[Senate Hearing 116-47]
[From the U.S. Government Publishing Office]

                                                     S. Hrg. 116-47

                   CYBER CRIME: AN EXISTENTIAL THREAT
                           TO SMALL BUSINESS

=======================================================================

                                HEARING

                               BEFORE THE

                      COMMITTEE ON SMALL BUSINESS
                          AND ENTREPRENEURSHIP
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 13, 2019

                               __________

    Printed for the Committee on Small Business and Entrepreneurship

        Available via the World Wide Web: http://www.govinfo.gov

                                 __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
36-838 PDF                  WASHINGTON : 2019

--------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com

            COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP

                     ONE HUNDRED SIXTEENTH CONGRESS

                              ----------
                     MARCO RUBIO, Florida, Chairman
              BENJAMIN L. CARDIN, Maryland, Ranking Member
JAMES E. RISCH, Idaho                MARIA CANTWELL, Washington
RAND PAUL, Kentucky                  JEANNE SHAHEEN, New Hampshire
TIM SCOTT, South Carolina            EDWARD J. MARKEY, Massachusetts
JONI ERNST, Iowa                     CORY A. BOOKER, New Jersey
JAMES M. INHOFE, Oklahoma            CHRISTOPHER A. COONS, Delaware
TODD YOUNG, Indiana                  MAZIE K. HIRONO, Hawaii
JOHN KENNEDY, Louisiana              TAMMY DUCKWORTH, Illinois
MITT ROMNEY, Utah                    JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri
             Michael A. Needham, Republican Staff Director
                 Sean Moore, Democratic Staff Director

                            C O N T E N T S

                              ----------

                           Opening Statements

Rubio, Hon. Marco, Chairman, a U.S. Senator from Florida
Cardin, Hon. Benjamin L., Ranking Member, a U.S. Senator from Maryland

                               Witnesses
                                Panel 1

Roat, Ms. Maria, Chief Information Officer, U.S. Small Business Administration, Washington, DC
Romine, Dr. Charles, Director, Information Technology Laboratory, National Institute of Standards and Technology, Washington, DC

                                Panel 2

Smith, Ms. Stacey, President & CEO, Cyber Association of Maryland, Inc., Baltimore, MD
Hyman, Ms. Elizabeth, Executive Vice President, CompTIA, Washington, DC
Harper, Ms. Karen A., President, Charles River Analytics, Inc., Cambridge, MA

                          Alphabetical Listing

Cardin, Hon. Benjamin L.
    Opening statement
COLSA Corporation
    Statement dated March 26, 2019
Harper, Ms. Karen A.
    Testimony
    Prepared statement
    Responses to questions submitted by Chairman Rubio
Hyman, Ms. Elizabeth
    Testimony
    Prepared statement
    Responses to questions submitted by Chairman Rubio
Roat, Ms. Maria
    Testimony
    Prepared statement
    Responses to questions submitted by Chairman Rubio
Romine, Dr. Charles
    Testimony
    Prepared statement
    Responses to questions submitted by Chairman Rubio
Rubio, Hon. Marco
    Opening statement
Smith, Ms. Stacey
    Testimony
    Prepared statement

                   CYBER CRIME: AN EXISTENTIAL THREAT
                           TO SMALL BUSINESS

                              ----------

                       WEDNESDAY, MARCH 13, 2019

                      United States Senate,
                        Committee on Small Business
                                      and Entrepreneurship,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:31 p.m., in Room 428A, Russell Senate Office Building, Hon. Marco Rubio, Chairman of the Committee, presiding.
    Present: Senators Rubio, Scott, Ernst, Young, Kennedy, Hawley, Cardin, Cantwell, Shaheen, Markey, Duckworth, and Rosen.

OPENING STATEMENT OF HON. MARCO RUBIO, CHAIRMAN, A U.S. SENATOR
                          FROM FLORIDA

    Chairman Rubio. The Senate Committee on Small Business and Entrepreneurship will come to order. I want to thank everyone that is here today, and I want to welcome our witnesses. We'll have two panels. I'll introduce them in a moment.
    This hearing will discuss one of the most challenging issues facing small businesses: cybersecurity.
    It's hard enough for small businesses to get up and running with changing markets, regulatory hurdles, and the cost of starting a business, but cyberattacks can bring a quick end to all of one's hard work.
    Foreign hackers and other cyber criminals are increasingly targeting small businesses to steal their intellectual property, trade secrets, and valuable information, and an equally nefarious practice is to hold hostage small businesses' operational and customer data in order to get a ransom payment.
    Small businesses are the victims in approximately 43 percent of all attacks. While ransomware attacks on individuals have fallen, those attacks, ransomware attacks targeting businesses, rose 12 percent in the last year. Almost 55 percent of small businesses were victim to phishing attacks in 2017. That is up 30 percent from just 2 years before that.
    The risk of cybercrime is greater to small businesses, which lack, in many cases, the dedicated IT staff, the sophisticated equipment that larger companies have in order to try and stay safe. Cybercriminals know that. They know small businesses may be unprepared for attacks, which is why small businesses are twice as likely to be targeted by phishing attacks.
    Consequences of cybercrime are also greater for small businesses, which operate on a smaller profit margin and are not always able to bounce back after a costly attack.
    The Department of Justice's Internet Crime Complaint Center recorded more than 300,000 cybersecurity complaints in 2017 alone, which added up to more than $1.4 billion in losses, and we know that cyberattacks on small businesses are significantly underreported because either they do not know who to call or they do not want their customers to know that they are, or have been, potentially compromised.
    Because the risks to small businesses are so high today, I introduced, along with Senator Shaheen, the Small Business Cyber Training Act to create a cyber-strategy training program for the counselors at the small business development centers across the country. The bill will prepare them, these counselors, to provide vital advice on cybersecurity to entrepreneurs when it matters most: at the beginning of their businesses' life cycle. And perhaps, most importantly, counselors can make small businesses more aware of the very real cyber threats that they face.
    In addition to internal controls and protections for their own operations, businesses that want to work with the Federal Government are required to meet an extra level of cybersecurity protection under NIST contracting requirements.
    It is important for the Government to maintain a high level of security with its contractors, but the inability to meet certain cybersecurity criteria can begin to disqualify smaller companies, who cannot afford to build up the cyber capability necessary to service the Government.
    In fact, many times small businesses cannot even understand what the Government requires of its contractors. It is complex. We hope that NIST, the SBA, and other Government agencies will work together to educate and train small business contractors so that they can be equipped to take on business with the Government.
    Federal agencies face very real cyber threats, including the SBA. It may be a small Government agency in comparison to others, but for many small businesses, the SBA is an important gateway to loans, disaster relief, and business training. And that's why it's especially important that the IT system at the SBA be secure enough to protect very sensitive data that small businesses and lenders entrusted to the agency.
    The SBA Office of Inspector General has consistently ranked SBA's IT as one of the most serious challenges facing the agency. Specifically, the IG has recommended that the SBA continue to improve IT controls to address operational risks, such as cyberattacks.
    The SBA is moving quickly to modernize its systems, but we know that criminals often move even faster. In recent years, we have seen what happens when Government agencies let their guard down, as was the case with OPM in 2015 when personnel data of more than 4 million current and former Federal Government employees was stolen.
    The risk of cyberattacks for small businesses also compromises data that could harm U.S. national security. Our adversaries are laying the groundwork for cyber espionage by embedding their technology into the systems we depend on to do business, be it a small business or a Government business.
    Just last week, reports emerged showing that the Chinese hacking group APT40 has infiltrated IT systems of at least 27 universities worldwide, including MIT, in an attempt to steal U.S. military information from less secure sources.
    These cybercriminals operate with the full backing of the Chinese Communist Party, and we must take proactive steps to deny the Chinese government and others access to our networks and to the personal information of small businesses.
    This is why I, along with the Ranking Member Senator Cardin, introduced the SBA Cyber Awareness Act, which would require the SBA to develop a cyber strategy and to examine where the components in its IT system are manufactured.
    This bill would also require the SBA to report to this Committee about the cyber breaches and threats it faces so that we can give the SBA the tools that it needs to defend itself against future attacks.
    So we look forward to talking with our witnesses about ways to protect small business information from cybercriminals, while also helping them understand cyber guidelines and requirements that allow their full participation in the market.
    Now I recognize the Ranking Member.

OPENING STATEMENT OF HON. BENJAMIN L. CARDIN, RANKING MEMBER, A
                   U.S. SENATOR FROM MARYLAND

    Senator Cardin. Well, Mr. Chairman, first of all, thank you for convening this hearing on a very important topic for small businesses.
    As I go around and meet with small business owners around the State of Maryland, around our Nation, cybersecurity and their capacity to deal with cyberattacks is always mentioned, and it is an area of great concern to the future growth of small businesses in our community.
    In recent years, the Senate has paid close attention to the risk that cybercrime poses to our national security and our democracy. We have also confronted the risk posed to consumers when their private data is exposed by hacks at large corporations and Federal agencies like Target, Equifax, and OPM.
    As large companies and Government agencies continue to invest in cybersecurity and harden defenses, cybercriminals are increasingly turning their sights to softer targets, like small businesses that are unable to invest in the most cutting-edge cybersecurity technology.
    According to the 2018 Verizon report, 58 percent of data breach victims globally are small businesses. Small businesses with their narrow margins and lower capital reserves are unable to maintain trained cybersecurity personnel or purchase the most up-to-date tools. So for most small businesses, a data breach is a fatal blow.
    A 2017 Better Business Bureau survey revealed that more than half of all small businesses reported that they could not remain profitable for only--they could have remained profitable for only one month if they permanently lost access to the essential data, and only 35 percent reported that they could survive more than 3 months. These statistics are cause of great concern.
    So our goals for this hearing are twofold. First, we want to learn how SBA plans to comply with the Federal Data Management Standards outlined by the Federal IT Acquisition Reform Act, also known as FITARA. I was pleased to read last year's OIG report that found that the SBA has made substantial progress towards full compliance with FITARA. So I am looking forward to hearing from the SBA Chief Information Officer, Maria Roat, today about the tools and resources the SBA needs to achieve full compliance.
    Second, we want to know how we can help small businesses keep their data out of the reach of cybercriminals. I am grateful to the National Institute of Standards and Technology, which is one of many Federal, commercial, and academic cybersecurity assets in my home State of Maryland. It is already working to improve cybersecurity for small businesses, and I am eager to examine what is working well but also interested in learning how NIST is tailoring its guidance into practical steps that small businesses can take.
    Earlier this week, I was at NIST and had a chance to hear firsthand some of the work that you are doing. I am proud that in Maryland, we have the National Cybersecurity Center of Excellence, which partners with the State of Maryland, which provides incredible services in this challenging field.
    We also have the Information Tech Lab at NIST, which is an important asset for us to have to try to understand how we can be more effective in dealing with this challenge.
    Maryland is also home for U.S. Cyber Command, and we have University of Maryland. And, Mr. Chairman, I could go on and on about Maryland, but I know the State of Washington or Florida will want equal time. So I will move on.
    Just that I am proud that Maryland is a national leader in helping to expand cybersecurity resources to small businesses so they can not only be prepared for cyber threats but recover when hackers strike.
    Last year, our State enacted first-of-its-kind legislation to provide tax credits to small businesses that purchase cybersecurity products or services from a local qualified firm. The bill also created a tax credit for investors who invest in Maryland cybersecurity companies.
    Stacey Smith, the executive director of Cyber Association of Maryland, is here to share some of the lessons we have learned in Maryland, so we have a better understanding of how to help small businesses with cybersecurity.
    Lastly, I would like to thank all the witnesses that are here today that have joined us in this discussion. My hope is that by the end of this hearing, we will know where we are in our effort to keep the SBA and small businesses safe from cybercrime, a clear sense of where we need to go to ensure our data is kept safe, and ideas on the best way to achieve these results.
    Thank you, Mr. Chairman.
    Chairman Rubio. Thank you.
    And just claiming my time on behalf of Florida, we have no snow.
    [Laughter.]
    And I can see the Bahamas from my backyard.
    All right. Our first panel of witnesses is Ms. Maria Roat, the Chief Information Officer at the U.S. Small Business Administration. She previously served as the CIO at the Department of Transportation, was the Deputy CIO for FEMA, Chief of Staff and the CIO at DHS, and in numerous other Government IT roles. In addition, she retired from the U.S. Navy with the rank of Master Chief Petty Officer following 26 years of active duty and reserve service.
    Charles Romine is the Director of the Information Technology Laboratory at the National Institute of Standards and Technology, NIST, under the Department of Commerce. At the ITL, Dr. Romine develops and disseminates the cybersecurity standards and guidelines for Federal agencies and U.S. industry. The ITL also uses emerging IT to help meet national priorities such as homeland security applications.
    We all want to thank both of you for being here, and we will begin with you, Ms. Roat.

