mining is, as a construct, a report issued by VMware
Carbon Black over a year ago where hackers will hack systems.
If they don't really have a use for those systems, they will
profile that system, and they will say, this is Bank A's
system. They will then sell access to that system to a
traditional criminal, who would have the capacity to liquidate
that experience, per se.
In many countries, as we well know, you see this Robin Hood
experience where the best cybercriminals are insulated and
protected as long as they don't hack anything within those
sovereign boundaries and as long as they act in a patriotic
fashion. I am sure my friends in the Secret Service or in the
FBI can attest to that. But I would say that it is a true
economy of scale now, sir.
Mr. Gonzalez of Ohio. Is there any sense that these are
connected to nation-states, in particular the Chinas and
Russias of the world? How directly are the links to some of our
adversaries?
Mr. Kellermann. From my gut, I feel like there is a link
between some of these groups, but, then again, I can't verify
that. I am sure that if you had the Secret Service or the FBI
testify, maybe in a classified setting, they could speak to
that.
I think there is a big difference between, let's say, a
Russian hacker and a Chinese hacker. Chinese hackers are less
likely to target the financial sector because, frankly, we are
their number one debtor, and, frankly, we are their number one
consumer. That being said, I don't think it is the case when it
comes to Russian-speaking hackers in Eastern Europe.
Mr. Gonzalez of Ohio. Right.
And then you also talk about a dark wallet as a platform
where jihadists can avoid your customer regulations and launder
money.
My question is, technologically, do we have the ability to
shut down something like a dark wallet? Is that technologically
possible?
Mr. Kellermann. I wouldn't be an advocate of, let's say,
shutting it down. I would just challenge the developers of
these platforms to at least, when called upon, to know who your
customer is when called upon, and to be able to freeze the
assets associated with anything that has been proven to be part
of a criminal or terrorist conspiracy using cyberspace.
I think the FBI, the Secret Service, and the intelligence
communities do have the capacity to do more interesting things,
but, then again, I am just a watcher on the wall, sir. I don't
have that much expertise vis-a-vis dark wallets.
Mr. Gonzalez of Ohio. Okay. But your gut is that we do have
the capability of being more aggressive with respect to how we
go after these individuals or we monitor, to be specific.
With my last minute, another thing you talk about is the
international e-forfeiture fund, which I think is really
interesting and probably something I want to investigate with
you maybe offline when we have more time.
But, just with the minute that I have left, structurally,
how would you envision that being set up? Who would be a part
of it? And how would it sort of be managed?
And I know that is a lot for 50 seconds, but give it your
best shot.
Mr. Kellermann. We need to incent developing countries to
play ball with us. As we both know, and as most--all of us know
for that matter, the most significant entities, transnational
organizations and organized crime syndicates within these
sovereign boundaries of those countries, don't necessarily have
to play ball, and they are just as powerful as the government.
So how do you incent the government to play ball? I think
by giving them a percentage of the forfeited assets associated
with the investigation. That is why I open it up to an
international lens, because most of cybercrime emanates from
outside of the United States.
I think probably the Bank of International Settlements
might be well-suited to do this, because they already
facilitate so much in our financial sector between the tier 1
financials.
Mr. Gonzalez of Ohio. Great. Thank you for your insight. We
will reach out after this for more depth.
Thank you, Mr. Chairman. I yield back.
Chairman Cleaver. Thank you.
The Chair now recognizes the gentleman from California, Mr.
Sherman.
Mr. Sherman. Thank you, and thanks for putting on this
virtual hearing.
My first question is for Mr. Kellermann. Included as one of
the subjects of today's hearing is a bill that I introduced,
the Internet Fraud Prevention Act, which addresses the issue of
business email compromise and especially real estate wire
fraud.
And the way it typically works in a real estate situation
is, you are dealing with somebody who saved their money to buy
a house. This would be the one time in their life that they
actually send $50,000 or $100,000 somewhere. And you hack their
email account, know that they are, in fact, buying a house, and
you convince them that when they are supposed to wire that
downpayment, it is supposed to go to account number ``12345''
in order to get to their escrow agent, when, in fact, the
escrow agent or the attorney involved has a different account
number.
And the reason this occurs is when you are supposed to wire
money in this country, you only wire it to a number and not to
the name of the entity that you are trying to send the money
to.