STATEMENT OF MARIA ROAT, CHIEF INFORMATION OFFICER, U.S. SMALL
            BUSINESS ADMINISTRATION, WASHINGTON, DC

    Ms. Roat. Thank you, Mr. Chairman, Ranking Member Cardin, and members of the Committee.
    I joined SBA 2 and a half years ago after serving as the Chief Technology Officer at the Department of Transportation. Prior to that, I worked for 10 years at the Department of Homeland Security. At the time I came on board at SBA, the agency had experienced eight CIOs over a 10-year period. The lack of consistency negatively impacted the agency's technology footprint, and since taking over the position, my team and I have tackled many issues head on.
    I am pleased to present a different picture today than what I inherited. We significantly upgraded the agency's technology stack and through comprehensive improvements generated $11 million in savings and cost avoidance.
    Along the way, I have enjoyed the support of Administrator McMahon. I am proud of the work of my team and colleagues.
    Under my direction, we continue to drive innovation and move aggressively to address deficiencies and improve SBA's cybersecurity posture. The result is that SBA is now a leading Federal agency in its cybersecurity capabilities.
    Today, SBA employees have greater access to secure modern technology and productivity tools. Small businesses and entrepreneurs have an improved user experience, and they can be assured that we are protecting their information assets.
    A key part of achieving this is taking an enterprise approach to modernization and moving our application systems and data to the cloud. In early 2017, we were the first agency to deploy DHS's Continuous Diagnostics and Mitigation, CDM, into the cloud. We ingest data from our on-prem assets, multiple cloud services, and even legacy IT to provide a detailed picture of our environment. This greatly reduced the number of tools and services in use while strengthening protection and detection capabilities.
    Like many organizations, the number one threat to SBA is email. Phishing attacks are not just a nuisance. They are a serious and effective means to gain unauthorized access to sensitive information.
    Over the past 6 months, my cybersecurity team identified and investigated nearly 500 phishing attacks. We purged over 6,800 malicious emails from employee mailboxes, and working with DHS, we removed nearly 300 malicious internet websites that were being used for phishing or distribution of malware.
    The agency's website at sba.gov is the first place many small business owners engage with SBA, and the site receives more than 10 million unique visitors per year.
    In 2018, during National Small Business Week, we launched our agency website to simplify customer access to SBA services.
    In addition to this complete website re-platforming and design, my office continues to partner with our program offices to introduce modern technologies, help them manage large datasets, and develop much needed system improvements for our small business community.
    In 2017, we worked with the Office of Capital Access to launch the Lender Match Tool to better connect borrowers with lenders. We helped the Office of Disaster Assistance deploy a new disaster credit management system to enhance our disaster loan processing. We are working with our Office of Investment and Innovation on a new platform for our SBIC program to allow us to better manage the lifecycle of SBICs.
    We are beginning a project with our Office of Capital Access to replace our micro loan IT system to better manage data and loan information.
    We will soon engage our Office of Entrepreneurial Development to replace the centralized Web-based reporting system used by our resource partners: SBDCs, SCOREs, Women Business Centers, and our Veteran Business Outreach Centers.
    And we continue to support the work of Administrator McMahon on the launch of the new Women's Digital Learning Platform. I believe she discussed this with you during a recent testimony before the Committee.
    These are examples of actions that are helping transform SBA from an agency with many stovepipes, unstable technology and infrastructure, to a more proactive and innovative enterprise services organization. We are becoming much more responsive to the business technology needs of SBA program offices, and we are recognized across the Federal and industry IT community as a technology leader and innovator. We have certainly come a long way in a short period of time.
    Thank you for the opportunity to speak with you today. I look forward to your questions.
    [The prepared statement of Ms. Roat follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Rubio. Thank you.
    Dr. Romine.

   STATEMENT OF CHARLES ROMINE, Ph.D., DIRECTOR, INFORMATION
  TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND
                           TECHNOLOGY