In the U.K., they are implementing a payee matching system
where, when you wire money, you are going to wire it to an
account number that has to be in the name of whom you actually
intend to get the money, and the U.K. regulator believes this
will reduce this kind of fraud by 90 percent.
My bill would require the Federal Reserve to perform a
cost-benefit analysis for implementing a similar program in the
United States. Would you agree that this is a good approach in
order to focus on this issue and prevent people from wiring
money to the wrong account?
Mr. Kellermann. I do. I do think that it necessitates a
cost-benefit analysis. But that being said, any obstacle that
we can put in the way of a fraudster is an obstacle worth
having.
My mom is a real estate agent, so I hear about this a lot.
Mr. Sherman. Thank you.
Ms. Senn, the next one is for you. I am the Chair of our
Investor Protection, Entrepreneurship, and Capital Markets
Subcommittee, as my colleagues know, and I am concerned about
the threat of cryptocurrency-based fraud.
In 2019, just a few months ago, in December, the NASAA
identified cryptocurrency as one of the top 5 threats to
investors in 2020. Today in your testimony, you note that among
the schemes being identified by your organization, this COVID-19
Enforcement Task Force, many involve cryptocurrency or
promote investments that are outside the stock market.
The SEC has resisted identifying cryptocurrencies, at least
Bitcoin and Ethereum, as securities, and so they say, ``Hey, it
is not our business, it is not a security, we have an `S' in
our name, that stands for security,'' and of course they apply
the Howey test. I believe that a lack of an SEC registration
requirement makes cryptocurrencies attractive to those who have
investment scams.
What do you think Congress can do, and what can the States
do to correct this system where, if investors want to invest in
a real company that really is providing jobs, they have the
protection of the SEC and the State commissioners as well, but,
for cryptocurrency, they don't get much protection?
Ms. Senn. Thank you, Congressman Sherman.
We do have a regulatory framework in place under the Howey
test to regulate investments in cryptocurrency. And on a State
level and through NASAA, back in 2018, we initiated a
cryptocurrency sweep, and it was a massive public awareness
campaign where we notified the public that, hey, guys, these
things are out here, they are initial coin offerings, they are
investment-related, be aware there are lots of fraudulent
offerings, as with any currency as well, but especially in the
crypto space, because people don't understand it. Investors are
still learning the digital assets if they want to invest
properly in that.
But we have a regulatory framework for investment in
cryptocurrency. I do believe that, collectively, the States can
be more proactive in promoting the types of frauds that are
prevalent--
Mr. Sherman. If I can interrupt, the SEC clings to this
idea that Bitcoin and Ether are not securities, and, therefore,
they don't have jurisdiction. Do the State securities
commissioners believe they have jurisdiction in those who are
selling Bitcoin and Ethereum?
Ms. Senn. If the cryptocurrency is being offered as an
investment, or with a view toward an investment--yes, sir. I
know.
Mr. Sherman. If every--
Ms. Senn. We also have many transmitters laws.
Mr. Sherman. Everybody who buys Bitcoin is buying it with
the prospect of it going up. Every cryptocurrency enthusiast
who hears a rate, and invests in it, believes it is going to go
up.
I believe my time has expired, so I yield back.
Ms. Senn. I am in agreement.
Chairman Cleaver. The Chair now recognizes Representative
Rose from Tennessee.
Mr. Rose?
We will move on to Mr. Taylor from Texas.
Mr. Taylor. Thank you. I really appreciate you putting this
hearing together, and I think it is important information. I am
reminded of something that Frederick the Great said long ago:
``He who defends everything defends nothing.''
Part of the issue here I think in this whole discussion is
prioritizing resources. And I have heard a lot about where we
need to prioritize resources and not prioritize resources. And
I guess something that I have been thinking about is in--and I
know there has been a mention of the AML/BSA program that
financial institutions pursue in trying to find anti-money-laundering
and, with the Bank Secrecy Act, trying to find
problems in terms of prioritizing.
I guess I will just kind of ask a broad question: Have you
seen people wasting resources, wasting the effort, or they are
trying to do the right thing, but they are headed down the
wrong path in terms of what they are doing? I will throw that
out, just experiences from the field. What have you seen that
you think, gosh, that is a waste of time and effort?
Mr. Coleman, do you want to take a crack at that?
Mr. Coleman. Congressman, fortunately, I have not
experienced that in cybersecurity. Most of the time it is the
exact opposite in terms of trying to help people understand the
urgency of investing or taking action throughout normal times,
let alone a disaster.
Jon Check from Raytheon, whom I work with, often talks
about how bad actors will take advantage of a disaster, manmade
or natural, a situation like we are in now, Congressman. And so
getting companies, businesses, individuals to act during those
times is difficult enough, let alone during peacetime.
So, no, I haven't necessarily seen where people are going
down the wrong path or wasting time. Actually, it is the
opposite in terms of trying to encourage them to go forward.
Mr. Taylor. Anybody else want to take a stab at that one
and talk about prioritization and making sure resources are
being used intelligently?
Mr. Jaffer. Congressman, I think one place that you might
look is oftentimes, you see a company go out and buy every tool
they can out there. And they put a lot of them on the shelves
and they don't utilize them.
So one thing that we can do is really encourage companies
to identify the best out there in the field and buy that
capability, use that capability. And if you are not going to
use it, don't buy it. If you don't have the capacity to take
care of it right now, don't invest in it at this time. I think
it prioritizes that, and that way is a sensible approach for
institutions.
I also want to associate myself with Mr. Kellermann's
remarks earlier about providing carrots to industry to take
advantage of cybersecurity protection, and so I think that
giving tax incentives is the right way to go.
A different approach would be to regulate and to tell
people exactly what to do and what not to do. The problem with
that in my mind is that it creates a check-box mentality, and
in a field where things are changing so rapidly, sir, I think
it is a mistake to require the type of regulations that would
be very specific and detailed and ultimately cause people to
just check the box and not actually gain on security gains.
Mr. Taylor. In my own experience, I was on a bank board for
12 years, and we acquired a product which automated the
verification of checks that were written fraudulently. And so,
by automating that, we were able to reduce resources in that
effort and actually be more effective. We actually saw
reduction in our fraud at our bank. But we also were then able
to put more resources into other counter-fraud efforts.
And so I think making the right investment, as you say, a
part of that is knowing where the efficiency is to be gained
and then, in turn, understanding where we can actually go get
those efficiencies.
And I look forward to working further on this issue.
Cybersecurity is increasingly becoming a concern in our country
because we are automating more, and the more we automate, the
more we turn to systems and computers to do things, the more
stuff is on the web, the more vulnerable we become or the more
we have to defend it.
With that, Mr. Chairman, I yield back.
Chairman Cleaver. The gentleman yields back.
The Chair now recognizes the gentleman from New Jersey, Mr.
Gottheimer.
Mr. Gottheimer. Thank you so much, Chairman Cleaver and
Ranking Member Hill, for calling this hearing, and to all of
our witnesses for being here today.
TransUnion, one of the big three credit bureaus, runs a
weekly survey that shows that 29 percent of consumers say they
have been targets of digital fraud related to COVID-19. On top
of that, AARP's Fraud Watch Network recently reported that
there has been a steep increase in scams targeting the elderly
and other vulnerable communities.
These nefarious actors, both domestic and international,
are using the pandemic and preying on people's fragile states
in these uncertain times to target their hard-earned retirement
accounts, their unemployment checks, and other savings.
Ms. Senn, from your perspective of working directly to
prevent cybercrime as the Chair of the Cybersecurity Committee
for the NASAA, do you agree that seniors are disproportionately
the victims of cybercriminals? And what challenges do law
enforcement run into while trying to prevent this population
from falling victim to frauds and scams?
Ms. Senn. Thank you, Congressman.
Yes, seniors are disproportionately targeted. They hold
most of the nation's wealth. You work your entire life so that
in your golden years, you hopefully can sustain the rest of
your life with the retirements that you have saved. Criminals
know that. That is where the money is.
You have heard the studies where, as you age, your
cognitive function declines, and your financial judgment is
part of that. And so, seniors are more vulnerable to financial
fraud because of that, the weakening in their financial
judgment.
Through NASAA, our North American Securities Administrators
Association, we have developed a model law to report the
suspected financial exploitation of seniors, and, through that
law, which 27 States have passed--yesterday was Elder Abuse
Awareness Day, and we were pleased to announce that--we have
reports coming in. So we can review--I have a stack of them on
my desk here of the types of frauds that seniors are being
exposed to.