    Dr. Romine. Chairman Rubio, Ranking Member Cardin, and members of the Committee, thank you for the opportunity to appear before you today to discuss NIST's cybersecurity efforts as they relate to small businesses.
    Small businesses are more innovative, agile, and productive than ever, thanks to the capabilities delivered by information technology, but the IT security challenge for small businesses looms larger than ever.
    In the cybersecurity realm, NIST has worked with Federal agencies, industry, and academia since 1972, and NIST's role has been expanded to research, develop, and deploy information security standards and technology to protect the Federal Government's information systems against threats as well as to facilitate and support the development of voluntary industry-led cybersecurity standards and best practices for critical information.
    NIST has a longstanding and ongoing effort supporting small business cybersecurity. This is accomplished by providing guidance through publications, meetings, and events.
    NIST has worked with interagency partners, including the Small Business Administration, the Federal Trade Commission, Federal Bureau of Investigations' InfraGard program, and DHS's Cybersecurity and Infrastructure Security Agency to host cybersecurity workshops, training webinars, and has provided online resources for small businesses.
    More recently, in response to the NIST Small Business Cybersecurity Act, NIST launched the NIST Small Business Cybersecurity Corner website to put key resources in one place. Small Business Administration, CISA within the Department of Homeland Security, and Federal Trade Commission are contributors to this website. These agencies as well as nonprofit organizations are providing small business-focused resources to be shared through that site, and they will promote awareness and use of the site.
    In 2016, NIST released a major revision to the popular report "Small Business Information Security: The Fundamentals." The report is designed for small business owners with little cybersecurity expertise and provides basic steps needed to help protect their information systems.
    I would like to highlight a document that the Committee may be familiar with, "The Framework for Improving Critical Infrastructure Cybersecurity," or the Cybersecurity Framework, which many organizations, including many small businesses, use to manage their cybersecurity risk.
    Published in 2014 and revised in 2017 and 2018, the framework provides a voluntary, risk-based, flexible, repeatable, and cost-effective approach that relies on voluntary standards, guidelines, and practices to help organizations identify, assess, manage, and communicate cybersecurity risks.
    In addition to the Cybersecurity Framework, NIST has developed extensive cybersecurity standards and guidelines, including a risk management framework that can be customized for small businesses and implemented on a voluntary basis to help protect a small business' intellectual property and organizational assets.
    Building further on the success of the Cybersecurity Framework, NIST released the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations of all sizes better understand the effectiveness of their cybersecurity risk management efforts.
    Small businesses constitute the backbone of the U.S. manufacturing sector. Within NIST, the Manufacturing Extension Partnership, or MEP, has a specific focus on assistance to small manufacturers and operates a nationwide network with MEP centers located in every U.S. State and Puerto Rico.
    In 2008, the National Initiative for Cybersecurity Education, or NICE, a public-private collaboration among Government, academic, and industry, was established to enhance the overall cybersecurity capabilities of the United States.
    In August 2017, NIST released the NICE framework, which is a national resource that categorizes and describes cybersecurity work.
    The NIST National Cybersecurity Center of Excellence is a collaborative hub where industry organizations, Government agencies, and academic institutions work together to address businesses' most pressing cybersecurity issues. This public-private partnership enables the creation of practice cybersecurity solutions for specific industries as well as for broad cross-sector technology challenges.
    NIST recognizes that it has an essential role to play in helping small businesses. The NIST programs that I have demonstrate that NIST's cybersecurity portfolio is applicable to a wide variety of users, from small- and medium-sized enterprises to large private and public organizations.
    Thank you for the opportunity to present NIST views regarding cybersecurity challenges facing small businesses, and I will be pleased to answer any questions that you may have.
    [The prepared statement of Dr. Romine follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Rubio. Thank you both.
    I am going to defer the majority of my time at the front end.
    I just want to start actually with a story and then a kind of comment. I would love your input on this.
    So, about 2 years ago, according to an account that was shared with me, a small midsized company in South Florida shared with me that they got to work on a Monday morning and found that their entire system had been locked, and they had gotten, somehow, notification. I believe they said by email, but basically, all of their financial and proprietary business records had been stolen. And that in the message, they basically said to them, "We want you to send us $500,000 in Bitcoin. We know you can afford it because we have your financials. We are not asking for a million. We are asking $500,000."
    They contacted law enforcement and were basically told, well, if you want your information back, you are going to have to pay it.
    This was a company that--I would not say they are tiny. They are certainly profitable and a growing business but certainly not a large company. They had bars on the windows and an alarm system in their office, but they were wholly unaware that anybody even knew they existed, much less that a foreign actor from North Korea or somewhere else would target them.
    What do you assess writ large is the awareness that exists today among the millions of small and midsized businesses in America that they can be targeted this way, and what are we doing to create more awareness that this could happen to them?
    Dr. Romine. Well, thank you, Mr. Chairman, for the question.
    It is certainly the case that businesses of all sizes are susceptible to cybersecurity risk, and I think we are seeing increasingly that that is manifested through attacks on organizations of all sizes, so I understand the concern.
    From our perspective, from the NIST perspective, the way that we manage that is by trying to communicate more effectively to small and medium businesses that the size of your organization does not make you immune to the potential for cyber risk and that you have a responsibility in the same way that every organization manages financial risk and reputational risk and HR risk and all other types of risk. You have a responsibility as an organization to also manage your cybersecurity risk.
    Now, stating that after the fact, after someone has been attacked, I am not trying to blame the victim here. I am just saying that the goal for NIST is to try to raise that awareness across all sectors of the economy and at all scales that there is a responsibility to manage that risk, and that we have resources available that can help you do that.
    Chairman Rubio. What's your sense of the general awareness? I know it is not directly your department but just interacting with this issue.
    Ms. Roat. So with the SBA, I think the Small Business Development Center is working with the Office of Entrepreneurial Development. Working with those small businesses, many times it is not that the tools are not there and toolkits are not there, but I think there needs to be more engagement and more communication with the small businesses to get out in front of that and facilitation and getting that information sharing out there.
    You can tell a small business, "Protect your enforcement," but how do you do it? What is that checklist? I think there needs to be more engagement on that, adding on to what Dr. Romine said.
    Chairman Rubio. Ranking Member.
    Senator Cardin. Well, thank both of you for your testimony.
    Ms. Roat, on April 25th of last year, this Committee held a hearing in regards to preparing small businesses for cybersecurity success. After that hearing, then Chairman Risch and I sent a letter to Administrator McMahon with some of the suggestions that came out of that hearing, and we asked her view on requiring a number of Small Business Development Center counselors to be certified in cybersecurity assistance, a certification program for part-time cybersecurity professionals to fill the void that exists and IT workers that will service small businesses, a cybersecurity boot camp for small businesses, and forming a cybersecurity co-op to pull together willing buyers from various cybersecurity products and services, lowering the costs to small businesses for these products.
    We have not gotten a reply to that letter. Are you aware that that letter was sent, and can you just tell us what progress has been made in regards to those suggestions?
    Ms. Roat. So I am aware of the letter. I think in the context of the work that SBA's Office of Entrepreneurial Development has done with DHS, they are working on the Small Business Development Center, the cyber strategy for those small businesses, those SBDCs, and I think some of the elements that are in that letter should be incorporated as part of what should be done as part of that plan.
    I know that plan is in final clearance right now, but those elements should be at least vetted and worked through as part of that plan with SBA, the Office of Entrepreneurial Development, the SBDCs, as well as DHS.
    Senator Cardin. So when can we expect to receive that?
    Ms. Roat. It is in final clearance right now, going through SBA and DHS.
    Senator Cardin. A couple weeks? A month?
    Ms. Roat. I am not entirely sure. I do know that it is complete, and it is being vetted through SBA up to the Administrator now and through DHS.
    Senator Cardin. Well, I would encourage you to try to get that to us, particularly in response to our letter.
    There was an OIG report dealing with SBA's most serious management and performance challenges, and in several categories, the OIG report gives you progress for implementing the recommendations. However, the OIG report also states at SBA, outstanding IT security vulnerabilities remain, and the agency had significant deficiencies in IT security controls.
    Can you tell us the progress in implementing those recommendations or those findings?
    Ms. Roat. So the original management challenges, they were handed to me in October of 2016 when I walked in the door at SBA.
    I can tell you over the last 2 years, we have made significant progress, and we have actually taken not small steps, but very big steps to improve our cybersecurity posture at SBA.
    Not only have we gotten our arms around the entire technology stack from the infrastructure upgrading, all of our servers patching, we have consolidated our tool sets. We are now using cloud-based tool sets to monitor all of our on-prem environment, all of our cloud-based environments. We are taking log data, and that includes our legacy systems, taking all that data. So we have visibility of our entire enterprise.
    We are current on our patch levels across the entire organization. We are not running old operating systems and anything like that anymore. We have taken care of that. We have gotten rid of old equipment, old hardware, old software, and we have consolidated a lot.
And we are actually taking an \nenterprise view of SBA.\n    Last fall, we launched our Enterprise Security Services, \nand we are nearly completing onboarding the program offices, \nwhere there were previously stovepipes.\n    So we have taken not little steps; we have taken some very \nbig steps to get our arms around what is going on at SBA \nthrough the entire technology stack for our cybersecurity to \nmake sure that that data is protected.\n    Senator Cardin. I would ask that you keep our staff updated \nas to the progress you are making and complying with those \nconcerns. I would appreciate that.\n    Ms. Roat. Will do.\n    Senator Cardin. Dr. Romine, you mentioned the Cyber \nFramework, NIST\'s Cyber Framework. I would be interested in how \nthat is tailored towards small businesses and making it more \nuseful for small businesses.\n    Also, if you could, as you know, Congress passed the Small \nBusiness Cybersecurity Act. It was signed into law August of \nlast year. I understand the implementation is not what--it \nwould be unrealistic to expect that it is fully implemented, \nbut if you could give us an idea of how you are implementing \nthose requirements, I would appreciate it.\n    Dr. Romine. Thank you, Senator.\n    First, let me take the opportunity to thank you for your \nrecent visit on Monday to NIST. We are really grateful for the \ninterest that you display in the Institute.\n    With regard to the Cybersecurity Framework, I would like to \npoint out that during the development of the framework, we \nsought input from a very wide array of stakeholders and \npotential stakeholders, including small businesses, and we \nstrove mightily to ensure that the Cybersecurity Framework as a \nframework was scalable across sectors, up and down the supply \nchain, and from large to very small businesses. 
So we tried to \nkeep it in plain language.\n    We focused on just the five functions of identify, protect, \ndetect, response, and recover, and tried to give a common \nlexicon so that people could discuss cybersecurity posture and \ntheir cybersecurity requirements with vendors, for example.\n    So we feel that we have anecdotal evidence that many small \nbusinesses are adopting the framework in whole or in part to \neither begin a cybersecurity risk management program for their \ncompany or to augment and buttress one that already exists.\n    With regard to the Act that you mentioned that specifically \ncalls on NIST to provide more support for small businesses, I \njust want to reiterate that we rolled out just a few weeks ago \nwhat we call the ``Small Business Cybersecurity Corner,\'\' which \nis a website that is dedicated to providing as much useful \ninformation to small businesses as we possibly can. This \nincludes resources from NIST but also resources from our other \nFederal partners as well as from nonprofit organizations that \nmay have useful content that they can provide for small \nbusinesses to help manage their cybersecurity risk.\n    Senator Cardin. Thank you.\n    Chairman Rubio. Senator Shaheen.\n    Senator Shaheen. Thank you. Thank you both very much for \nbeing here and what you are doing to help small businesses.\n    Ms. Roat, last week, we had a hearing on Chinese industrial \npolicy, and one of the questions that I asked one of the \nwitnesses had to do with what SBA is doing to help small \nbusinesses deal with the cyber threat, whether it is from the \nChinese or others.\n    You just laid out very clearly what is happening internally \nwith controls at the SBA, but can you talk about what else SBA \nis doing to help those small businesses deal with cyber \nthreats? 