And especially now, during the COVID-19 pandemic, seniors
are at home, they are being isolated, they are away from their
friends and family who normally check on them to see how things
are going and ensure that they are not online surfing the
internet and being solicited by fraudsters.
And so, it is critical during this time to reach out to
your friends and family, check on them, make sure that things
aren't unusual, red flags--I could talk about those all day--
but to continue to report suspected financial exploitation.
I want to mention one thing about the financial industry,
because we regulate on the State level the small businesses.
And I know you guys are talking at a macro level, but on a
micro level, we see the trickle down. I sit down with the
victim investors and talk with them about the frauds that have
impacted them, and some of them have been ripped off of their
entire life savings, and it is a problem for all of us--
Mr. Gottheimer. What do you think States--if I could just
follow up on that--what do you think States can do, what should
we equip States to do to be able to fight back and protect
vulnerable populations from fraud? Are there things you would
recommend?
Ms. Senn. Congressman, yes. I mentioned in my opening
remarks and in my written testimony, we--NASAA supports the
Senior Investor Pandemic and Fraud Protection Act, and I
believe that is legislation that you are interested in, which
would allow States to apply for a grant. And I know we do a
great job with the limited resources that we have, but, sir, we
can do better.
For example, in Alabama, we are able, through a small
grant, to hire a victim service officer to assist our financial
abuse victims, mostly seniors, with reporting and to provide
that human element. So it is critical, yes--
Mr. Gottheimer. Ma'am, I am glad you mentioned the
legislation that I have drafted. The Senior Investor Pandemic
and Fraud Protection Act does a lot, I think, that would really
help in that effort to allow qualified States to apply for
these grants, to be able to hire and train investigative staff,
which seems like that would make a difference, whether it is
purchasing technology and equipment or developing other
materials to fight fraud.
And I am going to ask unanimous consent, Mr. Chairman, to
submit a series of letters from industry and consumer groups in
support of this draft legislation into the record.
Chairman Cleaver. Without objection, it is so ordered.
Mr. Gottheimer. Thank you so much.
I can't tell how much time I have left. Mr. Chairman, how
much time is that? It is not coming up. How long?
Chairman Cleaver. One minute.
Mr. Gottheimer. One minute. So I will just say, as the
world races to find a cure for COVID, Iranian and Chinese
hackers have waged cyber attacks targeting American companies,
universities, and research institutions, the pharmaceutical
company Gilead Sciences, and the World Health Organization
(WHO).
Mr. Jaffer, in the time we have left, how vulnerable is our
financial sector to state-sponsored hacking at this time?
Mr. Jaffer. I think state-sponsored hacking is the biggest
threat to our financial sector because of the capabilities they
can bring to bear.
If you think about what nation-states have, they have
almost unlimited resources, both human and monetary, to throw
at a problem. So, any single private-sector company, whether it
is JPMorgan Chase or a small community bank like you were
talking about, they simply don't have the resources to be able
to go up against that kind of a threat.
That is why we have to bring them together in a collective
defense fabric, one bank with another, large banks with small
banks, all coming together collectively to defend one another
in this scenario. You just can't beat a nation-state at their
own game.
Mr. Gottheimer. Thank you, Mr. Jaffer.
Ms. Senn, thank you for your answers.
And thank you, again, to the chairman and the ranking
member and our witnesses. I yield back.
Chairman Cleaver. Thank you.
The gentleman from Tennessee, Mr. Rose, is now recognized
for 5 minutes.
Mr. Rose. Thank you, Chairman Cleaver and Ranking Member
Hill, for yielding and for holding this hearing today.
I also want to thank our witnesses for their testimony and
for their expertise.
As the COVID-19 pandemic continues to impact our country,
fraudsters and cybercriminals have seized the opportunity to
prey on vulnerable Americans. They have exploited this crisis
to infiltrate our institutions and are a systemic threat to our
financial system.
The number of cybersecurity complaints in the last 4 months
has spiked to as many as 4,000 incidents a day.
Ms. Senn, would you please outline to what extent we are
seeing an increase? That is, is it exponential, or does it
compare to fraud seen in the wake of other natural disasters?
Ms. Senn. Thank you, Congressman.