Because, unfortunately, one of our witnesses at that \nhearing said that the SBA really is not doing very much and \nthat they need to step up the game in order to help small \nbusinesses deal with an issue that is a huge challenge.\n    Ms. Roat. So I am aware of the training that the SBDCs are \noffering. In some of the programs last fall, I reviewed some of \ntheir materials, and the training runs from very basic \ncybersecurity, things that you should be doing as a small \nbusiness, and then stepping into a little bit more detail. So \nthey are providing some of that training.\n    I cannot answer if they are telling people specifically do \nnot buy these products or do not buy this software. That, I do \nnot know, but I have seen some of the materials and that they \nare training those small businesses.\n    Senator Shaheen. Is there further discussion about what \nelse either the SBDCs or other arms, other ways in which the \nSBA can help small businesses?\n    Ms. Roat. I think through our partnership with DHS, the \nSBDC--again, I mentioned earlier the cyber plan that has been \nput together that is in final clearance. I think that that will \ngo a long way to education, the role of the SBDCs and what they \nneed to do, not just offering basic training, but what other \nthings they should be doing to help address exactly what you \nare talking about.\n    Senator Shaheen. 
Have you thought about partnering with \nother agencies, whether it is Homeland Security, with the plan?\n    I know last year, there was a requirement that in order to \nbid on certain defense contracts, there had to be certain \ncybersecurity measures in place for small businesses, and that \npresented a huge challenge to many of our businesses in New \nHampshire because they just did not have the capacity, the \nresources to get the help they needed in order to quality.\n    Has the SBA thought about partnering with DoD or other \nGovernment agencies that are requiring certain cybersecurity \nprotections in order to bid for Government contracts?\n    Ms. Roat. I know the program offices are working closely \nwith other agencies on those requirements for cybersecurity as \nwell as other things. There are a number of different groups, \nwhether we work with DHS or DoD or others, and I know there are \ncertifications in many of the other programs that SBA offers.\n    To your question specifically, how are we engaged on that, \nI am not sure that I have a complete answer on that----\n    Senator Shaheen. Yeah. I think----\n    Ms. Roat [continuing]. As far as the certifications and the \nrequirements.\n    I work with small businesses in my office all the time, and \nI do hear from them. I was on the FedRAMP program as the \ndirector, and I heard from many small businesses about the \nrequirements around FedRAMP and security and cloud and how they \nget their applications to the cloud and the security \nrequirements and should they be partnering with an AWS and a \nMicrosoft and those big cloud providers, for their \napplications. I understand some of the challenges that they are \nhaving because they have brought those to me specifically when \nI was on the FedRAMP program.\n    Senator Shaheen. Well, thank you. It is an area that I \nthink we should be looking at ways in which we can be creative \nand provide more assistance because it is clearly needed.\n    Dr. 
Romine, one of the entities that exists that helps \nsmall businesses--and you mentioned that in your written \ntestimony--is the Manufacturing Extension Partnership. They \nhave done a great job in New Hampshire with providing \nassistance, whether it is around cyber issues or in other ways, \nmanufacturing processes with our businesses, and yet it is one \nof those programs which is consistently recommended by this \nAdministration to be eliminated.\n    So can you talk about the importance of maintaining the MEP \nprograms and what kinds of things they do to help business?\n    Dr. Romine. Certainly. Thank you for the question.\n    From our perspective, the MEP program is a really effective \nmeans of spreading the word on many different aspects of what \nmy laboratory works on and most particularly in cybersecurity. \nSo we have collaborated with MEP to provide additional guidance \nspecifically related to the previous question, which is how to \nsatisfy the requirements the Department of Defense has in \npointing back to our guidance, Special Publication 800-171, \nwhich is the protection of controlled unclassified information. \nSo there is additional guidance that helps to clarify for small \nbusinesses what they can do that is being distributed through \nthe MEP programs.\n    With regard to the program itself, if Federal funding \nshould be suspended--and that is something that, of course, is \nup to Congress and the Administration to work out, and I have \nno purview to speak on that score, but the States, as you know \nin your home State, also provide significant funding to those \nMEP centers. So although they might be required to reduce their \nscope, I think they would still continue.\n    Senator Shaheen. I would just correct you on New Hampshire.\n    Dr. Romine. All right.\n    Senator Shaheen. While we provide some support to the MEP \nprogram, without the Federal support, I think it is very \nunlikely that our program would continue.\n    Dr. 
Romine. Okay. All right.\n    Senator Shaheen. Thank you.\n    Thank you, Mr. Chairman.\n    Chairman Rubio. Thank you.\n    Just as a follow-up to both of you, last February, we heard \nfrom the Director of the FBI before the Senate Intelligence \nCommittee in an open hearing, and he discussed how smartphones \nmade by Chinese government-owned companies and -backed \ncompanies like ZTE and Huawei--and this is a quote from him--\nhave the capacity--this is a quote--``capacity to maliciously \nmodify or steal information.\'\'\n    Then in the 2019 NDAA, the National Defense Authorization \nAct, it restricted the Federal Government\'s use of products \nmanufactured by Chinese-based technology firms for substantial \nor critical components of any systems or as critical \ntechnology.\n    Can you discuss a little bit about what the Federal \nGovernment is doing to ensure that not only are we not using \nthese products, but that we are also cautious against white \nlabeling, which is basically the buying of technology parts \nfrom one of these companies where they are just not labeled as \nmanufactured by one of these companies? They put a generic \nlabel on it, sometimes even their own label, and we are \nconcerned because sensitive government work and essential \ngovernment work in America, we rely heavily on the private \nsector and so if they are compromised with the existence of \nthis technology, be it in routers or handheld devices or what \nhave you, a potential liability for the whole system, what are \nwe doing to address that particular component?\n    Dr. Romine. Thank you, Mr. Chairman. I am happy to address \nthat question.\n    Although NIST has no role in specifying a specific nation \nstate or other threat that is directly coming from a specific \ncountry, we do have an active program, an ongoing program in \nsupply-chain risk management. 
This is the kind of guidance that \nwe put out in consultation and collaboration with other Federal \nagencies on principles and practices that organizations can use \nto try to ensure that the equipment they purchase has the \nintegrity that they expect it to have by ensuring, to the \nextent practicable, the supply chain of that product or \nservice.\n    Chairman Rubio. Senator Ernst.\n    Senator Ernst. Thank you, Mr. Chair, and thank you to our \nwitnesses for being here today as well.\n    I am excited. First, Ms. Roat, I want to congratulate you \non the progress that you and your team have made to improve \ncybersecurity capabilities and protect the valuable personal \ninformation of millions, and that is just so far. We still have \nwork to do, but congratulations. Thank you so much.\n    Now that the Small Business Administration has caught up, \nwhat are you viewing as tomorrow\'s top cybersecurity \nchallenges, and what can we do to combat those emerging \nthreats?\n    Ms. Roat. Like you said, Senator, we have come a long way \nover the last 2 and-a-half years, and while we have built the \nfoundation, we have put some walls on what we have done, we are \ncontinuing to build out our house around cybersecurity.\n    We are actually a leader across the Federal Government now \nin the tools and the capabilities we have. We have been pilots \nfor DHS on their CDM and their tech programs. We are going to \ncontinue to build on that and really continue to drive that \ninnovation in our cybersecurity practices so they are not \nwaiting on somebody else. We are using those tools that are \nusing artificial intelligence that are really applying machine \nlearning, so that we understand what is in our environment, \nwhere our data is going, how it is moving across the \norganization, building in things like SD-WAN across our \napplication and building security in through our entire \ntechnology stack.\n    We are continuing to work with our program offices. 
While \nwe still have legacy systems in our environment and we are \ncontinuing that work, our modernization path is taking us, \nlooking at the enterprise as a whole, where previously it used \nto be in stovepipes, so that as we are looking at our data, how \nis our data being used, how is it moving across the \norganization, who is using it, both within the agency and \nexternally with our partners.\n    So next steps around cybersecurity are continuing on that \npath with our data strategy, getting our arms around our data, \nmaking sure we know exactly where it is, who is using it, and \nputting those role-based access controls around all of that.\n    Senator Ernst. Yes. Thank you for that.\n    I am not sure if Senator Shaheen had mentioned it, but \nyesterday we had a subcommittee in Armed Services on emerging \nthreats and capabilities. The focus of our subcommittee was \nartificial intelligence and machine learning and that type of \ntechnology. So it just even discussed how can we best utilize \nand leverage different departments, different agencies within \nthe Federal Government working together through research and \ndevelopment and then applying those technologies. Do you see \nthat that synchronization could possibly exist between our \nagencies as each of you look into cybersecurity and artificial \nintelligence?\n    Ms. Roat. So I think a lot of that activity through the CIO \nCouncil is going on right now around a lot of the artificial \nintelligence, a lot of those things really looking at how that \ncan be applied. Zero-trust networks is one of those things as \nwell. But through the CIO Council, the committees under the CIO \nCouncil are actually--the information sharing is going on, the \npilots, the testing, and gathering that.\n    So through the CIO Council--let me put a plug in for them.\n    Senator Ernst. Yeah, very good.\n    Ms. Roat. But there is a lot of work already under way in \nthat area.\n    Senator Ernst. Very good. 
Well, I appreciate that.\n    Dr. Romine, thank you so much for being here as well. Those \nnew small businesses and small businesses that have gained new \ncapabilities such as access to rural broadband may be \nespecially vulnerable to cyberattacks.\n    I come from a rural area. I know this is a concern that so \nmany of our businesses do have. What steps can we take to \nensure that these types of small businesses that are newly \nexposed to those cyber threats are equipped with the tools and \nthe resources they need to be cybersecure as quickly as \npossible?\n    Dr. Romine. Thank you, Senator.\n    I think the best way I can address that is to again talk \nabout the urgency of getting the word out on the importance of \nmanaging cybersecurity risk at all businesses, at all levels, \nregardless of size or location.\n    That word, we are trying to spread more effectively, and \nthis hearing, I am grateful is going to be doing that in part. \nWe get a spotlight on this issue.\n    The resources that we are making available through the \nSmall Business Cybersecurity Corner can be a good starting \npoint, the NIST website that we have stood up to specifically \naddress the concerns of small business in the cybersecurity \narena.\n    So I would just point to that and to the Cybersecurity \nFramework as a flexible way of helping initiate the management \nof cybersecurity risk in any organization.\n    Senator Ernst. Very good. We just need to ensure that they \nknow the path forward and how to make sure that they are secure \nand that their clients or customers are secure as well, so \nthank you.\n    Thank you very much to our witnesses, and thank you, Chair \nand Ranking Member.\n    Chairman Rubio. Thank you.\n    Senator Rosen.\n    Senator Rosen. Mr. Chairman, thank you for being here today \nand for the work that you are doing.\n    I was an original cosponsor of the NIST Small Business \nCybersecurity Act. 
I am very happy it was passed into law last \nsession.\n    So can you tell me how you think the situation has improved \nsince we have put that bill in?\n    I would also like to know--you said we have the website up, \nand there are on-ramps for small businesses. Do you have the \ndata or the numbers of the amount of usage of those websites?\n    Dr. Romine. Thank you for the question.\n    We do not yet. The website is relatively new. We will be \ntracking the number of times that it is visited and downloads \nof any documents that we have, not to origin, but just in terms \nof numbers of downloads.\n    Senator Rosen. I think it would be really helpful if you \nprovided us, those analytics, even with region of the country \nor where it is, because if that website is not getting utilized \nenough, then what is our challenge to be sure that people know \nthat they have this way to use it as an on-ramp?\n    Dr. Romine. Absolutely right. I appreciate that.\n    I think we still have a lot of work to do to get the word \nout. As I said, the website has been stood up for just a few \nweeks, and so it is very early days yet, but our goal is to \nensure that we do the maximum that we can to ensure that there \nis awareness of the site.\n    Senator Rosen. How are you spreading the word?\n    Dr. Romine. We are doing that in part through--again, this \nis very, very early days.\n    Senator Rosen. Uh-huh.\n    Dr. Romine. But we are doing this in part through our \npartnership with SBA. We are doing it through our partnership \nwith the Manufacturing Extension Partnership program within \nNIST. 
So we have collaborated on resources to help support \nsmall businesses in some of the requirements that the \nDepartment of Defense has in their acquisitions requirements.\n    So we are going to leverage that because that is a \nnationwide system that is designed to get the word out to small \nbusinesses, specifically manufacturers, but we think it is \nbroadly applicable.\n    We have a number of people who are subscribers to \ninformation services to keep abreast of activities that are \ngoing on in cybersecurity, and then we have a huge number of \nprivate-sector partners with whom we work collaboratively on a \nregular basis. We want them to get the word out as well.\n    Senator Rosen. I would hope you consider partnering with \nour Chambers of Commerce, and particularly in the States, maybe \neach governor probably has an office of small business, and \nthat through our State legislatures, we would be able to \ndisseminate the information.\n    Dr. Romine. Absolutely.\n    Senator Rosen. I think that would be something terrific.\n    Senator Rosen. And as we disseminate this information at \nNIST, we are sure that we have a well, robust, trained \ncybersecurity workforce. What kind of investments do you think \nwe can make in helping provide the people pipeline and trying \nto promote good business practices there?\n    Dr. Romine. NIST is privileged to lead the interagency \nactivity, the National Initiative for Cybersecurity Education, \nor NICE, and that is dedicated to strengthening the pipeline of \nhighly qualified workers in the cybersecurity arena, both \ncybersecurity-educated workers who we expect to work in the \ncybersecurity field as well as a greater understanding of the \nimportance of cybersecurity and some of the elements in a \ngenerally more educated workforce.\n    Senator Rosen. Who are your partners with that in our \nStates that we can point to?\n    Dr. Romine. Let us see. In the State, I know that we are--\n--\n    Senator Rosen. 
How are we getting the information?\n    Dr. Romine. I know that we are working with a lot of other \nFederal agencies in that space. We have, again, a pretty active \nwebsite of available activities. We have contractors who have \ndeveloped a website that is specifically designed to display \nwhere jobs are available across the Nation and where there is a \nconcentration of workers.\n    Senator Rosen. If it does not get down to individuals who \nwant to seek training for these things, the problem I see in a \nlot of these is we pass these frameworks, but then the \ninformation is not really--it is not disseminated to people who \nreally need it.\n    Dr. Romine. Right.\n    Senator Rosen. School guidance counselors, college guidance \ncounselors, career and technical education, apprenticeships.\n    So it is great that we have these websites. It is great \nthat you have all this information and you have some partners, \nbut if it is not ultimately sent out to everyone in a way that \nwe can turn that into action, then it is not very useful.\n    So that is why I am hoping we are going to see some future \nanalytics from you that will point us as to how we can educate \nour schools, guidance counselors, and all the like to prepare \nstudents for these kinds of jobs.\n    Dr. Romine. Right. We certainly do intend to be more \naggressive about getting the word out, and we routinely \ninteract with both the U.S. Chamber of Commerce as well as \nlocal Chambers of Commerce in some of the dissemination of \ninformation that we have.\n    Senator Rosen. Thank you.\n    Chairman Rubio. Senator Markey.\n    Senator Markey. Thank you, Mr. Chairman, very much.\n    There is a Dickensian quality to the internet. It is the \nbest of liars and the worse of liars simultaneously. It can \nenable. It can ennoble. It can degrade. It can debase. 
It all \ndepends upon how it is used.\n    So we have a situation where IoT, the Internet of Things, \nis also IoT, the Internet of Threats. You just cannot separate \nthem out unless you are realistic and want to build in the \nprotections, the safeguards to ensure that the vulnerabilities \nare minimized.\n    Last Congress, I introduced a bill called the Cyber Shield \nAct, which I will introduce again this year. I am doing it with \nCongressman Lieu, over in the House, and what the bill would do \nis to create an advisory committee on cybersecurity, experts \nfrom academia, industry, small businesses, consumer advocacy \ncommunities, and the public to create cybersecurity benchmarks \nfor IoT devices, such as baby monitors, cameras, toasters, \nrefrigerators, toys, et cetera.\n    The IoT manufacturers can then voluntarily certify that \ntheir products meet these industry-leading cybersecurity and \ndata security benchmarks and display the certification in \npublic, like Energy Star. There it is. Now for cyber, you have \nthe same kind of information.\n    My bill would reward manufacturers adhering to the best \ndata security practices while also ensuring small businesses \ncan make more informed choices. They are going to need \ninformation so they can make the right choice.\n    Ms. Roat, how could we help reward small IoT businesses \nthat are adhering to and investing in the best cybersecurity \nand data security protections?\n    Ms. Roat. So as we are working with the small business, I \nknow the Small Business Development Committees, the SBDCs, are \nworking with small businesses to try to educate them on what \nthey need to do.\n    I had read the bill on the Cyber Shield. I think one of the \nchallenges around that is making sure that it is kept up to \ndate and that people want to volunteer to participate in that \nto get the information out, so that the small businesses in \nturn know how to use and get to that information. 
And that is \ncritically important.\n    But that education piece and the communication and the \nconstant facilitation, not just providing, say here is \nsomething, go look at it, but really facilitating that \ndiscussion with the small businesses so they really understand \nand truly understand what it really means and what those \nthreats are.\n    You said IoT, the Internet of Threats, but how does the \nsmall business not just--how do you get through to them to \nreally understand what that threat factor is?\n    Senator Markey. I appreciate that. I do not know a lot \nabout electricity or other, but I know what Energy Star is. So \nI am just an ordinary consumer trying to figure it out, and I \nam kind of saying, ``Okay. That is a voluntary standard, and I \nwill trust that.\'\' If I find out I do not trust it, next time I \nam in the store, I am just going to say that was a piece of \ncrap that I got sold, just so you know, sir or ma\'am. So that \nis kind of how I view this. It is just information.\n    Then one of the problems in cybersecurity is you do have to \nkeep updating it.\n    Ms. Roat. Mm-hmm.\n    Senator Markey. It is just not a static thing. So the \nindustry that is selling the devices should have a \nresponsibility to keep updating, so that the consumer or the \nsmall business knows that this is a 2019 standard, not a 2016 \nstandard, and there it is, a 2019 five-star or a four-star or a \nthree-star. But then you can choose. If you do not want to pay \nfor the five-star, fine, but you understand that at a three-\nstar and two-star, you are taking a risk.\n    Would you think that would be helpful to small businesses \nto have that kind of information, especially the ones that have \na little bit of--maybe they have got a 23-year-old on staff who \ncan tell them what it means, you know, making the decision.\n    [Laughter.]\n    Ms. Roat. 
I think it could be helpful, especially for those \nsmall businesses where you have folks that may have that 23-\nyear-old, but that 23-year-old really, again, needs to \nunderstand what--like the Energy Star, what that really means \nand what the importance of it is.\n    Senator Markey. Right.\n    Ms. Roat. So having something like that definitely would be \nuseful for the small businesses because they could have a list \nand say okay, this, this, this, and this is what I need.\n    Senator Markey. Right. And I agree with you. I mean, it is \na way of not having a mandate, but yet it is voluntary. You do \nit or you do not do it. You do not even have to do it. You just \nhave your product out there without a cybersecurity, but when \nyou are trying to buy a car and it says five stars for safety, \nfour, three, two, you can ask extra questions. If you have a 3-\nyear-old, you can ask extra questions. What is the security \nthat is missing in this vehicle? If you want to just go \ndiscount, you can do it, but you are taking the risk, in other \nwords. It is right there for you to see.\n    Having the information ultimately, from my perspective, is \ngoing to be something that it drives the whole industry because \npeople will gravitate towards excellence. They will gravitate \ntowards security and especially every day that there is another \nbreach, and you are now purchasing something for your company, \nyour small company, that could help to avoid something that \nhappened at Equifax or TJ Maxx or something where their whole \nsystem went down, and then you find out later, they were using \na three-star safety system, which in a lot of instances, that \nis what the big companies were using.\n    So you really want to make this a virtuous technological \ncompetition, and then those that are doing the best let you \nknow. 
And I think then people would gravitate towards it.\n    I am hoping I can work with the community towards achieving \nthat goal.\n    Thank you, Mr. Chairman.\n    Chairman Rubio. Thank you.\n    I want to thank both of you.\n    Do you have any further questions?\n    [No response.]\n    So thank you both for being here. I appreciate it. We are \ngrateful for your testimony and for answering our questions.\n    We will transition to the second panel as I begin to \nintroduce them, so thank you. I guess we will have to get one \nmore chair up there.\n    So let me introduce the second panel as they come up and \nget ready. Karen Harper of Cambridge, Massachusetts, is the \npresident of Charles River Analytics, Inc., which uses \ninternational property to serve Government and private clients. \nMs. Harper is also the principal scientist at Charles River, \nspecializing in developing unmanned systems and other \ninnovative products.\n    Elizabeth Hyman is an executive vice president at CompTIA, \nhere in Washington, D.C. She has extensive experience with IT \npolicy from working with Lenovo and the Consumer Technology \nAssociation. Her role in government affairs for this technology \nassociation began by working for the Attorney General, the Vice \nPresident, and the Office of the U.S. Trade Representative.\n    Stacey Smith is the president and CEO of the Maryland Cyber \nAlliance.\n    Senator Cardin. You can tell by her scarf.\n    Chairman Rubio. You can tell by the scarf, he says.\n    The Maryland Cyber Alliance or CAMI. Is that right? At \nCAMI, Ms. Smith works with business partners, cybersecurity \nprofessionals, and Maryland government to create cybersecurity \njobs. Previously, she was a small business owner and served as \nthe Cyber Community Manager for the Maryland Department of \nCommerce.\n    Thank you all for being here with us today.\n    Ms. 
Smith, we will begin, if you have a statement for us.\n\nSTATEMENT OF STACEY SMITH, PRESIDENT AND CEO, CYBER ASSOCIATION \n                       OF MARYLAND, INC.\n\n    Ms. Smith. Thank you.\n    As you mentioned, I am Stacey Smith, the president of the \nCybersecurity Association of Maryland, Incorporated, or CAMI, \nas we are known, for short. Our organization is a statewide, \nnonprofit organization based in Baltimore City, and we are with \na mission of job creation and sales generation through \nMaryland\'s cybersecurity industry.\n    Our members include almost 450 of Maryland\'s cybersecurity \nproduct and service companies, many of which are small \ncompanies focused on helping small businesses be more \ncybersecure.\n    In 2017, the Better Business Bureau conducted a national \nstudy and published the ``State of Cybersecurity Among Small \nBusinesses in North America\'\' report. Eighty-five percent of \nthe businesses surveyed had 50 or fewer employees and were in \nvarious industry sectors, including retail, construction, \nfinancial, manufacturing, real estate, health care, and others.\n    The research found that small businesses are becoming more \naware of cyber threats and are taking proactive steps to \nenhance their cybersecurity. In fact, 9 out of 10 said they \nhave some form of cybersecurity in place, with the most common \nbeing antivirus and firewalls.\n    But that is not nearly enough to ensure a business is safe \nfrom today\'s advanced cyber threats. 
As a result, they leave \nthemselves vulnerable and may even lose more through a \ncyberattack than they would have spent implementing \ncybersecurity protections to prevent them.\n    If small businesses are more cyberaware than ever, why are \nthey not doing more to protect themselves, their data and their \ncustomers?\n    The BBB\'s research found that companies are ill-equipped, \nprimarily due to a lack of resources, including funds, and the \nlack of knowledge--what to do, who to consult or hire.\n    Here are a few real-world cyberattack examples provided by \nsome of our members.\n    A small marketing firm in Baltimore was hit with a \nransomware attack. Everything on their server, including client \ndocuments, financial spreadsheets, and the project tracking \nsoftware at the core of their day-to-day business, was locked \nand held for ransom.\n    Hackers had used automated bots to search the internet for \nvulnerable servers without the necessary security controls. \nWhen the bots reached the agency\'s server, they hit pay dirt.\n    The agency reached out to a Maryland cybersecurity company \nthat restored their systems, and 317,000 files had to be \npainstakingly restored. Two days of client work were lost. It \ntook 4 days to fully restore everything, and the business spent \nthousands of dollars to mitigate the situation.\n    In another example, the CFO for a small Maryland \nconstruction company fell target to an email phishing scam. He \nreceived a message from what looked to be one of their regular \npayees asking him to update wire information and transfer \nmoney. 