In my opinion, it is exponential. I can speak from my
perspective here in Alabama and for other States that we have
seen a dramatic, 50 percent uptick in the number of financial
exploitation reports that are coming in during this time.
Like I mentioned earlier, I have a stack of them on my
desk, because primarily, seniors are at home alone. The
computer is a source of social--it is a social platform. People
are online more. They are ordering food and other items online.
Shopping online is a tremendous source of fraud. They are being
inundated with pop-up things, and people just don't know how to
sort through BS and get to the legitimate sites.
And our brokerage firms, you all mentioned small
businesses, a lot of them are working from home. And so, we are
working to ensure that controls are in place for the small
businesses that we regulate on the financial side.
Mr. Rose. Thank you.
Cyber threat actors have been taking advantage of the
crisis to undermine the U.S. Government, to prod systems for
weaknesses, and stoke fear and confusion.
Professor Jaffer, where are a majority of these cyber
attacks originating from, and what has been their main target?
Mr. Jaffer. Thank you, Congressman.
Obviously, the vast majority of cyber attacks that come
against our country are coming from a combination of nation-
states and fraudsters. So it depends on what we are talking
about. If we are talking about major attacks on our banking
system or the like, we have seen that come from countries like
North Korea, and from Iran. We saw the 2016 and the 2012
attacks on our banking system by Iran, and those continue
apace.
Our government is targeted by all manner of nation-states
and patriotic hackers and the like. I don't really believe in
patriotic hackers. Those are simply nation-states acting
through proxies.
At the end of the day, if we are really going to defend this
nation when it comes to cyberspace, we have to realize that we
have put the private sector on the front lines unlike any other
scenario. We don't expect Target and Walmart to defend against
Russian Bear Bombers coming across the horizon, yet today in
cyberspace we expect exactly that of JPMorgan, Citibank,
Walmart, Target, and every mom-and-pop institution, whether it
is a bank or a bakery, to defend against the Russians, the
Chinese, and the Iranians. That is simply an unsustainable
scenario, and we have to bring the nation together.
Large banks have to protect small banks. Large corporate
institutions have to protect other smaller corporations. We
have to take a supply chain mentality to this.
And that is something that the government single-handedly
can bring together and create that joint collaborative
environment that the Cyberspace Solarium Commission talked
about in order to make that happen. It requires us to move and
act in real time. We can't simply wait and have the
conversation a day or two later. By that time, your systems are
down, sir.
Mr. Rose. Picking up there, Professor Jaffer, have we given
our law enforcement agencies and the criminal justice system
the tools that we need to give them to combat this 21st Century
challenge?
Mr. Jaffer. Thank you for that question, Congressman.
We have historically given a lot of the tools that our
government needs. One of the challenges we face today, though,
is that we have a debate in this country about the right
authorities for police, the right authority for our
intelligence community. You see the expired provisions of the
USA Patriot Act. We are now in a pre-9/11 era when it comes to
protecting ourselves against foreign nation-state threats and
terrorist threats.
The same is true of cybercriminals. Those same authorities
we used are gone. And the fact that we haven't been able to
come together as a country and reauthorize those provisions
which are--one of which is controversial, two of which are
absolutely noncontroversial, is really a concern. And we really
have to come together and provide authorities and add
authorities, as we are doing with the Secret Service, and
resources to really address these threats.
It is a hard thing to do in a time we are spending a lot of
money on restarting our economy, but it is something we have to
do if we are going to protect it in the long-term, sir.
Mr. Rose. Quickly, one follow-up question. I have always
felt like we probably were not getting to the easiest place to
cut off the threat, so the providers of access to the internet.
Do you think we have enough and a robust enough set of tools in
that arena to combat crime in the cyber era?
Mr. Jaffer. The providers do a lot today to take spam off
the network and the like. Could we empower them with more
capabilities, more authority, frankly, more information from
the government? Absolutely.
The truth is that we have been talking about the government
giving classified information to the private sector to defend
itself for the better part of almost a decade and a half. We
have never really acted in a serious way. That is on the
intelligence community on one side. But it is also on industry,
because the industry has to show the government where the
attack is from.
And so, we have to create that shared situational
awareness, but both sides have to play, and the government has
to give more classified information to industry and in a form
they can actually use it, sir, and that is the most important
thing.