He did so.\n    Seeing a vulnerable target, the hacker sent another message \nthat ultimately allowed access for a ransomware attack through \nwhich the company\'s files were locked until the company paid \nthe ransom money.\n    In total, the company lost almost $200,000 through the wire \ntransfer, ransom payment, and cost for a Maryland cybersecurity \ncompany to completely restore and rebuild their network.\n    Lastly, another recent example, a small organization \nnoticed anomalies affecting the CEO\'s electronic calendar and \ndocuments and reached out to a Maryland legal firm for help. \nThe firm\'s data security breach response team\'s investigation \nrevealed that the organization\'s recently fired head of \nInformation Technology had hacked back into the organization\'s \nsystems and deleted key events and documents of the CEO and ex-\nfiltrated electronic personal health information of thousands \nof Marylanders.\n    The U.S. Attorney\'s Office and FBI were notified. The \nhacker was charged and sent to prison. The legal firm helped \nthe organization notify affected individuals.\n    Had these businesses had proper protections and employee \ntraining in place, it is possible that the cyberattacks could \nhave been prevented or mitigated, saving them from immeasurable \nstress; time, production and financial losses; and even \nreputational damage.\n    But, as previously mentioned, small businesses often do not \nknow what help they need or where to go for help, and the fear \nof the cost keeps many of them from investing in cybersecurity \nbefore they are faced with a cyberattack.\n    Luckily, for Maryland businesses, CAMI exists to connect \nthem to companies within our State with answers to their \nquestions and products and services they need to be \ncybersecure.\n    They can connect online through our directory of Maryland \ncybersecurity providers. 
They can also attend events, including \nour upcoming Maryland Cyber Day Marketplace, to connect face-\nto-face with local cybersecurity companies.\n    If funding is the issue, our State legislators passed a \nnationally unique bipartisan bill in 2018, making it more \naffordable for businesses to be cybersecure. The bill provides \na tax credit for Maryland businesses with 50 employees or less \nfor 50 percent of what they spend on cybersecurity products and \nservices purchased from a qualified Maryland cybersecurity \nseller, up to $50,000 annually for that tax credit.\n    In 2019, we have $4 million to award in tax credits to \nsmall businesses through this program.\n    Our organization has partnered with the Maryland Department \nof Commerce, the Better Business Bureau of Greater Maryland, \nRegional Manufacturing Institute of Maryland, Maryland \nManufacturing Extension Partnership, and others to make small \nbusinesses aware of the tax credit program to incentivize them \nto be proactive rather than reactive in their efforts to be \ncybersecure.\n    This local bill provides a tool for Maryland cybersecurity \ncompanies to generate local sales, grow, and ultimately add \njobs as they do so, and it incentivizes Maryland businesses to \npurchase the cybersecurity products and services they need, \nthus ensuring a more cybersecure business environment in \nMaryland.\n    Thank you for the opportunity to testify, and I am happy to \nanswer any questions.\n    [The prepared statement of Ms. Smith follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Rubio. Ms. Hyman.\n\nSTATEMENT OF ELIZABETH HYMAN, EXECUTIVE VICE PRESIDENT, COMPTIA\n\n    Ms. Hyman. Chairman Rubio and Ranking Member Cardin, on \nbehalf of the Computing Technology Industry Association, \nCompTIA, thank you so much for having me here today.\n    CompTIA is the leading voice and advocate for the $1.6 \ntrillion U.S. 
information technology ecosystem and the more \nthan 11.5 million IT professionals who design, implement, \nmanage, and safeguard the technology that powers the world\'s \neconomy.\n    As we have discussed, small businesses are the backbone of \nour economy, but they are fertile targets for cybercriminals \nlooking to exploit vulnerable defenses. Small businesses have \nfewer employees and resources than large enterprises and \nbecause of this have less to invest in cybersecurity.\n    CompTIA works with small businesses and customers on a \ndaily basis, and we are committed to ensuring that they are \neducated on and protected from the threats that they are \nfacing.\n    At one time, cyberattacks were considered just an IT \nproblem, and that is certainly not the case anymore. \nCybersecurity issues have grown in size and scope, becoming \nmore sophisticated, harder to detect, and more widespread.\n    As Senator Cardin has already noted, according to the 2018 \nVerizon Data Breach Investigation Report, 58 percent of breach \nvictims were characterized as small businesses. Research by \nCybersecurity Ventures estimates that by 2021, cybercrimes will \ncost $6 trillion per year.\n    While improved cybersecurity is needed across the board, \nsmall companies are the ones with the steepest challenge. \nAccording to our research, 62 percent of small businesses have \ninternal resources focused on security compared to 91 percent \nfor medium-size businesses and 96 for large firms. \nUnderstanding the problems facing small businesses is only part \nof the challenge.\n    We must also aggressively put forward solutions and enlist \nthe help of public partners like the Small Business \nAdministration and NIST to help address these challenges.\n    We must focus on improving three key elements of modern \nsecurity. The first are technology tools. SMBs need advice and \nguidance on what a modern security toolset should include. 
This \ncan range from data loss prevention software to more proactive \ntools and methods, such as penetration testing which assesses \nthe strength of a defense system.\n    Secondly, focus is needed on helping small businesses \ndevelop business processes that reflect how to build security \npolicies and establish proper enforcement. This will include \ninternal operations as well as relationships with outside \nsuppliers of services or partners. A great place to start in \nthis discussion is to develop metrics to track the \neffectiveness of security programs and processes, such as, for \nexample, tracking results from phishing expeditions.\n    Lastly, we need effective employee education. Many small \nbusinesses have a small team or a solo IT professional who \nneeds to have a solid foundation in security skills, sufficient \nspecialized expertise in a few key areas, and then the ability \nto work with an outside partner, such as a managed security \nservices provider, when deep expertise is called for.\n    CompTIA is one of several vendor-neutral certifying bodies \nthat offer certifications, high-stakes exams, that are ANSI- \nand ISO-accredited.\n    CompTIA is the market leader, having certified more than 2 \nmillion people in more than 100 different countries. 
There are \nmany ways our certifications can help support small businesses \nand enhance their cybersecurity.\n    CompTIA\'s Cybersecurity Pathway includes certifications \nthat describe the basics of IT systems, such as our IT \nfundamentals exam or an A-plus exam, and others that describe \nthe technical aspects of cybersecurity, such as Security Plus, \nCompTIA Cybersecurity Analyst Plus, and Penetration Testing \nPlus.\n    Completion of at least IT Fundamentals and A-Plus would \nposition a small business IT professional to successfully \nhandle internal cybersecurity matters and oversee third-party \nmanaged security firms.\n    Finally, it is vital that we focus on establishing a \nculture of cybersecurity within any organization, including \nsmall business owners and principals. As CompTIA outlined in \nour white paper, ``Building a Culture of Cybersecurity: A Guide \nfor Executives and Board Members,\'\' there are six principles \nthat all organizations can adopt on a scale that is appropriate \nfor their business.\n    One, integrate cybersecurity into a business strategy.\n    Two, insist that the corporate structures reinforce a \nculture of cybersecurity, otherwise leadership is not sending \nthe message that this matters.\n    Understand that employees are the biggest risks. Consider \neducation for the employees, even considering access to company \ndata to mitigate damage.\n    Focus on detection. The longer it takes to detect a data \nbreach, the more expensive that breach becomes.\n    Emphasize data protection, that is, collect what is needed. 
\nShare only what needs to be shared.\n    And, finally, develop robust contingency plans and test \nthem.\n    By working together and continuing to embrace the private-\npublic partnership that has long benefited the cybersecurity \necosystem, we can do a great deal to help better prepare small \nbusinesses and businesses of all sizes for the cybersecurity \nthreats they are facing.\n    I thank you for the opportunity to participate in the \nhearing today and look forward to your questions.\n    [The prepared statement of Ms. Hyman follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Rubio. Ms. Harper.\n\n    STATEMENT OF KAREN A. HARPER, PRESIDENT, CHARLES RIVER \n                        ANALYTICS, INC.\n\n    Ms. Harper. Good afternoon. Thank you, Chairman Rubio, \nRanking Member Cardin, and members of the Senate Committee on \nSmall Business and Entrepreneurship for inviting me to testify \ntoday on the current state of cyber vulnerabilities facing \nAmerica\'s small businesses and the impacts that current \npolicies, though well intended, are having on small business.\n    My name is Karen Harper. I serve as president of Charles \nRiver Analytics, a small research and development company \nemploying 180 people, headquartered in Cambridge, Massachusetts, \nwith a satellite presence in Wakefield, Rhode Island, and \nremote presence across the country.\n    Since 1983, Charles River has been delivering intelligent \nsystems software to transform our customers\' data into mission-\nrelevant tools and solutions across Federal agencies.\n    For a small business, we bring an impressive array of deep \ntechnical expertise to these efforts, including artificial \nintelligence, sensor and image processing, human systems \nintegration, and notably for today\'s hearing, cybersecurity.\n    Charles River has been on the cutting edge of research and \ndevelopment related to cyber defense for many years. 
Through \nthis research, we have gained a deep understanding of the \nvulnerabilities of our Nation\'s public and private \ninstitutions, corporate entities, and private citizens. It is \nimperative to provide the Nation\'s small businesses with \nstraightforward, pragmatic policy guidance and effective \nsupport to improve our own cyber defense systems.\n    Recent efforts to standardize cyber defense strategies have \nbeen implemented in the defense industry through the adoption \nof the National Institute of Standards and Technology, or NIST, \nSpecial Publication 800-171, to protect controlled unclassified \ninformation, or CUI, in non-Federal IT systems.\n    While we are small, business leaders understand the good \nintentions of the NIST standard. Compliance with it is \ncurrently extremely costly and overly burdensome.\n    The publication includes 110 IT control requirements. Many \ncontractors are still grappling not only with the technical \ncomplexities of the requirements, but also with a lack of \nclarity about what actually constitutes controlled unclassified \ninformation.\n    This lack of clarity has been a critical concern in Charles \nRiver\'s NIST compliance program. Because CUI is not always \nclearly identified, we declared that all data on our corporate \nnetworks must be treated as CUI. It may sound simple; it has \nbeen far from it.\n    Our IT and software engineering teams took on the challenge \nof NIST compliance with gusto. However, they encountered \nmultiple issues in their efforts. First, NIST requirements are \nvague. 
All of the 110 NIST controls can be implemented in a \nvariety of ways, and there is a dearth of specific guidance on \npreferred implementation methods.\n    As a result, we spent approximately 800 person-hours to \nsimply interpret the control requirements.\n    Second, we found that many of our customers seemed equally \nconfused and unable to provide helpful clarification and \nguidance throughout Federal agencies.\n    Fortunately, our team is very technically savvy. After \ndeciphering all of the NIST controls, we were able to develop a \nrisk-gap analysis and formulate a plan of action. We then spent \nan additional 1,500 person-hours to implement that plan.\n    While we are confident that Charles River is now fully \nNIST-compliant, we remain unsure of how and when that \ncompliance will be confirmed through audit.\n    The costs of NIST compliance are quite burdensome. We spent \nmore than $300,000 in hardware, software, and vendor \nmaintenance contracts. We estimate that we will spend an \nadditional 30 percent each year on non-labor IT to maintain our \ncompliance. Our IT staff has almost doubled in size and cost, \nspecifically to support NIST compliance.\n    Now, I recognize that as an advanced software engineering \ncompany, our IT infrastructure is more complex than the average \nU.S. small business, and so our costs are likely higher than \nmost. However, we cannot kid ourselves that true NIST \ncompliance can currently be achieved at a reasonable cost to \nsmall business.\n    Finally, NIST compliance places a significant burden on our \ntechnical staff. 
Creating and maintaining compliant \ninfrastructure drains resources from project work, resulting in \nless progress per dollar.\n    Perhaps most importantly, NIST compliance hinders and \nfrustrates our top-performing staff, causing them to seek \nemployment in other sectors, thus making it difficult to \nmaintain competitive business advantage and, at the end of the \nday, competitive national advantage.\n    Given the challenge, expense, and business impacts of our \nNIST compliance program, we recommend improvements to the \nGovernment specification and support for its implementation \nacross three areas.\n    First, we require clarity in the definition and management \nof CUI, both provided by our DoD customer base, but also \ngenerated by our company in the course of doing business.\n    Second, we require flexibility in the application of \ndefined NIST controls. IT requirements across industry vary \nwidely, and the implementation of NIST-compliant controls \nshould reflect this diversity.\n    Finally, we require clear guidance to support proper \ncompliance, and that guidance must be delivered in easily \naccessible implementation guides.\n    Thank you for allowing me to testify before the Committee \ntoday. I would be happy to answer any questions you may have \nfor me.\n    [The prepared statement of Ms. Harper follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Rubio. Thank you.\n    I\'m going to defer my question time to Senator Hawley, who \nI think has to go and do something right away.\n    Senator Hawley. Thank you very much, Mr. Chairman. Thank \nyou, Ranking Member, and thank you to the witnesses for being \nhere.\n    Ms. Harper, I just want to stay with you. 
The citizens of \nMissouri, my home State, have been faced with a series of \ncyberattacks across a range of industries.\n    Last year, Blue Springs, which is in the Greater Kansas \nArea, the Blue Springs Family Care was hacked by malware and \nransomware, and nearly 45,000 patient records were stolen, \nincluding patients\' Social Security numbers, account numbers, \ndriver\'s licenses, medical information, and so on.\n    We had another case in Fort Leonard Wood, which I think the \nChairman mentioned earlier, in which Fort Leonard Wood, our \nmilitary installation there removed surveillance cameras made \nby Chinese manufacturers due to significant security concerns.\n    As I just listened to your testimony, as I read your \nwritten testimony and those of your fellow panelists, I was \nstruck by the sheer magnitude of the problem, but also what you \nhave just been talking about, the incredible difficulty of \ncomplying with the NIST standards.\n    You suggested something I found interesting, which was in \nyour written testimony, which was incentivizing large IT \ncommercial vendors to develop NIST-compliant variants of \nmarket-leading IT products. Can you just say something more \nabout that idea?\n    Ms. Harper. Absolutely.\n    We all agree that the threat is paramount. It is a targeted \nthreat in many cases. It is a challenging threat for the entire \nNation, for all of our institutions, our companies, small \nbusinesses, and us as individuals. 
We cannot minimize the \nthreat, but the way that we address that threat is still very \nnascent in my opinion.\n    As we have gone through our NIST compliance program, which \ntook an immense amount of effort and challenge for a very \nsavvy, high-tech software engineering company, small businesses \nin this country that do not do the work we kind of do, do not \nstand a chance to be as effectively implementing something like \nNIST 800-171, at least.\n    So can we transfer some of the requirement for that on to \nthe IT sources that we all already rely upon? So Office 365 for \nMicrosoft and AWS with their Web service and cloud \ninfrastructure. Is there a way that the Government can \nincentivize those players in the industry as well as the \nhardware side with Cisco, et cetera, to augment and provide \nNIST-compliant versions that will take the complexity of this \nprocess out of the game for small businesses that do not have \nthe technical savvy that my staff does?\n    Senator Hawley. Is it your thought or hope that this would \nmake these sort of protections, effective cybersecurity, more \naffordable for small business as well? I mean more widely \navailable, more affordable, easier to implement.\n    Ms. Harper. Many of us already pay a great deal of money to \nmanage our software licenses for these very common tools. \nAugmenting that cost to get a NIST-compliant collection at a \nreasonable cost seems a very reasonable approach.\n    If my IT staff could have bought AWS NIST-dot-1, dot-2, we \nabsolutely would have done it, and we probably would have spent \na lot less than $300,000 in doing it.\n    Senator Hawley. Yeah. The costs that you outlined in your \ntestimony here are just extraordinary.\n    What can we do? What might this Committee do to help make \nthis happen?\n    Ms. Harper. 
So, first of all, I think recognizing the NIST \nStandard 800-171 is a really valiant attempt to address this \nset of threats that is facing us.\n    I do not want it to go away. I want it to be a more \nmanageable process. I want it to be more accessible, even to a \nstaff like mine.\n    When we were introduced to the requirements for NIST--and I \nwill say this anecdotally at best--my IT team pulled me and my \nCFO into a conference room and spoke to us for about 2 and-a-\nhalf hours, and we left the room feeling quite ill. We could \nsee exactly the cost that was coming at us, but the cultural \nimpact that this has also had on our company.\n    So I do not want to dismiss any of the value of NIST. I \nwant to recognize that where we are right now is not good \nenough in supporting its implementation. I would like to see \nCongress able to support NIST and other organizations like SBA \nto provide access to recipe guidelines for various companies \nthat have IT requirements--X, Y, and Z. Here are the five \nthings you need to buy and implement. If you need to do lots of \nother things in A, B, and C, then here is the extra \ncomplexity--more complex set of things that need to be done.\n    That level of documentation, spending, 4 of our 8 months of \nimplementation, just trying to interpret the controls was \ndisconcerting, at best.\n    Senator Hawley. That is extraordinary.\n    Yeah. Thank you so much for your testimony. Thank you for \nbeing here.\n    Thank you, Mr. Chairman.\n    Chairman Rubio. Ranking Member.\n    Senator Cardin. Well, I thank all of you for your \ntestimony.\n    Ms. 
Harper, I am trying to get a handle on exactly how we \ncan accomplish the objective that is critically important when \nyou are dealing with Federal agencies that have sensitive \ninformation, and we expect the contractors to have security for \nthat information, how we achieve those objectives, but do it in \na way that is less burdensome and certainly less impact on the \nwork of your talented people.\n    We appreciate the follow-up for today. You certainly have \npiqued our interest, and we are still a little bit confused as \nto how we should proceed in order to deal with some of the \nissues that you have raised. So I hope you will feel \ncomfortable in working with us to try to figure out how we can \naccomplish this.\n    Ms. Harper. I and my staff would be more than happy to help \nto shape some activities.\n    I think that it will be important to recognize different \nrequirements and recognize the different companies.\n    Yes, we are a defense contractor. We hold a great deal of \nsensitive information that is not classified, and we recognize \nthe importance of that.\n    We equally recognize the importance of our own data and our \nstaff data.\n    So protecting all of it is imperative, but there has to be \na more flexible way to go about implementing this kind of \nstandard than we have accomplished.\n    Senator Cardin. And I appreciate it. I appreciate that \nattitude, recognizing we need to do it.\n    Ms. Harper. Yes, absolutely.\n    Senator Cardin. So let us figure out the best way to do it.\n    Ms. Hyman, I looked at some of your numbers, and I am \nthinking that there are a lot of small businesses that have \nbeen compromised that do not come forward and tell us. Either \nthey are embarrassed or they do not want their customers to \nknow they have been infiltrated. 
So we do not even have the \nfull numbers of small businesses that have been compromised \nthrough cyberattacks.\n    What have you found is the best selling point to get a \nsmall business owner focused in the right direction as to how \nto deal with their cybersecurity needs?\n    Ms. Hyman. Senator, thanks for the question.\n    To your point, one thing that I would present to you is \nthat we have a very robust research department at CompTIA, and \nwe are open to and would welcome the opportunity to do more \nresearch into the small business situation, try to get to the \nbottom of what some of the challenges are that they are facing \nin addition to what we have put in our written testimony.\n    But we work day-to-day with a lot of small businesses and \nparticularly on the managed service side of things. We have an \nIT security community which is sort of a crowdsource group of \ncompanies, and so we are able to talk to them about the dollar \nvalue, what is their exposure from a business point of view. \nAnd it is really the title of this hearing. It is an \nexistential threat, and they could ultimately go out of \nbusiness if they are not paying attention to some of the basic \nissues that are out there.\n    The other thing is because we are a certifying body for the \nworkforce, we are very focused on trying to attract talent and \nmake sure that that one person in that small business has the \nrequisite knowledge and can validate their skill sets, so that \nthey can at least have an opportunity to manage what they need \nto manage on a day-to-day basis, but also have the education \nand expertise to work with managed service providers, managed \nsecurity providers. That third-party relationship is really \nvital I think to a lot of small businesses, particularly not \nthose that are in software, but like an HVAC company.\n    Senator Cardin. Certainly.\n    Ms. Hyman. Yeah.\n    Senator Cardin. Thank you. That is very helpful.\n    Ms. Hyman. 
Yeah.\n    Senator Cardin. Of course, I am very proud of what Maryland \nhas done. Ms. Smith, congratulations on getting that \nlegislation through the Maryland General Assembly because \nobviously cost is an issue. There is not a lot of flexible \nfunding for a company that has one employee. So for them to get \nthe expertise they need to deal with cyber, it is a challenge \nfinancially.\n    So the credit in Maryland seems like a very attractive \ntool. I think I heard you say somewhere around $4 million in \ncredits for----\n    Ms. Smith. Yes, sir. Yes. That is the year 2019. There is \n$4 million available for tax credits for that program.\n    Senator Cardin. So it is a little early, I guess, to know \nthe exact impact here, but can you just tell us what you have \nbeen hearing from the small business community in regards to \nthe attractiveness of this tool and getting the focus on \ncybersecurity?\n    Ms. Smith. Sure.\n    I hear more on the side of our cyber companies telling us, \n``How do I apply? How do I get approved as a seller?\'\' But we \nwork closely with the Better Business Bureau of Greater \nMaryland and Regional Manufacturing Institute, as I mentioned, \nand they are getting the word out to their businesses who are \nexcited about it, trying to figure out how do they access it.\n    I think because it is so new, just in October, we got the \nfinal details all worked out and are able to release it.\n    But working even with the MEP group organization in our \nState, we have done some programming to let the businesses know \nabout it, and they are very excited that it is there. It is \njust right now figuring out who is the qualified sellers that \nthey can purchase those products from and what do they need. A \nlot of them do not even know what do I need, where do I start. \nSo just connecting them with the right resources, that is where \nwe are playing a role in helping them identify those.\n    Senator Cardin. 
I am a believer in federalism. So we are \nwatching very closely what you are doing in Maryland. We might \ntry to take some of those programs and look at them as national \nprograms. So we will be following very closely what is \nhappening in the great State of Maryland. So thank you very \nmuch.\n    Chairman Rubio. Senator Kennedy.\n    Senator Kennedy. Thank you, Mr. Chairman, and I want to \nthank our witnesses for being here today.\n    I mean, most small businesswomen and businessmen are busy \nearning a living and trying to make payroll. They read about \nthe need to enhance their cybersecurity, but most of them--and \nmany Senators--do not know where to start.\n    Tell me again what Maryland has done to try to educate \nsmall business people.\n    Ms. Smith. Well, our organization is primarily focused on \nour cybersecurity companies growing and generating sales. So we \nhave partnered with a lot of business organizations in the \nState that do help the small business community or even larger \nbusinesses to access whatever they need to be cybersecure.\n    So we create programs throughout the year. We have a big \nevent coming up in April where they can connect face-to-face. \nIt is called our Maryland Cyber Day Marketplace. We will have \nabout 100 of our cyber companies there. This year, we have \ncreated what we call ``Information Station,\'\' so they can come \nand, if you do not know where to start, somebody will guide \nyou. So just partnering, I think, with those organizations, \nother organizations, and also having an online directory. Most \nStates do not.\n    Senator Kennedy. Tell me what, if anything, does the SBA do \nhere. I mean, if I am a small businessman and I want to enhance \nmy cybersecurity and I call SBA and say, ``How do I enhance my \ncybersecurity?\'\' What are they going to tell me?\n    Any of you.\n    Ms. Smith. 
I know that we see SBA members or staff people \nat some of the events that we go to, so I know they are out \nthere.\n    I was not aware that the SBA had cybersecurity resources \nuntil I was asked to testify here, so I do not know.\n    Senator Kennedy. What would you advise me as a small \nbusinessman? I come to you and I say, ``I want to enhance my \ncybersecurity. Where do I go? What do I do?\'\'\n    Ms. Hyman. I would say there are a number of different \navenues, but I think one of the--well, I mean, there is the \nNational Cybersecurity Alliance. There are the SBDCs, which are \nstarting to try to take a more vocal----\n    Senator Kennedy. What is an SBDC?\n    Ms. Hyman. The Small Business----\n    Ms. Harper. Development Center.\n    Ms. Hyman [continuing]. Development Center. Thank you.\n    So they are localized. For example, I was looking at the \nMichigan SBDC earlier today, and they have developed a very \ncomprehensive website, which is great. It is a start.\n    But we also work with NIST, for example, in terms of what \nthey do, or DHS has local--localized efforts to reach out to \nsmall businesses. But I will tell you it is a very dispersed \nconversation.\n    So, as a nonprofit trade association, we are constantly \ntrying to educate our membership, and it ranges from managed \nservice providers to small companies to large companies, but we \nare trying to educate them as to the resources that are out \nthere. That is a role that we can play, partnering with these \nvarious public entities.\n    Senator Kennedy. Ms. Harper, do you want to add anything?\n    Ms. Harper. 