It is one thing to pull somebody in a room and say, ``Here
is a bunch of secrets.'' Walk out, you can't say anything about
it. It is different to give them the actual information and let
them use it to defend themselves.
Chairman Cleaver. Thank you, Mr. Jaffer.
Mr. Rose. Thank you. I yield back. I think I have run out
of time, but the clock disappeared.
Chairman Cleaver. Yes. Well, this is your gift for the day.
Mr. Rose. I yield back.
Chairman Cleaver. Ms. Wexton of Virginia, you have 5
minutes.
Ms. Wexton. Thank you, Mr. Chairman.
And thank you to the witnesses for being with us today.
This is a really fascinating and obviously a very timely
discussion.
One of the pieces of legislation that we are considering
today is a bill that I am working on, the COVID-19 Restitution
Assistance Fund for Victims of Securities Violations Act, which
would create a fund at the SEC to provide restitution payments
for individuals harmed by COVID-19-related securities fraud if
they don't otherwise receive full restitution.
Ms. Senn, I was pleased to hear you reference this bill in
your opening remarks. Do you agree with this approach? Do you
think that this is a positive piece of legislation?
Ms. Senn. Overwhelmingly yes, Congresswoman. As a long-time
prosecutor, 10 years of financial crime, I have spent many long
hours on the topic of victims who will never see another cent
of the money that was stolen from them by fraudsters. And, in
Alabama, there is not a recovery fund for victims of financial
crimes. And so, yes, Alabama and NASAA overwhelmingly support
the establishment of this fund.
Ms. Wexton. And you say in your testimony that victims of
investment scams often have a hard time recovering their
losses. Can you explain why that is, and what are some of the
challenges that they faced in recovering their losses?
Ms. Senn. Yes, ma'am. As my distinguished colleagues on the
panel have mentioned several times, that money goes overseas,
and we see it in the bank records. We coordinate regularly with
our Federal partners. The FBI can provide us with the exact
location, but we can't go out and get it.
As Congress is aware, there are certain threshold
requirements. Due to the limited resources, we have to allocate
them properly. So, we can't go after Ms. Jones' $50,000 that
she put as a down payment on her house. Maybe that came from a
brokerage firm. It is just not possible to spend the money to
go out and get that. And so, those people oftentimes have seen
entire retirement accounts dissipated, and they have nowhere to
turn. They don't have friends and family to look after them. So
they turn to public welfare, and it is a sad situation. But
victims of financial fraud need a recovery fund.
Ms. Wexton. It is very sad that someone's entire life
savings wouldn't be enough to go and recover it as best we can.
But do you have any suggestions or thoughts about what other
actions Congress can take to uncover and prosecute those who
would commit fraud in this way?
Ms. Senn. Yes, ma'am.
As mentioned earlier, the States come together, we
coordinate, and we communicate. If there is a fraudster in one
State, we have internal communications where we ensure that our
resources are being allocated properly so that we can go after
these folks.
And we are also coordinating with our Federal counterparts,
the SEC, CFTC, FBI, and DOJ. But we all have limited resources.
I know, on the State side, particularly with the financial
fraud that we are seeing, everybody needs more money for
technology.
I am listening to my panelists, and I am shaking my head in
agreement, yes, especially the smaller businesses. The
cybersecurity protocols 20 years ago were nothing in
comparison. You tried to make sure your computer was updated
occasionally. And so, it is overwhelming to small businesses
across the State, so I mention those things, money as always.
Ms. Wexton. Great. Thank you so much, to all of you. With
that, I will yield back, Mr. Chairman.
Ms. Senn. Thank you.
Chairman Cleaver. The gentlelady yields back.
The Chair now recognizes Mr. Lynch from Massachusetts.
Mr. Lynch. Thank you, Mr. Chairman. First of all, I want to
thank you, Mr. Chairman, for holding this hearing, and also
Ranking Member Hill. I want to thank our witnesses. They have
all been terrific, and I really appreciate their testimony.
Mr. Chairman, I don't have many more questions, but I sort
of handle a similar topic over on the House Oversight and
Reform Committee, where I chair the Subcommittee on National
Security, and we sort of overlap. And one of the earlier
questions was what evidence do you have as to the nature of
some of these cyber intrusions.
So, we have submitted a request to our intelligence
agencies to do a classified briefing when we get back into D.C.