Senator, I believe that being a small business \nowner and not having the technical background that my company \ndoes--and you recognize that there is this threat out there \nthat you do not understand; you do not understand how it \nimpacts your systems, your payroll systems, anything else that \nyou are housing in your organization--sadly, I would say I bet \npeople start with google.com and start looking for some \nresources.\n    I would hope that the presence of SBA and the NIST \nCybersecurity Framework and things would pop out as resources \nto that small business owner to provide that, but I am quite \nconfident that they do not know about it today.\n    Senator Kennedy. Okay. You may or may not know this, but I \nassume most small business people start thinking about \ncybersecurity after they have had a problem.\n    Would that be----\n    Ms. Harper. As a research company very focused in \ncybersecurity, I would like to think we are a little ahead of \nthe game, but understood.\n    Senator Kennedy. With the exception of your company.\n    How do we reverse that? I try to put myself in the shoes of \nthe small businessperson. Again, you are working hard. You are \ntrying to make payroll. You read these articles about \ncybersecurity, but you do not know where to start.\n    Ms. Harper. And furthermore, sir, when you see the news and \nyou recognize that TJ Maxx and OPM are being compromised, how \ndo you even hope to start----\n    Senator Kennedy. That is a great point. That is a great \npoint.\n    Ms. Harper [continuing]. And provide that? So you are \nhoping that industry is going to rally around you and provide \nyou, hopefully, with the tools that are being developed to \nprotect those kinds of industries, and hopefully, you can \nafford them once they are available.\n    Ms. Hyman. 
I wonder also if there is a message to be \ndelivered, which is that it is a competitive advantage for a \nsmall business to have taken on certain steps that show they \nare aware of cybersecurity and that they need to differentiate \nthemselves from the guy down the street. That is certainly one \nthing to talk about.\n    But you are right. This is a very comprehensive effort \nrequired from an educational point of view, from providing \nreasonably affordable tools that are out there, and making that \nbusiness case.\n    Ms. Smith. As I indicated in my testimony, one of the \nreasons that companies say they do not implement cybersecurity \nprograms or invest in cybersecurity is they do not know who to \nuse. That Google search is going to turn up a ton of resources, \nso maybe having resource directories of cyber providers.\n    Senator Kennedy. That is just going to give you Google\'s \npreferred providers.\n    Ms. Smith. Right, right. Who pays Google, right, would be \nat the top of the list.\n    Ms. Harper. And, by the way, the phishing folks on the \nother side using that as a capture.\n    Senator Kennedy. That is a good point.\n    Thank you, all three of you. It was very interesting, very \nhelpful.\n    Chairman Rubio. Senator Duckworth.\n    Senator Duckworth. Thank you, Mr. Chairman.\n    Ms. Hyman, we all know that cybersecurity has become more \nimportant than ever for businesses of all size, and I wanted to \nsort of follow on the thread of the discussion so far.\n    Say you have an entrepreneur coming to you. Can you explain \nwhy entrepreneurs in businesses of all size, including the \nsmallest startups, should be thinking about cybersecurity and \nhow it plays an essential role in protecting their customers? \nAs you said, it is a competitive advantage. So you have someone \nwho is starting a company. They are just getting started, and \nthey come to you. How do you talk them through this? 
How do you \ntalk them into making the investment in cybersecurity, when \nthey are just trying to get this thing set up? And how do you \nexplain what the steps should be as they go through this \nprocess?\n    Ms. Hyman. It is a great question. Thank you, Senator.\n    I think what I would like to do is just take one step back \nand share with you a little bit of research that we have done \nrecently at CompTIA with small businesses that was not directly \nrelated to cybersecurity, but had some interesting results.\n    So the five technology areas of concern among SMBs, the top \nfive, number one was figuring out how to integrate different \napplications, data sources, platforms, devices, number one. \nNumber two, effectively managing and using data, because any \ncompany now is trying to figure out how to make that customer \nexperience a better one. Number three, cybersecurity and data \ncybersecurity. Number four, modernizing aging equipment or \nsoftware; and number five, getting more ROI or a bang for the \nbuck, if you will, from technology investments.\n    The reason I raise that with you is those are the top-line \nconcerns for 650 SMBs that we actually surveyed, and I think \nthat is representative of a lot of companies around the \ncountry. So what are they asking for? They are asking for tools \nto be able to figure out how to do all these things.\n    One of the proposals, I believe, in the legislation is to \nhave an SBDC official who might be able to provide assistance \nand guidance on some of these things. We would recommend that \nthat individual be certified with an industry-recognized \ncredential so that they have the wherewithal to help answer \nsome of these questions. That is the beginning of a \nconversation.\n    I would also say in terms of what resources are needed, \ntraining for the companies themselves. 
I mentioned earlier that \noftentimes in a small company, there might be one person that \nis sort of responsible for taking care of the computers. Well, \nif that person had, for example, the investment in some sort of \ntraining--for us, it might be IT fundamentals, which gives a \nbasic overview of what the technology landscape looks like and \nstarts to get into some basic security issues or even an A-plus \nexam, and there are other groups like ours that do this. But if \nthey have that initial training opportunity and the investment \nfor that, they can do some of the basic things that they need \nto do, and they can also interact well with third parties.\n    One thing I want to point out that I think is very \ninteresting is on the updating and modernizing of equipment. So \nI understand a startup may well have newer issues, but pretty \nsoon, they are going to have some of those problems as well.\n    I do not know if you have looked at your Microsoft 7 and \nsaid, ``Oh my God, I cannot even get service for it anymore.\'\' \nSo how do we continuously upgrade and modernize technology? I \nthink that is an important investment to be made.\n    So I hope that answers your question.\n    Senator Duckworth. It does.\n    Is there any move towards a certification program or \nsomething where either the businesses can be certified if they \nare handling a lot of data as, hey, we have gotten this Good \nHousekeeping Seal of Approval, good cybersecurity is installed, \nthat becomes an advantage that they have over their \ncompetitors?\n    Then also, on the other side of that, as they are looking \nfor people who are experts, they go to the Google search. How \ndo they know which companies are legit and which ones are \nreally going to provide them with the right advice to move \nforward?\n    Ms. Hyman. Well, I will share that CompTIA had a Trustmark \nprogram in place, and the IT Security Trustmark is an \norganizational credential. 
It is totally voluntary.\n    When we first unveiled it, it was mapped to the NIST \nFramework. We found even though we had pared that down rather \nsignificantly, it was still a big challenge for small \nbusinesses to meet a lot of the requirements of that Trustmark.\n    But one of the things that we raised in our written \nsubmission was that perhaps that is something, working with \ncompanies like Charles River and elsewhere, where we can start \nto really define and pare down more significantly what that \norganizational credential looks like.\n    We are happy to volunteer and give our organizational \ncredential so that there is at least a basis for that \nconversation, and you can look at it. And then we can figure \nout how do we make that even a more effective credential going \nforward.\n    Senator Duckworth. Thank you.\n    Ms. Harper or either of one of you, do you want to add \nsomething to that?\n    Ms. Smith. One of the things I wanted to mention is we have \ntalked with our local Better Business Bureau about doing \nsomething like that, but looking at us as a small nonprofit \nsaying where do we start with this, it was too much of an \nuphill climb for us. But the BBBs are there to ensure as a \nconsumer, who are you buying from, who do you trust, and maybe \nthat is an organization that would be good to involve if \nsomething like that would happen.\n    And we have talked about it even in the procurement process \nfor the State if a business was certified, whatever that is, \nthat they might get a preferential treatment in the procurement \nprocess with our local State government.\n    Senator Duckworth. Thank you.\n    Thank you, Mr. Chairman.\n    Senator Cardin. Mr. Chairman, just for one observation, if \nI might, because Senator Kennedy raised a very good point about \nthe capacity of the SBA.\n    The SBDCs are clearly an entity that could help on cyber. 
\nThe letter that we wrote, this Committee, to SBA urged them to \nlook at the SBDC\'s capacity to deal with cyber-trained helpers. \nI just mention that.\n    Then Ms. Roat\'s testimony was they have limited resources \nin order to deal with it.\n    Just one observation, if I might, since this is the week \nthe President\'s skinny budget came out. He happens to cut--the \nTrump budget cuts the SBDCs by 23 percent. I know that we will \ndo things here that will be different than the President\'s \nbudget. I understand that, but I do think we also have to be \nrealistic about the resources that are made available to the \nSBA.\n    Chairman Rubio. Thank you.\n    I just have one. I mean, my colleagues have covered a lot \nof the topics that I wanted to ask, but there is one. I think \nyou have touched on it just a little bit.\n    But I am curious about CAMI and its role in representing so \nmany small businesses that are afraid to come forward and \ndiscuss vulnerabilities. Obviously, it has business impacts. On \nthe one hand, obviously, if there is a breach of some sort, you \nwant people to know about it; on the other hand, many \nbusinesses that are small and midsized businesses would \nstruggle with a public disclosure that could theoretically, \nreputationally wipe them out.\n    So how is CAMI handling that? What is it doing? First, it \nsort of highlights the number and severity of the attacks that \nare on small business, and then, in particular, helping small \nbusinesses that are afraid to come forward and discuss their \nvulnerabilities because, frankly, from those attacks is how we \ncan improve our method of responding and preventing them.\n    Ms. Smith. Sure. 
One of the things that we are \nimplementing--and it will come out in our revised website in \nApril--is case studies, which allows our members to talk about \nbusinesses that have been breached and what they did to remedy \nthe situation and the cost involved and the steps that they \ntook and things that they might have been able to do ahead of \ntime to prevent that.\n    So I think illustrating it through this is a manufacturer, \nthis was a small retail organization, so they can say ``okay, \nthat is me,\'\' just to know that someone else has gone through \nit.\n    And contacting us, one of the things we do is anonymously \nput out a plea to our members. If anybody is available to \nhandle this situation, so the business is not--their contact \ninformation or name is not out there, to then connect them with \nresources and give those resources to the business that is \nlooking for that. They can also directly contact the businesses \nthrough our website.\n    But that fear factor is certainly there, but that is also \nafter they have been breached. If we can get to them before \nthey have been breached and say, ``Put these protections in \nplace,\'\' many of them would not suffer those breaches or \nattacks.\n    Chairman Rubio. But the existence of those case studies, \nwithout outing a company, is very helpful to a small company \nthat sees themself reflected in the case study----\n    Ms. Smith. Absolutely.\n    Chairman Rubio [continuing]. And understands that someone \nlike them could also be hit by this.\n    Ms. Smith. Absolutely.\n    One of the things that we find all the time in what we do, \neven our organization when we were first created, we expected \nbusinesses to come to our programs and hear a talk on \ncybersecurity and how to be cybersecure. They do not do that.\n    Our local SBA rep said the same thing, that they have tried \nto do programs for the small businesses, and they do not come. \nThey know they have got to be secure. 
They are too busy or it \ndoes not apply to them, whatever.\n    But going to organizations that are already doing things \nand making it a piece of their conference, put the information \non their website in addition to the SBA website, things like \nthat, small things that can be done, taking the message out to \nthe business and marketing.\n    We deal with our local government. They do not want to \nspend money on marketing and getting the word out, but you have \ngot these great programs. How do you get the word out? And \nthere has got to be some kind of method for telling the message \nand promoting what resources are available to those.\n    Chairman Rubio. Well, I want to thank all three of you for \nbeing patient and being with us today. We have had a great \nhearing, and your input, as you saw from the questions and \ncomments of some of our members I think has elicited thinking \nabout, number one, things people may want to take back to their \nown States, but more holistically some of the challenges we \nface as we move forward on what SBA can do and what the Federal \nGovernment can do to empower small businesses to confront this \nvery real 21st century challenge, and again, we thank you for \nbeing willing to be a part of this today because it is very \nhelpful to us.\n    The hearing on the record will remain open for 2 weeks, and \nany statements or questions for the record should be submitted \nby Wednesday, March 27th, at 5:00 p.m. and again, thank you so \nmuch for being here, and with that, this hearing is adjourned.\n    [Whereupon, at 4:11 p.m., the Committee was adjourned.]\n\n                      APPENDIX MATERIAL SUBMITTED\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n</pre></body></html>\n'