And I was wondering if, Mr. Chairman, you would cosign that
request and we would do a joint classified briefing so that we
can get into some of the details of this that we cannot discuss
in this forum, which is unclassified?
But that is my one request. And it would be expanded not
only to the cyber hacks, but, also, there is evidence that
foreign actors are also online, exacerbating and disrupting
some of the discussions around us reforming our criminal
justice system and the brutal murder of George Floyd in
Minneapolis.
They have been piling on, on top of that issue, too, and we
would like to drill down and see what actions some of these
malign actors overseas, both government-wise but also
individual hackers, have influenced that debate as well.
So, that is all I have. I would love to have you join us. I
think it is one of the common interests between our committees,
and it is also bipartisan. It is shared among our colleagues.
In closing, I do want to say that I fully endorse the
Realignment Act that has been put forward by Mr. Heck and Mr.
Williams, and I am happy to support that, and I will yield
back. Thank you, sir.
Chairman Cleaver. Thank you, Mr. Lynch. We look forward to
working with you to see what--and I would ask Mr. Perlmutter as
well, and Ranking Member Hill to sit down with you. I think we
should work together on this issue.
The Chair now recognizes the Chair of the Full Committee,
the gentlewoman from California, Chairwoman Waters.
Chairwoman Waters. I would like to thank you for convening
this hearing on the cybersecurity threats and electronic fraud
issues that have proliferated during the COVID-19 pandemic.
Persistent cyber attacks on our financial system are not new. I
don't know if you have had this discussion this morning, but I
am concerned that some minority communities, and particularly
those with higher limited-English-proficient populations, are
more vulnerable to predatory practices and scams during the
COVID-19 pandemic.
For example, in the last financial crisis, consumer groups
reported that borrowers with limited English proficiency paid
thousands of dollars to scammers for foreclosure prevention
help that never materialized, with cybersecurity complaints to
the FBI increasing from 1,000 per day to 4,000 daily, which
scams have been predominantly targeting seniors, minorities,
and individuals with limited English proficiency during this
pandemic.
What can financial regulators and advocacy groups do to
better protect and educate consumers in these communities
against such threats?
I would like to address this to all of our witnesses. Any
one of you can start with a response to this if you have any
information or advice about what is happening as this fraud is
targeted toward these minority communities.
Mr. Coleman. Chairwoman Waters, this is Kelvin Coleman with
the National Cyber Security Alliance. I will start by saying
that with the nation being over 360 million Americans in 50
States and 6 territories, the National Cyber Security Alliance
has been very successful in using force multipliers for trusted
community groups to spread our message about cybersecurity
awareness and education. I think this is the perfect
opportunity to do that as well. So, utilizing and speaking with
organizations that are trusted and embedded in those
communities to carry our message forward, because oftentimes,
these are low-hanging-fruit solutions that we can recommend to
people.
I know Amanda and Jamil and Tom are talking about some
pretty sophisticated products and processes that the U.S.
Government can look at. But when it comes to the average
citizen, we need to be talking about more basics, like password
protection, making sure that they are patching their systems,
that they are up-to-date. And so, I would advocate utilizing
those existing embedded community groups to really, again, use
them as our force multiplier to get the message out there to
them.
Chairwoman Waters. Ms. Senn?
Ms. Senn. Chairwoman Waters, I will add to Kelvin's comment
that the States--we have discussed this--have provided
translators in the communities in some of our States, because
they know the communities, our State securities regulators
understand their communities' needs, and they are able to
partner with private industry to host workshops and investor
education events and have folks there to translate.
Chairwoman Waters. Thank you very much for that response.
And I just want to say to the chairman, I thank you so very
much. This is a subject that is going to get a lot of attention
based on our new normal. So, thank you very much.
I yield back the balance of my time.
Chairman Cleaver. Thank you, Madam Chairwoman.
Let me, at this time, thank all of the witnesses for their
very helpful, insightful testimony.
Without objection, I would like to offer letters of support
for this hearing provided by the FACT Coalition; the National
Association of Federally-Insured Credit Unions; a submission
for the record by the Washington, D.C.-based think tank Third
Way; and a number of letters of support for legislation to
reauthorize and fund the Senior Investor Protection Grant
Program.
Without objection, it is so ordered.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
With that, this hearing is now adjourned.
[Whereupon, at 1:44 p.m., the hearing was adjourned.]