[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
STRENGTHENING THE CYBERSECURITY POSTURE
OF AMERICA'S SMALL BUSINESS COMMUNITY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
JULY 20, 2021
__________
Small Business Committee Document Number 117-026
Available via the GPO Website: www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
45-122 WASHINGTON : 2021
-----------------------------------------------------------------------------------
HOUSE COMMITTEE ON SMALL BUSINESS
NYDIA VELAZQUEZ, New York, Chairwoman
JARED GOLDEN, Maine
JASON CROW, Colorado
SHARICE DAVIDS, Kansas
KWEISI MFUME, Maryland
DEAN PHILLIPS, Minnesota
MARIE NEWMAN, Illinois
CAROLYN BOURDEAUX, Georgia
TROY CARTER, Louisiana
JUDY CHU, California
DWIGHT EVANS, Pennsylvania
ANTONIO DELGADO, New York
CHRISSY HOULAHAN, Pennsylvania
ANDY KIM, New Jersey
ANGIE CRAIG, Minnesota
BLAINE LUETKEMEYER, Missouri, Ranking Member
ROGER WILLIAMS, Texas
JIM HAGEDORN, Minnesota
PETE STAUBER, Minnesota
DAN MEUSER, Pennsylvania
CLAUDIA TENNEY, New York
ANDREW GARBARINO, New York
YOUNG KIM, California
BETH VAN DUYNE, Texas
BYRON DONALDS, Florida
MARIA SALAZAR, Florida
SCOTT FITZGERALD, Wisconsin
Melissa Jung, Majority Staff Director
Ellen Harrington, Majority Deputy Staff Director
David Planning, Staff Director
CONTENTS
OPENING STATEMENTS
Hon. Nydia Velazquez
Hon. Blaine Luetkemeyer
WITNESSES
Ms. Tasha Cornish, Executive Director, Cybersecurity Association of Maryland, Inc., Baltimore, MD
Ms. Sharon Nichols, State Director, Mississippi Small Business Development Center, University, MS
Ms. Kiersten Todt, Managing Director, Cyber Readiness Institute, New York City, NY
Mr. Graham Dufault, Senior Director for Public Policy, ACT/The App Association, Washington, DC
APPENDIX
Prepared Statements:
Ms. Tasha Cornish, Executive Director, Cybersecurity Association of Maryland, Inc., Baltimore, MD
Ms. Sharon Nichols, State Director, Mississippi Small Business Development Center, University, MS
Ms. Kiersten Todt, Managing Director, Cyber Readiness Institute, New York City, NY
Mr. Graham Dufault, Senior Director for Public Policy, ACT/The App Association, Washington, DC
Questions for the Record: None.
Answers for the Record: None.
Additional Material for the Record:
National Association of Federally-Insured Credit Unions (NAFCU)
The National Cybersecurity Society
STRENGTHENING THE CYBERSECURITY
POSTURE OF AMERICA'S SMALL BUSINESS COMMUNITY
----------
TUESDAY, JULY 20, 2021
House of Representatives,
Committee on Small Business,
Washington, DC.
The Committee met, pursuant to call, at 10:01 a.m., in Room
2360 Rayburn House Office Building and via Zoom, Hon. Nydia
Velazquez [chairwoman of the Committee] presiding.
Present: Representatives Velazquez, Crow, Davids, Mfume,
Phillips, Newman, Carter, Bourdeaux, Delgado, Houlahan, Mr.
Kim, Craig, Luetkemeyer, Williams, Hagedorn, Stauber, Meuser,
Tenney, Garbarino, Ms. Young Kim, Van Duyne, Donalds, and
Fitzgerald.
Chairwoman VELAZQUEZ. Good morning. I call this hearing to
order.
Without objection, the Chair is authorized to declare a
recess at any time.
Let me begin by saying that standing House and Committee
rules and practice will continue to apply during hybrid
proceedings. All Members are reminded that they are expected to
adhere to these standing rules including decorum.
House regulations require Members to be visible through a
video connection throughout the proceeding, so please keep your
cameras on. Also, please remember to remain muted until you are
recognized to minimize background noise. If you have to
participate in another proceeding, please exit this one and log
back in later.
In the event a Member encounters technical issues that
prevent them from being recognized for their questioning, I
will move to the next available Member of the same party and I
will recognize that Member at the next appropriate time slot
provided they have returned to the proceeding.
For those Members and staff physically present in the
Committee today, we will continue to follow the most recent OAP
guidance. Masks are no longer required in our meeting space for
Members and staff who have been fully vaccinated. All Members
and staff who have not been fully vaccinated are still required
to wear masks and socially distance.
As new technology has made America more dependent on
digital tools, malicious actors have been launching more
frequent and severe cyber attacks. In the early months of 2021,
we have seen a wide array of headlines detailing attacks on
institutions like large corporations and municipal governments.
Just yesterday, the Biden administration acknowledged that
hackers affiliated with the Chinese government were responsible
for hacking Microsoft email systems, compromising tens of
thousands of computers worldwide and exposing reams of
sensitive data. The fallout of the attack is still being
evaluated, but it is estimated the hack could have affected
hundreds of thousands of small businesses. Episodes like this
exhibit the significant threat cyber attacks pose to small
businesses.
This risk has increased in recent years as small businesses
have begun to rely more heavily on digital technologies.
According to the Connected Commerce Council, 72 percent of
small firms increased use of digital tools during the pandemic.
Unfortunately, as digital adoption has increased,
investment in security measures has not kept pace. Small
businesses often do not have the resources to invest in an
adequate cyber defense system or hire a dedicated specialist.
Guarding against cyber attacks often comes with high
implementation costs and substantial investments of time and
resources. Many are already operating on thin margins and slim
human resources.
Failing to prepare for a cyber attack can have disastrous
impacts. Damage to information systems, regulatory fines, lost
customer trust, decreased productivity, and lost income are all
potential consequences of a cyber breach.
Because of their structural importance to the overall
economy, attacks on small firms can have severe impacts on
larger enterprises and governments connected to them through
the supply chain. Given the greater risk cyber attacks pose to
small employers and their limited capacity to protect against
them, this Committee must find ways to help entrepreneurs
strengthen their cybersecurity posture.
Today's hearing gives us the chance to examine how existing
cyber resources can be enhanced and integrated into small
business support mechanisms.
I also look forward to discussing new initiatives that can
alleviate the financial burden of cybersecurity preparedness.
Small businesses are the foundation of our economy, so their
vulnerability is our nation's vulnerability. Investment in
their security will make us all more secure.
I would now like to yield to the Ranking Member for his
opening statement.
Mr. LUETKEMEYER. Thank you, Madam Chairwoman.
In preparing for today's hearing, I am reminded of how
pervasive the use of the internet and information technology
has become in our society in such a short period of time. We
bank online, we work online, for the past year, we have held
many congressional hearings online. Our growing dependency on
constantly evolving information technology is fundamentally
altering the way we live, and the way businesses of all size
operate.
Although benefits springing from the utilization and
adoption of new technologies are incalculable, we are forced to
contend with a new threat, specifically, the explosive growth
of a criminal industry seeking to steal valuable data and
manipulate critical systems for financial gain.
As the world continues to embrace new technology, we
increase the attack surfaces through which cybercriminals can
infiltrate and wreak havoc to a devastating effect.
These attacks are not without consequence. The cost of
cybercrime is absolutely overwhelming. Experts estimate global
damages totaling $6 trillion this year alone, projected to
reach a staggering $10.5 trillion annually by 2025.
Because small businesses are the intended targets of
cybercriminals approximately half the time, the damage
inflicted upon small businesses is catastrophic. These attacks
push many to the brink with one in six businesses reporting the
financial impact materially threatening the company's future.
In addition to financial costs, many are unable to recover
from the loss of their intellectual property, resources, and
reputation following a cyber-attack.
During my time with this Committee as a member and now as
Ranking Member, I have had the privilege to speak with many
small businesses in my district and beyond, and I say with
certainty that many small businesses do not have the resources,
knowledge, and awareness to properly defend against such
attacks which is precisely what makes them attractive targets.
Many lack sufficient in-house expertise to deal with these
breaches, leaving it up to the small business owners themselves
to handle the matter with predictable results.
Make no mistake; this is asymmetrical warfare.
Cybercriminals expend little effort targeting small businesses
that often have fragile to nonexistent cybersecurity defenses,
while small businesses must allocate valuable time and precious
resources to defend against this faceless enemy. While attacks
against large businesses consistently make frontpage news,
small businesses must not be disregarded. The new reality is
that large organizations are merely sprawling networks of
interconnected business partners consisting of all sizes of
companies including small businesses, each a viable vector for
attack.
And one of the most effective means of shoring up
cybersecurity defenses is knowledge. Knowledge is power and we
need to empower small businesses with the tools they need to
protect themselves, and by extension, the wider network of
businesses and organizations they touch.
A critical component to knowledge is the need for
information sharing among the public and private sectors. As
fast as cybersecurity systems are established and patched,
cybercriminals are already looking for and in many cases
successfully finding new creative ways to infiltrate
organizations' internal networks. Having a robust information
sharing system is fundamental for a strong and effective
cybersecurity defense not just for small businesses but for our
country as a whole.
Unfortunately, small businesses experience significant
resistance to participating in cybersecurity information
sharing activities for a variety of reasons. They may be
reluctant to risk exposure to potential legal liabilities
resulting from the disclosure and they may harbor doubts
regarding the government's ability to adequately protect
reported data and privacy information.
The federal government recognizes these concerns and has
made significant strides towards alleviating these fears.
However, these efforts must continue to improve in order to
make the most impact on small businesses, which drive the
digital economy's growth, innovation, and job creation.
To that end, there are several pieces of bipartisan
legislation introduced by my colleagues on this Committee which
attempt to begin resolving some of the issues and reservations
small businesses have. I hope we will engage in a fruitful
dialogue with our witnesses about this legislation today.
Combatting cyber threats is a vastly complicated issue that
will require largescale coordination across the entire federal
government and private sectors.
We must not let that complexity deter us from our goal.
Rather, we must redouble our efforts towards strengthening the
cybersecurity of our country starting with small businesses. I
look forward to hearing the testimony of the witnesses.
And with that, Madam Chair, I yield back.
Chairwoman VELAZQUEZ. Thank you, Mr. Luetkemeyer. The
gentleman yields back.
I would like to take a moment to explain how this hearing
will proceed. Each witness will have 5 minutes to provide a
statement and each Committee Member will have 5 minutes for
questions. Please ensure that your microphone is on when you
begin speaking and that you return to mute when finished.
With that, I would like to introduce our witnesses.
Our first witness is Ms. Tasha Cornish, the Executive
Director of the Cybersecurity Association of Maryland known as
CAMI, located in Baltimore, Maryland. CAMI is dedicated to
enhancing the local cybersecurity ecosystem by offering
training, cyber career networking, and the Cyber SWAT team
which is a free cybersecurity incident hotline. Ms. Cornish has
nearly a decade of nonprofit leadership experience and she
earned her master's degree at Johns Hopkins Bloomberg School of
Public Health and holds a bachelor's degree in neuroscience
from Cedar Crest College. Welcome, Ms. Cornish.
Our next witness is Ms. Sharon Nichols, the State Director
for the Mississippi SBDC. The state's SBDC network provides
business services at 15 centers and sites, including the
Mississippi State University Center for Cyber Innovation. The
MSU SBDC hosts a cybersecurity project to help small businesses
with data protection in the wake of COVID-19. Before coming to
Mississippi, Ms. Nichols spent 10 years working for the
Oklahoma SBDC. Ms. Nichols has an MBA from the Northeastern
State University and a bachelor's degree from the University of
Central Oklahoma. The Mississippi SBDC was named Resource
Partner of the Year for 2020. Congratulations, and welcome, Ms.
Nichols.
Our third witness is Ms. Kiersten Todt, the Managing
Director of the Cyber Readiness Institute known as CRI located
in New York City. CRI provides prescriptive, accessible, and
free content and tools to improve the resilience and readiness
of small and medium-sized enterprises. Ms. Todt has a master's
in public policy from the John F. Kennedy School of Government
at Harvard University and earned her bachelor's degree at
Princeton University. We appreciate your time and expertise,
Ms. Todt.
Now I yield to the Ranking Member to introduce our final
witness.
Mr. LUETKEMEYER. Thank you, Madam Chair.
I would like to welcome our final witness, Mr. Graham
Dufault. Mr. Dufault is the Senior Director for Public Policy
at ACT/The App Association, representing more than 5,000 app
makers and connected device companies in the mobile economy.
The app association gives voice to small technology companies
and its mission is to help members promote an environment that
inspires and rewards innovation while providing resources to
help them raise capital, create jobs, and continue developing
incredible technology. Mr. Dufault is no stranger to Capitol
Hill having served as counsel for the House Energy and Commerce
Committee. He now leads a number of critical public policy
initiatives on behalf of The App Association members. He earned
his JD with a concentration in communications law from George
Mason University and a bachelor's degree in Economics from
Emory University. Mr. Dufault, welcome back to the Hill. And
thank you for your participation today. We look forward to your
testimony. And you are parking at a very good spot along the
street this morning by the way, right across from my apartment.
So anyway, thank you, Mr. Dufault for being here. I yield back.
Chairwoman VELAZQUEZ. The gentleman yields back.
Ms. Cornish, you are now recognized for 5 minutes.
STATEMENTS OF TASHA CORNISH, EXECUTIVE DIRECTOR, CYBERSECURITY
ASSOCIATION OF MARYLAND, INC.; SHARON NICHOLS, STATE DIRECTOR,
MISSISSIPPI SMALL BUSINESS DEVELOPMENT CENTER; KIERSTEN TODT,
MANAGING DIRECTOR, CYBER READINESS INSTITUTE; GRAHAM DUFAULT,
SENIOR DIRECTOR FOR PUBLIC POLICY, ACT/THE APP ASSOCIATION
STATEMENT OF TASHA CORNISH
Ms. CORNISH. Great. Thank you again for the invitation to
be here.
So CAMI is an approximately 580-member association based in
Maryland. We were founded in 2015 to grow the industry. About
80 percent of our members are cyber providers, providing
products and services to small businesses and the government.
The other 20 percent supports the industry through cyber
liability, data privacy law, and other business building
resources.
So one of our main roles is to provide business building
resources to these cyber companies and the other is to educate
small and medium-sized businesses about cyber hygiene and to
provide solutions. So I am here specifically to talk about
that. I am going to cover three of our programs today: our
Cyber SWAT team; our variety of curated directories of products
and services; and our advocacy work for financial incentives.
Additionally, we do collaborative workshops with our business
partners and chambers of commerce and other trade associations, and
we also do workforce development initiatives to build that
critical pipeline of IT and other professionals in cyber.
So our Cyber SWAT team came out of this huge shift to work
from home that happened last year. As mentioned before, it
really expanded the threat surface that our small businesses
experienced. Virtual machines, VPNs and remote access points
are commonly high targets for threat actors. So we developed
the Cyber SWAT team in partnership with the State of Maryland
and it is a coordinated breach response with all components--
technology providers, cyber providers, cyber insurance, legal
and compliance, and communication and PR. So businesses who are
either experiencing a breach or suspected breach can submit
their request via email and online form or via the phone. So
within 1 hour, they will receive a call from our triage team.
We will triage their request to our best fit cyber companies
based on their size, location, industry, and breach needs.
So there is no cost to connect with this information,
resources, or referrals. They get that 1-hour free
consultation. Of course, if they do choose the services, they
enter a contract and then pay for those services. But this has
helped greatly to assist companies in Maryland and beyond
really with external threats such as phishing campaigns and
ransomware. And also internal threats, including when
terminated employees have unauthorized access to systems.
So moving further upline in the protect and defend section,
we provide an online directory of all of our member companies
with relevant designations, including minority-owned small
businesses, women-owned small businesses, service-disabled
veteran-owned small businesses, 8(a), et cetera.
So this is helpful for prime contractors and others looking
for subs at government agencies, of course, but also private
sector companies who prioritize diverse vendor pools. We also
do publications with our local business guides and we are
launching a program now with Exelon, a Fortune 100 company that
works in every stage of the energy business. I do not need to
tell you that there have been some pretty high profile breaches
within that industry, and typically that is an industry that
has not had a lot of regulations and compliance. So we are
working with Exelon to connect them through our new database with
providers in our membership who can help their vendors build
security programs and complete assessments to really secure
that supply chain for the energy industry. It is a very highly
specialized industry so many of these vendors are seeing this
information for the first time so we are pleased to partner
with them to do that.
Additionally, we will be doing something similar for our
DOD contractors as CMMC or Cybersecurity Maturity Model
Certifications come down the pipeline to again provide those
resources to our small businesses who are doing government
work.
Lastly, I want to touch on some of the financial incentives
that we have advocated for. So in 2018, we actively advocated
for the Buy Maryland Tax Credit which was approved by the
Maryland General Assembly and signed by Governor Hogan. So it
offers qualified Maryland businesses with fewer than 50 employees
a tax credit worth 50 percent of the purchase price when they
buy from qualified Maryland cyber providers of products and
services. So qualified sellers are, again,
small companies or companies owned by the specific
designations. And this offers up to $4 million worth of tax
credits each year and has an active directory of about 50
companies.
Additionally, there are funds that come down from the
federal government. So, for example, the Defense Cybersecurity
Assistance program, which, again, being in Maryland, we have a
lot of government contractors who do work with the DOD so there
are specific funds that we help promote that those contractors
can use for assessments and remediation. Thank you.
Chairwoman VELAZQUEZ. Thank you, Ms. Cornish.
Now we recognize Ms. Nichols for 5 minutes.
Ms. Nichols, you need to unmute yourself, please.
STATEMENT OF SHARON NICHOLS
Ms. NICHOLS. It says that I am unstable. Can you hear me?
Chairwoman VELAZQUEZ. Yes, we can hear you now. Thank you.
Ms. NICHOLS. Thank you. Good morning.
In order to survive the pandemic, many small businesses had
to quickly pivot to online platforms to sell their product and
shift to remote work. The small businesses of our nation are at
high risk for hackers due to the inadequate cybersecurity
protection for their data and intellectual property as was
discussed before.
Why are they at an increased risk? Just like it was said,
owners simply do not know how to protect their business or they
lack the funds to do so. Most hackers want money but that is
not all that is at risk here. No small business wants its
customers or clients to know that they have been breached and
it is a fear that they will lose the business or that hard-
earned trust. And so many go unreported.
In 2016, it was estimated that 10 to 12 percent of all
cybercrimes were reported. In Mississippi alone, in the last
couple of weeks, there was a medical clinic in our small town
that had to pay a ransom to get their data back. This was never
reported in the news. Just 2 weeks ago, our own office was hit
by an email phishing scam and I was given an email yesterday in
regards to a heating and air company that lost a couple of
weeks of work due to a scam.
My name is Sharon Nichols. I am the state director of the
Mississippi SBDC where we offer connection, education and
guidance for thousands of businesses across the state.
In response to the cybersecurity crisis, the MSBDC
allocated a portion of the CARES Act funds we received to
develop a cybersecurity center to help Mississippi small
businesses become cyber aware and more prepared. This center
that was developed offers training based on the CMM model and
the CMMC, but we call it the CMM model because we do not do
certification, offering actionable steps any business owner can
take. Also, access to trained cybersecurity counselors for
individual counseling, as well as on-demand cybersecurity
workshops that are available on our website. Everything that we
offer is for free.
The Cybersecurity Maturity Model that we have implemented
is based on a program initiated by the U.S. Department of
Defense in order to measure their defense contractors'
capabilities, readiness, and sophistication in the area of
cybersecurity. And we have adopted this model because it is a
tool that can be personalized and expanded to meet each
business's unique levels. Levels one through three, and there
are five in the CMMC model, are considered attainable by small
businesses and are designed to make securing a business
affordable, yet very effective.
Please know, again, we do not offer the certification at
the end of each level but business owners can pursue that on
their own if they choose.
Collaboration and connection in all of our organizations is
key and it is the future. The Mississippi Cyber Initiative we
call MCI was created to offer a central location for the
exchange of ideas and beneficial information about the
cybersecurity. The Air Force Base on the Gulf Coast of
Mississippi, Mississippi State University, and Mississippi Gulf
Coast Community College are part of MCI. Our organization, the
Mississippi SBDC has been invited to explore ways MCI resources
can be shared with the business community. This is an example
of collaboration and connection.
The Mississippi SBDC serves the small businesses of our
state with connection, education, and guidance. And I would
like to point out how we have applied these guiding principles
in response to the cyber crisis. Through connection, we are
connecting our business owners with valuable cybersecurity
resources via the MSU Cybersecurity Center and MSI into MCI and
other collaborations. We are acting as a conduit for the
Federal, state, and local resources to the small businesses in
our state.
In education, we are utilizing the Cybersecurity Center to
educate business owners so that they can evaluate the threat
that they have and their threat level and institute measures
for protection. We will be employing a variety of marketing
platforms reaching out through videos and PSAs and pushing
awareness on all six of our social media channels. We are
working to dismantle the idea that small business owners are
powerless to take charge of cybersecurity and make the process
involved simple, yet effective.
Finally, through guidance, we actively supply support and
guidance via our one-on-one counseling with cybersecurity
counselors at no cost to business owners. By supplying one-on-
one guidance, business owners can get answers to specific
questions and solutions unique to their situations. There is no
putting the genie back in the bottle. Our lives and livelihoods
are connected via the cyberworld.
Small businesses play a huge part in the welfare of our
communities and the nation. We must put cybersecurity and cyber
safety of our businesses at the forefront of everything that we
do and equip them with every tool to succeed and protect their
businesses.
I very much appreciate the opportunity to be a voice for
the small businesses of Mississippi, as well as the nation.
Thank you for inviting me to testify.
Chairwoman VELAZQUEZ. Thank you, Ms. Nichols.
Ms. Todt, now you are recognized for 5 minutes.
STATEMENT OF KIERSTEN TODT
Ms. TODT. Thank you, Chairwoman Velazquez, Ranking Member
Luetkemeyer, and members of the Committee. Thank you for the
opportunity to testify before you today.
I currently serve as managing director of the Cyber
Readiness Institute, a nonprofit effort that convenes senior
executives of global companies to share resources and best
practices that inform the development of free cybersecurity
tools for small businesses, including the Cyber Readiness
Program, a five-step, self-guided program, several guides all
based on human behavior.
In 2016, I served as executive director of President
Obama's Commission on Cybersecurity, and after the conclusion
of the Commission, several of the commissioners and myself came
together to launch this effort. Relevant to the hearing today,
I also served as a senior staff member on the Senate Homeland
Security and Governmental Affairs Committee before, during, and
after 9/11 and helped to draft the legislation to create DHS.
The assaults on our nation's digital infrastructure,
particularly over the last 12 months, underscore the urgent
need to close a critical gap in our nation's cyber defenses.
When we think about cybersecurity, we tend to think at a
macrolevel, about state actors and state secrets, hacks of
millions of online identities, and direct threats to critical
infrastructure. And when we think about remedies, we tend to
focus on digital giants and on national or multinational policy
making. These policy solutions are necessary and appropriate
but they are not sufficient. The threats we face as a nation
and as individual consumers and citizens are not restricted to
the macro level.
Given that over two-thirds of large businesses outsource a
portion of their functions and allow third-party access to
their data, insufficient cyber protection among SMBs can be
consequential for larger firms, too, as we saw with SolarWinds
and Kaseya. SMBs, which are constrained by limited resources and
unable to invest proportionately in cybersecurity expand our
risk exposure significantly. Eighty percent of America's
businesses have fewer than 10 employees, and 95 percent have
fewer than 100.
SMBs are the backbone of our economy but they are
inherently fragile. During the pandemic, according to the SBA
administrator at the time, a small business was closing every
hour. These small enterprises lacked the resilience to
withstand a barrage of cyber attacks. Small businesses do not
have the safety nets that large businesses do. An attack of any
size can challenge their viability.
At the end of 2020 and earlier this year, we experienced
the impact of several high-profile attacks, with impacts across
multiple supply chains and critical infrastructure. We have
been forced to now understand that in addition to physical
supply chains, all businesses, especially small businesses,
must pay attention to their IT supply chains.
These events have brought us to another so-called
inflection point. So-called because we use this term frequently
when it comes to cybersecurity, yet we continue to fail to do
what is necessary to improve America's cyber defenses. These
events and attacks are symptoms of the challenges we face.
Policies are not enough, nor can we simply shrink tools and
techniques employed by major corporations into compact versions
for SMBs.
Small businesses need access to cybersecurity resources and
support from the federal government. They need prescriptive,
easy to adopt programs that strengthen their everyday
operations while not pinching their budget. Because a small
business may not have a department or even a single employee
solely focused on cybersecurity, approaches grounded in
creating cultural change through human behavior and education
are critical to helping small businesses become more resilient.
Human behavior can be a force multiplier for cybersecurity
in small businesses and larger ones as well. Small businesses
must be educated on the threats and the fundamental actions
that they need to be resilient.
The federal government can play a critical role. Earlier
this year, the Cyber Readiness Institute released a white
paper, The Urgent Need to Strengthen the Cyber Readiness of
Small and Medium Sized Businesses: A Proposal for the Biden
Administration, outlining actions to help small businesses.
Here are five steps from the white paper that the federal
government can take to improve small business cybersecurity
defenses.
My prepared testimony goes into greater detail and I am
happy to elaborate during our Q&A.
1. Create a Small Business Cybersecurity Center. Today, no
single government agency curates cybersecurity resources from
multiple vetted sources for SMBs. Given the ongoing work to
support SMBs by the Cybersecurity and Infrastructure Security
Agency and the recent allocation of additional resources to the
agency. CISA is a recommended agency to perform this function.
2.Establish cybersecurity incentives. Tax credits to SMBs
that invest in cybersecurity can incentivize cybersecurity
efforts.
3.Set cybersecurity standards. We need minimum standards
for cybersecurity that all organizations must follow, including
small businesses.
4.Launch national cyber squads. We should amplify the
existing cyber corps with government-funded cyber squads of
student interns to help minority-owned SMBs and to fill a
desperately needed talent pipeline.
5. Roll out a national cyber readiness education campaign.
Awareness is critical for small businesses in the entire
population. We need an effective public service campaign that
would focus on a single, basic cybersecurity issue, such as
using multifactor authentication which experts assert would
reduce cyber attacks significantly.
Our nation's cybersecurity challenges are diverse. One
foundational way we can improve our defenses is by supporting
and investing in the cyber readiness of small businesses.
America's hundreds of thousands of small businesses can be
mobilized, educated, and supported to be our resilient
frontline of cyber defense and to become a great strength for
our country. This critical investment in building that strong
defense will pay major dividends for our nation. Thank you.
Chairwoman VELAZQUEZ. Thank you, Ms. Todt.
We recognize Mr. Dufault for 5 minutes.
STATEMENT OF GRAHAM DUFAULT
Mr. DUFAULT. Thank you, Chairwoman Velazquez, Ranking
Member Luetkemeyer, members of the Committee. My name is Graham
Dufault, and I am senior director for Public Policy at ACT/The
App Association. The App Association is the leading trade group
representing small, connected device and mobile software
companies in the app economy which is about a $1.7 trillion
sector globally that supports about 5.9 million jobs in the
U.S., including in your districts.
I am here to ask for your help to improve the cybersecurity
resources for small businesses that are the backbone of your
districts.
In Brooklyn, Ali Iberraken founded Chaperone, an app to
help teachers organize and manage fieldtrips. Jason Oesterly, a
former IBM and MasterCard developer created WASHMO Media in
Washington, Missouri. So app economy innovators like Chaperone
and WASHMO deal with cyber threats all the time. Small
companies, even in industries associated with a higher level of
technical expertise, like our members, are a favorite target of
cybercriminals. In fact, about 71 percent of companies
reporting cyber attacks are small firms. And around 80 percent
of small firms say they are not prepared for a cyber attack.
Most of them are reticent to tell anyone about the fact that
they are victims as you have heard from other testimony today.
We want to highlight four main things for this hearing.
1. While recent high-profile ransomware attacks are
grabbing headlines, it is difficult for small companies to
share information about threats, incidents, and defensive
measures they use. Legislation like H.R. 1648 and 1649 from
last Congress would help create better conditions for
information sharing and readiness. So we appreciate the
Committee's work on those pieces of legislation and we are
pleased to see that at least one of them is being reintroduced
this week.
2. Cybersecurity is a team sport in many ways. Small
companies, especially app makers, leverage the cybersecurity
capabilities of software platforms such as app stores,
operating systems, and Cloud services to protect their clients
and customers. Federal policy should enable these platforms to
take protective measures and to avoid undue interference with
them on antitrust and other grounds.
3. Cybersecurity begins with good defenses. Small companies
rely on technical protection measures like encryption of data
in transit and at rest and on devices, so where is the
Committee to push back on proposals that would weaken
encryption?
And a bonus,
4. I would be remiss if I did not mention the number one
daily issue my industry faces and that is finding and hiring
enough qualified people. With about 3.5 million unfilled
cybersecurity jobs globally, Federal investment in this area is
necessary. So we support programs like the Master Teacher Corps
and legislation like the Computer Science for All Act, H.R.
3602.
App Association members and our customers have everything
to lose when it comes to cyber threats. The onslaught of recent
attacks comes amid a global talent shortage so we cannot simply
hire our way out of the problem. Therefore, we need your help.
Cybersecurity for mobile devices is important for everyone.
For example, Black and Hispanic Americans rely
disproportionately on mobile devices as opposed to desktop
computers to access online services. These devices now contain
our most sensitive personal data, including financial, real-time
location, and health information. Therefore, app makers in
particular must leverage the security features of software
platforms and Cloud services. Unfortunately, some proposals
in Congress and in some states would prohibit these gating
functions, ostensibly to help my member companies and your
constituents, but in truth they would do much more harm than
good. So we urge you to reject those ideas, as they make smart
devices much less secure and much more attractive targets. Why?
Because cybercrime is a business after all. And cybercriminals
benefit also from the silence of their victims.
If Congress's goal is to make it harder for cybercriminals
to do business, information sharing plays a key role. We need
to make it too costly for cybercriminals to target small
companies with $15,000 ransoms. The attacks we see on small
firms from real estate investment to neighborhood bike shops
are often well-designed to ensnare specific kinds of victims.
The attackers learn the lingo of the sector they target and
study everyday practices to disguise phishing attempts so that
they look legitimate. Understanding these shifting forms of
camouflage requires rapid intelligence sharing and we need to
counterbalance the potential legal exposure and reputational
harm of disclosure.
While small companies often rely on outside support and
expertise for cybersecurity, it is impossible to contract away
risk or accountability for security. It is incumbent on small
companies to develop a level of independent working knowledge
of cyber threats to their business and information sharing best
practices.
The Committee is well-positioned to help improve
cybersecurity literacy for small firms, and the conditions for
information sharing, and we look forward to assisting with
those efforts.
Thank you for the opportunity to share our views, and I
look forward to your questions.
Chairwoman VELAZQUEZ. Thank you, Mr. Dufault. I will begin
by recognizing myself for 5 minutes. I just want to say that it
is kind of scary listening to your stories and your expertise
regarding the threat of cybersecurity. I would like to ask Ms.
Todt, based on your own experience having worked for the
federal government, and now as the CEO of this institution, do
you think that there is an ongoing education throughout the
federal government in terms of different agencies as to the
threat that they are exposed to? How does that trickle down to
those most vulnerable--in this case, small businesses?
Ms. TODT. Thank you, Madam Chairwoman.
There is absolutely an education challenge. And when we
talked to small businesses, and I think this holds true
certainly for large businesses, the issue is not that they do
not know, they do not want to do anything, the issue is that
they often do not know what they should be doing and where the
threat is.
There was a survey done by Apple recently that said that
many small businesses asked, well, is this not part of my
software package, the security piece? And so we have to be more
prescriptive. So when we are looking at the Federal agencies,
and this is where I think the increase in resources to CISA is
going to play a significant role as well as the new leadership
working in collaboration across agencies to create a
synchronized effort that educates the agencies on the
priorities and also creates a unified government approach so
that you do not have agencies looking to others to understand
what is happening but that there is leadership both within the
White House and within CISA that helps to streamline what needs
to happen because the threats are certainly consistent across
all of our agencies and I think as Chris Inglis, the new
national cyber director said in the context of the
international arena but it certainly is in the domestic arena
as well, in order to get one of us you have to get all of us
and I think that approach for government needs to hold true.
Chairwoman VELAZQUEZ. Thank you.
Ms. Nichols, what were the most common services requested
by small business owners in the transition to telework because
of COVID-19?
Ms. NICHOLS. You know, I would like to say it was
cybersecurity but that was not it. It was mostly sources of
capital because they were concerned about how they were going
to keep their doors open. And confidence to survive, trying to
find out how to handle their financial projections as well as
the logistics of employees, Internet connections, suppliers,
and commitments. Cyber was not that one thing that they
contacted us about. And so while it was the greatest need, it
was not what they contacted us about.
Chairwoman VELAZQUEZ. Ms. Nichols, the SBA rolled out
several COVID-19 programs in 2020. Did any of these programs
provide cybersecurity specific guidance?
Ms. NICHOLS. To my memory, neither the EIDL nor the PPP
programs provided cybersecurity specific guidance. The PPP was
primarily for payroll followed by other items, such as rent and
utilities and the EIDL had an allowance for accounts payable
and other bills but not specific to cyber unless it was already
a related expense.
Chairwoman VELAZQUEZ. Thank you.
Ms. Cornish, with respect to commerce directly, what is the
importance of including the designations or certifications
small businesses may have as part of the company information?
Ms. CORNISH. Sure. So part of it is for, you know,
subcontractors and prime contractors and even government
agencies to better diversify the government contracting
workforce. Additionally, when our companies are looking at
their own DEI plans, many of them want to incorporate diverse
vendors in that pool as well. So we are excited to help support
those efforts through our designations.
Chairwoman VELAZQUEZ. Thank you. Do you think that
including such designations can promote diversity and
cybersecurity contracting?
Ms. CORNISH. Absolutely.
Chairwoman VELAZQUEZ. Mr. Dufault, recent security breaches
have heightened the importance of continuously monitoring
against outside threats but the necessary technologies and
practices are too expensive for small firms. How much on
average is the cost to secure networks?
Mr. DUFAULT. That is a great question. It is one of the
main areas of focus that a lot of our member companies have to
pay a lot of attention to. I am not sure exactly what the cost
is per small company. It probably varies as to what kinds of
tools you want to adopt. One of the observations of one of our
member companies is that for a lot of really specific
cybersecurity focused tools that help you manage your threats
across your supply chain, the number of licenses that you have
to buy is really high. And so it is kind of you have to buy in
bulk, and this particular member company just signed up as a
reseller so they could get access to a smaller number of
licenses. And so that is potentially a problem and a potential
area of focus here to provide more Federal resources so that
companies can buy smaller and not necessarily in bulk access.
Chairwoman VELAZQUEZ. What can SBA and its resource
partners do to remove barriers for small firms that want better
protection?
Mr. DUFAULT. That is a great question, Chairwoman. There
are a few things that you guys can do. We were really happy to
see Congress introduce H.R. 1648 and 1649 last Congress. These
are bipartisan bills that would help ensure that there are
liability protections for information sharing with the
government, but also to provide more resources for small
companies through the federal government through the SBA to
have access to cybersecurity counselors. And so that was H.R.
1649 which has a certification program for SBA employees. So
access to that through the SBDCs is something that we feel
would be a great improvement and would help them.
Chairwoman VELAZQUEZ. Thank you. My time has expired.
Now we recognize the Ranking Member, Mr. Luetkemeyer.
Mr. LUETKEMEYER. Thank you, Madam Chair.
Mr. Dufault, you know, one of the things that is concerning
to me is the cost to be able to protect the small businesses
out there. And so it is a two-part question. The first part of
it is what would be the average cost that a small business
would have to anticipate occurring to be able to protect
themselves? And then the problem becomes, well, you have got to
protect it today but there are a lot of smart guys out there
that are going to figure out how to break into the
security you have got right now so you are going to have to
continue to update your security and you are always behind the
curve, so to speak here in trying to protect yourself. And so
these ongoing costs are sometimes things that I think deter
small business from even, they throw their hands up and say,
well, I probably cannot afford the first set of security
measures. I sure cannot continue to pay money out the door when
I think my exposure is small. How would you answer that
question?
Mr. DUFAULT. So it is a great question, Congressman. I
think, you know, one of the member companies described the cost
of just trying to get penetration testing, which is kind of an
entry level set of services where an outside firm comes in and
tests your network. Tests the integrity of the security systems
that you are using. And that can cost between $10,000 and
$30,000 according to the member company. And that is just the
one-time cost. And that is just for that service. So if you
want to buy the full suite of services it goes up from there.
Now, we also have member companies that have worked with
other customers that have had trouble putting together $200 to
pay for antivirus software which is the lowest, sort of the
lowest level tool that you can invest in. So it ranges quite a
bit, I think, depending on the kind of company you have and
your focus and whether or not you are seeing these threats.
Another thing I will point to is the IT sector coordinating
council. So DHS has various sector coordinating councils where
they focus on cybersecurity in different sectors. The IT sector
coordinating council did a survey of small businesses, and
about 38 percent said they do not expect to see a cyber
incident in the next 2 to 3 years which is a little bit of
overconfidence I think. And so there is a baseline level of
sort of an appreciation that you have to have in addition to
the amount of money that comes along with the basis for
spending that kind of money on these protective measures. So on
an ongoing basis as you pointed out, it is even harder.
Mr. LUETKEMEYER. Thank you.
Ms. Cornish, you talked about a tax credit that was put
together by I think the State of Maryland I think you
indicated, which is intriguing to me. But I was curious, what
kind of participation rate was there among the small
businesses? And what was the average cost that they actually
were able to get a credit for? Or do you know that information
off the top of your head?
Ms. CORNISH. Sure. I can speak a little bit to that.
So it certainly is not utilized to its full potential by
our small business community. So we know that there is work to
do on our end to help promote that as well. I think to Graham's
point, many of the costs range between $5,000 to about $30,000.
There are ways to do continuous monitoring that is a little bit
less expensive on the defensive side. So then it only cost
about $6,000 to $10,000 a year.
Mr. LUETKEMEYER. One of the things I think, Mr. Dufault, I
think back to you again. I think somebody else mentioned,
talked about the number of folks within the industry worth 3.5
million jobs, people short to be able to fill the number of
folks. What is the problem here? We just do not have enough
people interested in the field? The wages are too small to
attract people into it? Nobody likes to do that kind of work?
What do you think?
Mr. DUFAULT. There are a number of different factors. Some
of it is cultural. There is a lack of, I think, awareness of
the available jobs. When you are going into college and when I
was going into college there was not a whole lot of emphasis on
sort of STEM fields at that time. So there is sort of an
outreach campaign that can be done to make sure the folks know
that this is where high-paying jobs are. It is $89,000 median
salary for this kind of work here in the U.S. across the
country.
Mr. LUETKEMEYER. Let me interrupt. My time is about up
here.
Is this something that Small Business Administration could
do? They could entice or enhance or send out information to the
high schools and folks, colleges, to let them know that there
is availability of all this? I mean, we have to get the SBA
engaged in this somehow because this is a small business issue.
Mr. DUFAULT. I think that is a great idea. I think that
there is definitely a role for the Small Business
Administration there. There are other Federal agencies that
ought to be involved but the Small Business Administration in
particular because small companies do have trouble finding
access to qualified folks.
Mr. LUETKEMEYER. My time is expired. Thank you. I yield
back.
Ms. HOULAHAN. The gentleman's time is expired and the
gentleman yields back.
The gentleman from Colorado is now recognized for 5
minutes.
Mr. CROW. Thank you, Madam Chair.
For more than 20 years, the SBA Office of the Inspector
General has listed IT security as one of the most serious
management and performance challenges facing the SBA. So this
is not obviously a new thing but it is more acute and becoming
more of a problem as particularly nation state actors and
others weaponize the ability to go after our small businesses.
Recently, I reintroduced the bipartisan SBA Cyber Awareness
Act which would direct the agency to issue an annual report
assessing its cybersecurity infrastructure. It also requires
the SBA to report cyber threats, breaches, and cyber attacks to
the respective House and Senate Small Business Committees. And
then to notify affected individuals within 30 days because we
know that notification is one of the biggest issues, is the
required notification.
So that is part of it. But even after the notification then
there is the issue of what happens next? And in all of your
testimonies you referenced the challenges particularly facing
small businesses that just do not have the resources.
So Ms. Cornish, starting with you, can you describe, flesh
out for me a little bit more what resources are available,
could have the biggest impact on providing resources or support
to small businesses particularly in high tech sectors? Like, I
have a lot of defense, aviation, and aerospace within my
district and a lot of those are small businesses and they are
prime targets of hacking and intellectual property theft. What
is out there and what could make the biggest impact that is not
out there?
Ms. CORNISH. Sure. So in the defense industry,
specifically, there is the Defense Cybersecurity Assistance
Program which provides funding for assessments, and honestly,
you know, investing in the assessment and the protection phase
is really where you are going to get the largest ROI for the
SBA and others. So I would certainly encourage investment
there. When companies are breached, you know, definitely it
varies by the situation, but certainly shoring up interventions
to improve your chances moving forward are critically important
there.
So I would love to see that the DCAP comes down from DOD. I
would love to see other agencies also do something similar
through their Office of Small Business work.
Mr. CROW. Thank you.
Ms. Todt? Mr. Dufault?
Ms. TODT. Thank you. One of the key issues that we focus on
at the Cyber Readiness Institute is human behavior because it
recognizes that regardless of the sector that you are in or the
resources that you have you have got to start by creating these
cultures of behavior. And if we make the analogy to safety,
creating cultures of safety that we did with businesses
particularly following 9/11, it helps us to understand that
while this is all new to us and it is somewhat foreign and
uncomfortable, we often say security is not convenient, we can
create those cultures. And by doing so, you have force
multipliers in your companies when every individual recognizes
that he or she can be an access point to the network, that he
or she can be the strength that actually prevents an attack or
can be the opportunity. And I think that is one of the pieces
in the education that we have got to be focusing on to help
employees have that accessibility to those resources and the
knowledge.
Mr. DUFAULT. Yeah, Congressman. And I agree 100 percent
with the comments of Ms. Todt because all it takes is one weak
point in a company or an organization and that is why you saw
with some of the recent cyber attacks they used the password
spray where they try really common passwords on a large number
of accounts because chances are in an organization of a couple
hundred people or a couple thousand people somebody will use
password123. And so creating that culture that Ms. Todt
described is extremely important. And also understanding which
kinds of threats are being directed to your specific industry
because they are kind of, as I said in the oral statement just
a minute ago, the attackers are studying the everyday habits
and trying to mimic those and they do a pretty good job of that
based on specific sectors. So, info sharing within sectors is
extremely important.
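Mr. Dufault's description of password spraying above, as an added illustration that is not part of the hearing record: a small detection routine run over constructed authentication log lines. The log format, IP addresses and usernames below are assumptions made for the example. The point it shows, which the spoken description only implies, is that a spray puts one or two failures on each of many accounts, so per-account lockout thresholds never fire; the signal lives in grouping failures by source address over a short window and counting distinct usernames.

```python
"""Password-spray detection over authentication log lines.

Added example, not from the hearing record. The log format is a
constructed, simplified syslog-style line (an assumption):
    <ISO timestamp> auth: result=<success|failure> user=<name> src=<ip>
A spray tries one common password against MANY accounts, so the
signal is one source failing against many distinct usernames in a
short window while each account sees only a failure or two.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def failures_per_user(lines):
    """Per-account failure counts: what a lockout policy looks at."""
    counts = defaultdict(int)
    for e in map(parse_line, lines):
        if e and e["result"] == "failure":
            counts[e["user"]] += 1
    return dict(counts)


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct usernames} for every source that
    failed against at least `min_users` distinct accounts inside any
    `window`-long sliding window of its own failures."""
    events = [e for e in map(parse_line, lines)
              if e and e["result"] == "failure"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans <= `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                # report every account this source touched, not just
                # the ones inside the triggering window
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged


def compromised_by_spray(lines, flagged):
    """Accounts a flagged source then logged into successfully: the
    guessed password worked there, so reset and investigate first."""
    hits = defaultdict(set)
    for e in map(parse_line, lines):
        if e and e["result"] == "success" and e["src"] in flagged:
            hits[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in hits.items()}


# Constructed sample (assumed data): one spraying source, 203.0.113.7,
# tries a single guess against seven accounts and gets into one; a
# legitimate user mistypes twice from 198.51.100.4 and then succeeds.
SAMPLE_LOG = [
    "2021-07-20T09:00:01 auth: result=failure user=alice src=203.0.113.7",
    "2021-07-20T09:00:31 auth: result=failure user=bob src=203.0.113.7",
    "2021-07-20T09:01:02 auth: result=failure user=carol src=203.0.113.7",
    "2021-07-20T09:01:33 auth: result=failure user=dave src=203.0.113.7",
    "2021-07-20T09:02:04 auth: result=failure user=erin src=203.0.113.7",
    "2021-07-20T09:02:35 auth: result=success user=frank src=203.0.113.7",
    "2021-07-20T09:02:36 auth: result=failure user=grace src=203.0.113.7",
    "2021-07-20T09:03:10 auth: result=failure user=alice src=198.51.100.4",
    "2021-07-20T09:03:40 auth: result=failure user=alice src=198.51.100.4",
    "2021-07-20T09:04:05 auth: result=success user=alice src=198.51.100.4",
    "2021-07-20T09:05:00 auth: result=success user=bob src=198.51.100.9",
]

if __name__ == "__main__":
    print("failures per account:", failures_per_user(SAMPLE_LOG))
    sprayers = detect_spray(SAMPLE_LOG)
    print("spraying sources:", sprayers)
    print("accounts to reset:", compromised_by_spray(SAMPLE_LOG, sprayers))
```

On the sample, no account accumulates more than three failures, well under a typical lockout threshold, yet the source-centric check flags 203.0.113.7 and points straight at the one account (frank) whose password the guess matched. In a real deployment the window and threshold would be tuned to the organization's login volume, and shared egress addresses (NAT, VPN concentrators) need an allow-list or a per-user-agent split to keep false positives down.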
Mr. CROW. Thank you.
And Ms. Nichols, to you, and I guess to that last point
since you are with an SBDC, on the training piece, training of
employees and others, how can we better do that or assist small
businesses in conducting the training?
Ms. NICHOLS. So we are basing our model on the DOD
cybersecurity model, the CMMC, but just using the CMM portion
of it. And I liken it to the Maslow's Hierarchy of Needs.
Basically, on level one through three is basic cyber hygiene,
and it is all about education and awareness, where also I think
it is very imperative that we look at what is our consistent
voice and what is that consistent messaging because there are a
lot of resources out there and a lot of organizations, and I
believe that the consistent messaging and education and
training is very key not only just for employees but for
potential employees because there needs to be that standard
base and education.
Mr. CROW. Thank you. My time is expired. I yield back.
Ms. HOULAHAN. Thank you. The gentleman's time is expired
and the gentleman yields back.
The gentleman from Texas, Representative Roger Williams,
the Vice Ranking Member of the Committee is now recognized for
5 minutes.
Mr. WILLIAMS. Thank you, Madam Chair.
A 2021 Cybersecurity Trend Report shows that phishing is
the top cyber threat for small businesses as we have talked
today. In this type of attack, simply clicking on a link or
opening an attachment can compromise an entire company's
network. Rather than target a vulnerability within the cyber
network, this tactic targets unknowing employees. Regardless of
what additional resources or best practices are shared to the
industry, we must ensure that we are not leaving out the
socially engineered attacks that can occur on untrained
employees.
So Ms. Nichols, first of all, Mississippi State has a great
baseball program.
Ms. NICHOLS. Yes, they do.
Mr. WILLIAMS. That is good.
Secondly, can you discuss the training that SBDCs, and we
have talked about this a little this morning, have to ensure
employees are aware that they could be targets of these
phishing attacks?
Ms. NICHOLS. Specifically attacking employees, is that what
you are asking?
Mr. WILLIAMS. Yes.
Ms. NICHOLS. Yes. And it is just a matter of awareness.
Just like I said in my presentation, our organization had been
phished. And it is raising awareness of that basic, what to be
ready for and, you know, what are the very basic minimal things
that you have to look for. And that is what we want to show our
small businesses is how to prepare their employees to work
remotely but also keep their intellectual property and their
information safe. So the social engineering is really the focus
of most training that is going on right now. And while it is at
a higher level and you hear about the big ones like the
pipeline and different things that have happened, it is the
smaller phishing that is really affecting the smaller
businesses. So education is key.
Mr. WILLIAMS. Thank you.
When small businesses are targeted with cyber attacks, it
may not make the news like some of the more high-profile cases
we have seen lately such as the Colonial Pipeline or Microsoft
attacks. Unfortunately, since many of these smaller companies
operate on tighter budgets, they are often easier targets, and
the intruders can go undetected for longer periods of time
than in some of the more established businesses.
So Mr. Dufault, you mentioned in your testimony that
smaller firms could leverage the cybersecurity capabilities of
Cloud services. Can you elaborate on the advantages of using
this service and why it may be a more attractive option for
smaller firms who do not have as large of a budget to dedicate
to cyber defense?
Mr. DUFAULT. Absolutely, Congressman. It is a great
question.
As there was testimony earlier this year in the Homeland
Security Committee where witnesses sort of elaborated on the
capabilities that Cloud providers have in contradistinction to
where you are using on-premises hosted servers. Right? Where if
you have your own servers there at the small business, it is
incumbent upon you, the small business, to install updates that
could have security patches. It is also incumbent on you to
sort of on your own go out and find threat indicators and
indicators of compromise whereas all that stuff sort of happens
quickly and efficiently if you are using Cloud-hosted servers
where the updates are sent automatically, that patch potential
vulnerabilities, and you also sort of benefit in real time and
quickly from indicators of compromise that other folks are
seeing that are using the same Cloud services. And so that is
sort of what I am referring to when I say the ability to
leverage those capabilities.
Mr. WILLIAMS. Very good.
Cybersecurity breaches are only going to become more common
as we know and technology continues to advance and criminals
get more sophisticated. While small businesses do what they can
to protect themselves from attacks that never happened in the
first place, it is ultimately the government's responsibility
to track down and hold these bad actors accountable. If we use
every tool at our disposal to hold these criminals accountable,
it will deter these attacks in the future.
Ms. Cornish, are there any roadblocks that are preventing
the federal government from more aggressively prosecuting
cybercrimes?
Ms. CORNISH. To my understanding, no. But I do----
Mr. WILLIAMS. You believe that?
Ms. CORNISH. I am encouraged by the partnership, the
public-private partnership that we are continuing to discuss
because I do also believe that that is part of it. But I do not
feel like I can speak to the roadblocks specifically at the
Federal level blocking that.
Mr. WILLIAMS. Well, public-private partnerships only work
better. No question.
I yield my time back, Madam Chair. Thank you.
Ms. HOULAHAN. Thank you. The gentleman's time is expired
and the gentleman yields back.
The gentleman from Maryland, Representative Mfume, the
Chairman of the Subcommittee on Contracting and Infrastructure
is now recognized for 5 minutes.
Mr. MFUME. Thank you very much, Madam Chair. Good morning,
everyone.
I have got a question for any of you or either of you who
may know the answer should feel free to address. With respect
to cyber attacks, what do you estimate the average loss to be
as a percentage of overall revenues to small businesses
regardless of their size?
Ms. TODT. So based on research and studies that we have
conducted with some of our member partners and the larger
global companies, we estimate that a cyber breach can cost
about $4 million per small business. So when you think about
the revenue that small businesses have, sometimes that does not
even cover their revenue. And the number of employees, whether
it is 2, 20, or 200, the significance of that piece. And I
think the challenge for small businesses is their awareness
that they are an access point to larger companies but that they
also hold data. And data a couple years ago surpassed oil as
the most valuable global commodity. And I think these issues
for small businesses require the education so that they are not
in a position where they are paying $4 million to respond
because the recovery takes quite a long time.
Mr. MFUME. And so how many small businesses does that wipe
out on an average per year?
Ms. TODT. So there are different statistics around this but
what we saw with the pandemic is that over 65 percent of small
businesses that suffered a breach did not go back online 6
months later. So that given a 6 month recovery time, those
small businesses did not recover.
And I think one of the things that we have learned again, a
lot from our large member companies is that the recovery piece
to this, it is like a hurricane. We get very involved in the
crisis response. It is on the front page of the paper. We are
looking to see how everybody is doing. But when you go back 6
months later into the community, or 12 months later, you are
seeing long-term and devastating impact. The same is true for
businesses, particularly with ransomware attacks because of the
impact it has.
Mr. MFUME. And what about 5 years ago. What would you have
said that same dollar amount would have been?
Ms. TODT. So I would say it would have been a lot less. I
cannot estimate but I think, you know, and I do not even
believe that small businesses were the target that they are
today. What has happened with IoT and the interdependencies of
the digital economy is that small businesses are such critical
parts of global supply chains that now to the point that we
have all discussed, they are a target because they are the
weakest link.
Mr. MFUME. And because of that, do any of you know or are
aware of the number of states that offer the kind of tax credit
that Ms. Cornish referenced earlier?
Ms. TODT. I am not aware of others. I do not know if----
Ms. CORNISH. I am not either.
Ms. TODT. I do think it is something the federal government
could look at.
Mr. MFUME. So let's talk about Maryland since we know about
that, Ms. Cornish. You said that that tax credit is being
underutilized.
Ms. CORNISH. It is.
Mr. MFUME. Why do you think that is?
Ms. CORNISH. I think partially there is an under awareness
among users as well as cybersecurity companies. So we certainly
have a cybersecurity audience, so we will continue to promote
among our membership and also among our strategic partners and
other trade associations and such.
Mr. MFUME. I think it would have to be an aggressive sort
of promotion. If you have been around offering a tax credit and
people are not taking advantage of it and yet they are being
hit by these attacks that we just heard could just completely
wipe them out. How are you going to do that over the next few
months?
Ms. CORNISH. Yeah. I can certainly reach out to our close
partners at the Department of Commerce because I do believe it
is a state-driven approach as well.
Mr. MFUME. And I do not know how much time I have left but
what, if any of you think the SBA should be doing to lower the
threat level? Have you got some concrete suggestions for us?
Mr. DUFAULT. I will take that one, Congressman. That is a
great question.
I think the SBA could, number one, provide personnel and a
certification program for SBA personnel to get up to speed on
the latest cyber threats and be in a position to counsel
companies from SBDCs and then provide some funding for those
programs on an ongoing basis. That is a great way to do it
because SBDCs are a great resource that folks use quite a lot.
And then the SBA could also create sort of a hub for
information sharing, a little bit like what CISA does through
NCCIC at the Department of Homeland Security. And so those are
two ways that small businesses could be better supported and
help them on a more cost-effective basis deal with----
Mr. MFUME. Mr. Dufault, I get the sense that you have more
than two ways to suggest. So could you write those down and
transmit those to the Committee? I want to specifically try to
follow up with the SBA to make sure that those sort of
suggestions get heard outside of this Committee room.
Mr. DUFAULT. That is excellent. Absolutely. We will do
that.
Mr. MFUME. Thank you. I yield back, Madam Chair.
Ms. HOULAHAN. Thank you. The gentleman's time is expired.
The gentleman yields back.
The gentleman from Minnesota, Representative Hagedorn and
the Ranking Member of the Subcommittee on Underserved,
Agricultural, and Rural Business Development is now recognized
for 5 minutes.
Mr. HAGEDORN. I thank the Chair and the Ranking Member for
holding this Committee. Thanks to the witnesses. And Mr.
Dufault, one of your members is in our district in Rochester,
Minnesota, Southern Minnesota, Advantage Software, and it
sounds like they have had a great business for going on 40, 50
years providing farmers with real-time data and inventory and
doing all sorts of things that production agriculture really
makes a big difference in that type of thing. So we appreciate
that work and all the other members that you have going quite
something. It seems to me this might be one of these areas
again where big government, some politicians think let's impose
standards. Let's force the small businesses to do all these
things to comply in order to do business with the government
and it becomes unreasonable, the mandates. And then they turn
around and say, well, let's subsidize it. That is kind of a
typical pattern that we see.
But one of the things that bothers me is I am concerned
that the agencies sometimes require the contractors, the
smaller businesses to comply and do things that they themselves
do not do. I mean, I am one of 21 million Americans who had
their records stolen from OPM. The Communist Chinese, I guess,
know whatever they want to know about me and yet nobody could
be sued. There was no liability. The government has a different
standard than they impose to others. Do you think small
businesses who work in good faith with the government provide
the information, do what they can in order to protect
themselves and the business operations? Do you think they
should have a liability standard similar to the government
where they are not sued?
Mr. DUFAULT. Congressman, it is a great question. I think
it points to two things. One, Federal agencies need to probably
do a better job when it comes to securing their networks. And I
think that points then to whether or not my member companies
and other businesses across the nation are willing to share
threat data and share sensitive, potentially sensitive
information that shows what the threats might be with Federal
agencies. They do not want that information to be breached.
And then secondly, the other point that you made, whether
or not there ought to be some sort of liability protection for
information sharing and other measures that my member companies
and other companies like them take to make sure that other
companies are ready and that other folks in the sector are
ready. Absolutely. I think CISA is a great start. I think that
other legislation that was introduced last Congress and I think
hopefully will be introduced again this Congress would ensure
that there is additional liability protections for small
businesses because we have to overcome the reputational damage,
not just as my fellow witnesses pointed out, the initial
problems.
Mr. HAGEDORN. I think most businesses have real incentive
to make sure that they can protect their customers and do work.
They do not want to lose business. They do not want to go
broke. They like to be able to continue to build their
business. So your industry is quite fascinating. You said
something like $1.7 trillion, all these millions of employees,
and that there is all these open jobs--3, 4 million open jobs,
some of which are paying $50,000, $60,000, $70,000, $80,000
just to get going.
Can you walk us through what the average person in your
industry would do in order to be trained up or get education?
And how are some of the small businesses, are they working with
them to try to bring them in and pay for some of that?
Mr. DUFAULT. That is a great question, Congressman.
Some of our member companies have just developed their own
training programs because they need access to more folks that
will write software. And so one of our member companies in
Denver created a coding academy and they sort of focus on
cybersecurity measures and secure coding. I think that is one
of the things that training programs are trying to emphasize
right now but write software that is secure at the beginning.
It is sort of like what the Federal Trade Commission says about
privacy by design. If you are designing a software product,
build security into it. And so they have developed training
programs that have specific focuses like that. We also have a
member company, Bit Source in Kentucky that sort of specialized
in training former coal miners to code so that they would have
a bigger workforce base.
Mr. HAGEDORN. So one bill that we have introduced, I have
introduced, is the American Workforce Empowerment Act which
would enable people who have 529 education savings accounts to
use that for an array of different purposes, not just to go to
a 4-year college or whatever. It seems like there could be
areas here where folks could utilize those types of money in
order to get into your industry. So I would encourage folks to
cosponsor that bill and try to get things moving for you.
Thanks very much.
Mr. DUFAULT. Thank you.
Chairwoman VELAZQUEZ. The gentleman yields back.
Now we recognize the gentleman, Mr. Phillips from
Minnesota, Chairman of the Subcommittee on Oversight,
Investigations, and Regulations for 5 minutes.
Mr. PHILLIPS. Thank you, Madam Chair.
Ms. Cornish, you mentioned the DOD program that makes
funding available to contractors to perform assessments and
take steps to defend against cyber threats, of course. And we
all know that large firms like Intel and Google engage in what
are called bug bounty programs that provide rewards for
identifying security threats and vulnerabilities on their own
platforms. And just last month, CISA had launched the first
Federal Civilian Security Vulnerability Disclosure program--
boy, that needs an acronym, I think--to work with the hacker
community to secure its networks. So would you support the
establishment of a fund at SBA or NIST or CISA to support small
businesses that want to partner with bug bounty programs and
identify and repair weaknesses in their cyber defenses?
Ms. CORNISH. Certainly. That is a wonderful idea.
Mr. PHILLIPS. I like those easy answers. Thank you.
Ms. Todt, how do you feel about that notion?
Ms. TODT. I can continue to make it easy for you.
Absolutely, because I think small businesses need to be told
not only what to do but what is going on and the reasons behind
that. And I think the bug bounty programs help to demonstrate
where the threats are coming from. And as Graham said earlier,
if they can understand that approach, then they have a better
education for their employees, as well as for the businesses
themselves.
Mr. PHILLIPS. Wonderful. I appreciate that and happen to
feel the same.
Ms. Nichols, I want to thank you for your services that you
are providing to your community. You are bridging the gap for a
lot of businesses who need guidance about how to protect
themselves and their customers from malicious attacks.
Not long ago I Chaired an Oversight and Investigations
Subcommittee hearing that examined the challenges facing small
businesses seeking to adopt a CMMC certification and enter into
Defense Department contracts. At that hearing, we learned that
when the initiative is fully implemented, it has the potential,
the likelihood to shut out small firms who lack the expertise
or resources to navigate that certification process. So if this
Committee considers legislation empowering SBDCs to lead
cybersecurity outreach to small businesses, how would you
recommend that we instruct SBDCs to incorporate guidance about
CMMC into their outreach and training?
Ms. NICHOLS. Thank you for the question.
So last year, our association embraced the CMM model and we
recognize that we would not ever provide the certification
piece of that but we felt that their levels one through three
is something that we could embrace on the education piece. And
so we have worked with our association to develop a training
model to prepare the small businesses so that they will be
prepared, maybe not just for the DOD or defense contracts or
contracts with the federal government, but also just the
general small businesses.
So to prepare the SBDCs, I think that we are already on
that pathway because we did recognize that this would be a good
partnership and I hope that answered that question.
Mr. PHILLIPS. No, it did. Absolutely.
And I just want to thank our Chairwoman and Ranking Member
for holding this hearing. I cannot help but think that this
issue is going to grow in importance and it is our
responsibility to ensure that small businesses can defend
themselves and, of course, their customers.
So with that, I yield back.
Chairwoman VELAZQUEZ. The gentleman yields back.
Now we recognize the gentleman from Pennsylvania, Mr.
Meuser, Ranking Member of the Subcommittee on Economic Growth,
Tax, and Capital Access for 5 minutes.
Mr. MEUSER. Thank you, Madam Chairman. And thank you to our
Ranking Member.
So, certainly an interesting conversation. Interesting
hearing. In 2020, I think it is no surprise to any of us that
ransomware attacks were up double, over 102 percent. So let me
ask, let me start with Mr. Dufault, if I can.
The cyber attack, cybersecurity insurance I understand is
through the roof as far as expense goes. So is there any group
plan that any of your organizations perhaps work to try to
bring down that cost and create that as an opportunity for
businesses?
Mr. DUFAULT. I think, absolutely, thank you for the
question, Congressman. Cybersecurity insurance is very
expensive. I think Ms. Todt might have a good handle on this as
well. But for our member companies, they are looking for
affordable options here and they are looking for--and also as
Ms. Todt pointed out, $4 million is what it costs a small
company to have a cyber incident. So the level of investment
and the frequency with which our member companies are targeted
kind of leads us to believe that we are going to have to invest
a little bit more, even though we are small companies. And so I
will just say that, you know, they are willing to invest a lot
in cybersecurity insurance and in other measures but we are
definitely looking for those plans that will be group plans or
other ways of making the risk pool a little more affordable.
Ms. TODT. If I may add to that. So I think cyber insurance,
it is a challenging sector right now. The Cyber Readiness
Institute has focused a lot on it this year. The challenge is
that if you are a small business and you do not have cyber
insurance you are often seen as being negligent. But if you are
truly evaluating on an ROI perspective, it does not always make
financial sense.
There is a great opportunity for the insurance industry to
step up to say you have to do these basics in order to be
covered. That will both help the premiums stay down and it will
also create a momentum shift in doing the basic cyber standards
without having to talk about regulation or anything like that.
It is the choice. It is like a good driver discount. If you do
well by these standards then we will cover you. And I think
that is where the insurance industry really has an opportunity
to improve what it is doing.
Mr. MEUSER. I imagine the IT companies as well would find
some protection measures by charging for added security. And I
know that is certainly occurring as well.
In my district it is not like any other. I have many small
businesses, medium sized businesses, large businesses getting
hit, some more than once. Some pay, some do not. And they work
their ways around it but usually at quite a cost. Sometimes
just being shut down for 6, 7, 8 days. So it is a serious
issue.
I want to just backtrack for a moment. We had a hearing
with the Department of Defense, Cybersecurity Maturity Model a
few weeks back and we saw that small businesses that made for
the defense industry, it was very difficult to get the type of
levels of security that they wanted. In fact, I have one
business in my business that spent over $100,000 and they are
not even exactly sure what level that they are. They think they
are at level three. So it is discussed in the Mississippi SBDC
how small businesses would, or I guess my question is, are your
models helping gain compliance for the DOD?
Ms. NICHOLS. So ours is through education and training
because we cannot, and we can also provide guidance so that we
can say, you know, here is our situation. We can give them some
information. Again, we cannot provide that certification but
the education piece, and we have really outlined it so that it
is very clear. We have created training specifically right now.
All it is posted is for level one because we believe that is
basic hygiene. And it is raising that awareness. And to
reiterate, it is important that they have that basic
understanding so that they can get that certification. A lot of
people do not think it is attainable because they do not
understand. And if you can educate them that it can be very
simple but yet very effective to get them to that level one
through level three.
Mr. MEUSER. Okay. All right. Thanks, Ms. Nichols.
Ms. TODT. Congressman, if I may just add a quick point to
that because we are actually working with Cyber Hawaii and the
Department of Defense to create a primer to help small
businesses get ready for CMMC. And it is taking that point
where most small businesses are, which is with no
understanding, and getting them ready for CMMC. And it is a
model that we hope to be able to replicate across the country
because it addresses the points that you are calling out which
it can be very costly and take a lot of time without the right
preparation.
Mr. MEUSER. Last quick question. I am out of time.
Does cryptocurrency affect this whole situation?
Ms. TODT. I think an unregulated monetary currency that is
being used for a malicious and criminal act cannot be expected
to be a positive force. If we are using cryptocurrency, it
should be regulated along other international monetary sources.
Mr. MEUSER. Thank you, Madam Chairwoman, I yield back.
Chairwoman VELAZQUEZ. The gentleman yields back.
The gentlelady from Illinois, Ms. Newman, is recognized for
5 minutes.
Ms. NEWMAN. Thank you, Madam Chair, and thank you Ranking
Member for putting this discussion together. Very helpful. And
thank you to our guests, illuminating and really helping us
understand the gravity and depth and width of this problem.
So mine is pretty simple, my line of questioning, and I
think it is likely for Mr. Dufault or Ms. Todt. So we are
looking at all these things to help small businesses. I think
all the suggestions today have been fantastic and we should
look at it as a Committee for sure to see if there is
legislation there to support small business.
My question is the other lane. So deterrence. Right? So how
is the SBA and all of these organizations represented here
working with law enforcement, whether it is FBI or CIA, once
these attacks occur, are they following them? Are they tracking
them? Are they investigating? What is happening there? And then
do you have any suggestions around deterrents? And what would
that model look like?
I will ask Mr. Dufault first.
Mr. DUFAULT. Thank you for the question, Congresswoman.
I think when it comes to the deterrents, one idea that we
talked about here and some of the witnesses mentioned was sort
of creating a clearinghouse for information sharing through SBA
but perhaps co-locating it with Department of Homeland Security
so that it is rapid intelligence sharing and that the Federal
agencies are on the same page. With that kind of apparatus that
kind of says to cybercriminals, well, I guess there is a good
mechanism in place for folks to learn about what I am trying to
do to deceive my intended targets. And that, in and of itself,
can be a little bit of a deterrent because suddenly you are
talking, back to cybercrime as a business, you are increasing
the cost of the attack because you might have to do a little
bit more to try and trick that one person that you need to fool
to get into the network. So that can go towards deterrence. And
sort of co-locating the SBA center with DHS can help advance
threat sharing and SBA's role as just sort of a facilitator of
information getting to law enforcement agencies is maybe the
appropriate role for SBA as well.
Ms. NEWMAN. And then Ms. Todt?
Ms. TODT. Yes. Building off of that, I think when we can
share the techniques, tactics, and procedures, the TTPs with
other businesses then they are aware of what needs to happen.
And I think that is one of the challenges that we have had, and
we saw this with Colonial Pipeline when Colonial did not share
what was going on the government was not able to then
distribute that TTP that was being used. And, oftentimes, what
we learn from large businesses we can apply to small
businesses. And so to Mr. Dufault's point, sharing the TTPs.
Also, when we talk about deterrence, we have to prosecute
criminals. The biggest challenge we have right now is that
ransomware is going to continue to be a very lucrative business
because you can do it without getting prosecuted and having any
repercussions. And so particularly for small businesses, this
is one of the challenges. And this is also why reporting
incidents and also when there is ransomware that particularly
small businesses have to pay to stay viable, being able to
share that with the government so that you can help to
prosecute the criminals, this gets us to a better place.
Obviously, we have talked about all the liability protections
that come with that but we are only going to be better if we
have better exchange of the attacks that are being used and the
tactics and the techniques.
Ms. NEWMAN. So if I may follow up, and either of you can
answer, is it that companies, small businesses are not
reporting these? Or is it that when reported they cannot be
investigated for whatever reason or are not being investigated?
Is it both or is it either?
Ms. TODT. You go first.
Mr. DUFAULT. Yeah, Congresswoman, I think it is both. There
is a real reluctance I think among small companies to notify
authorities and to notify maybe others of either an
unsuccessful or a successful attack, especially the successful
attacks because they are sort of an automatic conclusion that
folks draw fairly or unfairly that the company that is subject
to a successful breach was not taking the proper measures to
secure their networks. And so there is a lot of underreporting
I think.
Ms. NEWMAN. I think that needs to be a part of any
communication or kit that any of your organizations put out,
SBA puts out, and we can follow up. And if you can include
those recommendations in the recommendations that Congressman
Mfume talked about, I think that that would be great for the
Committee to take up as a whole. So I do appreciate your work
and thank you for sharing today. And I yield back.
Chairwoman VELAZQUEZ. The gentlelady yields back.
Now we recognize the gentlelady from New York, Ms. Tenney,
for 5 minutes.
Ms. TENNEY. Thank you, Chair Velazquez and Ranking Member
Luetkemeyer for this, and to our witnesses. I really appreciate
you being here.
I have a couple of questions. First, Ms. Cornish, in your
testimony you described your newest initiative surrounds the
critical lack of skilled, diverse cybersecurity professionals to
protect critical infrastructure and essential services. Do you
find that this shortage is in urban and rural communities? And
how can we meet those needs? And I am particularly curious
because we are looking at rural broadband in our communities
and trying not do, based on a municipal level, just like we
have municipal electricity and others, and that is going to be
particularly interesting to us as we move into that realm. And
how is that going to be something your taskforce is going to be
looking into?
Ms. CORNISH. Certainly. I think that is a huge challenge,
the lack of broadband, especially in rural communities,
especially when you are thinking about small and medium-sized
businesses. And really, how the workforce is distributed;
right? You want to make sure that your rural areas are still
competitive for that.
So our main task in the workforce initiatives is really to
connect the dots. We have 17 centers of excellence in Maryland
alone for cybersecurity, yet we have 19,000 unfilled positions.
So for us, it is really creating comprehensive and wraparound
services and connecting those who are doing the training with
those who really need the work. And to the point made already,
in small businesses it can be really challenging to take on
that training yourself. It can be challenging to have the
manpower to do that training and to support that. So we are
really looking to see how we as an association can take away
and kind of pool together all of our resources to put less onus
on the small businesses who really need that workforce.
Ms. TENNEY. More and more small businesses are going to be
depending on this rural broadband that we are trying to
explore, and actually, we have a test site in my own community
of Sherburne, New York, where we are going to be having
municipal broadband opportunities which we are trying to do
anything to minimize the risk of cyber attacks which is my
concern, and also on this, and I would like to address it to
the other witnesses. I know that SBA is going to be designated
as the single Federal entity for the small business
cybersecurity information sharing.
I have a concern though. I come from New York State and
there was a point in time where we consolidated all of our
services, including all banking and insurance into the New York
State Department of Financial Services and we felt that that
could put us at great risk for cyber hacks because the
government typically does not have, and the taxpayers are
paying for maintenance of this when banks were spending
billions of dollars to protect their customers. Because of the
liability and insurance was referenced before, how can we make
sure that SBA is going to be able to handle this kind of burden
and making sure that our small businesses are going to be
protected when you are consolidating this type of issue? I do
not know if you want to address it, either Mr. Dufault or----
Mr. DUFAULT. Sure, Congresswoman. It is a great question.
That is one of the reasons that you see some hesitancy among
the member companies and other small companies that are being
asked to share data with Federal agencies. The question is,
well, we have seen the recent headlines where other Federal
agencies and maybe SBA have been the victims of compromise. So
they want to be assured, basically, that these Federal agencies
are taking the steps that they need to take to ensure that that
data is protected adequately and that all of the personnel that
work at these agencies are observing the proper protocols
because as we have discussed throughout this hearing, all it
takes is just the one employee that has the weak password or
that otherwise makes the wrong move to compromise the network.
And so, anything that the Committee can do to ensure that there
are greater resources, more accountability and other levers
that would ensure that the agency is taking the proper
precautions, those would help our cause quite a lot.
Ms. TENNEY. Yeah. Thank you. Because I have concern as a
small business owner. We obviously spend a lot of money in
making sure we do not get hacked. We have a lot of heavy data
downloads in our business. And so to be hacked at some point
and finding out that it is SBA without any duplication of
protections or redundant storage areas, where are we going to
be? And that concerns me.
I do not know if anyone else wanted to weigh in on it.
Ms. TODT. If I may, Congresswoman. Yes.
Ms. TENNEY. I have got 30 seconds left.
Ms. TODT. Yes. Absolutely. I think certainly when we talk
about a single point of success, it is also a single point of
failure. But that is really what the new money and the new
authorities for CISA are supposed to address. And I believe if
we look at agencies, SBA is not going to be the only agency
that has this type of responsibility and this type of
challenge. And so what we should expect and you are seeing some
of the beginnings of this happen already, which is looking at
how CISA will work with the agencies to ensure that there is
that redundancy and that resilience built in. Because, as we
know, small businesses cannot afford to not have that safety
net. But again, with those additional authorities, this is not
going to be SBA on its own. It will be SBA in collaboration
with the other cybersecurity infrastructure and the federal
government.
Ms. TENNEY. Thank you. I appreciate it. Great testimony.
Thank you.
Chairwoman VELAZQUEZ. The gentlelady yields back.
Now we will recognize the gentlelady from Pennsylvania, Ms.
Houlahan, for 5 minutes.
Ms. HOULAHAN. Thank you, Madam Chair. And thank you to
everybody for joining us today. And I think I would like to
follow up on many of the different lines of questions that we
have heard today. They all seem to have a real common thread.
One is to try to understand how much of all of this has to do
with just changing culture and changing the ways that people
perceive their responsibility and their role in cybersecurity
for their companies. I am trying to suss out, you know, that
seems to be a very large part of the problem. And then kind of
the other 20 percent of the problem seems to be what kind of
software and hardware that you should have and you should
invest in the types of teams that you should have to be able to
protect from the rest of the 100 percent of the universe. My
understanding is that is in the thousands of dollars of range
in cost. My understanding is that the consequences is in the
millions of dollars of range in cost. My other understanding
having run and owned and operated a lot of businesses and been
responsible for IT is that there is a need for seats or logins
for some subset of software that people do not have the ability
to afford. Is there any sort of universe where, imagine a
cloud, imagine, you know, certified or approved vendors that
are part of that cloud that the Small Business Administration
can administer or some other organization can administer that
would allow you to pick up logins rather than seats so to
speak, you know, to be able to defray the costs that small
businesses are experiencing in their cybersecurity? Is that
something that already exists and I just do not know about it?
Is that something that could be useful to design is sort of a
clearinghouse of software that would defray the costs for
smaller businesses?
And I guess, Mr. Dufault, you seem to be doing most of the
conversation on that. And we will start there.
Mr. DUFAULT. Thanks, Congresswoman.
It is a good idea. And I think there could be a role for
SBA there, whether it is providing just a grant program or
funding or something more hands-on where the agency is sort of
designing a fulsome sort of program. So I think it is worth
discussing. It is a good idea and I think we would want to just
continue to engage on this because it is a need that was
identified sort of by a couple of our member companies and
that, you know, I think it is worth further discussion probably
at this point. Yeah.
Ms. HOULAHAN. Okay. Thank you.
Ms. Todt?
Ms. TODT. Thank you. It is actually something that we are
hearing from small businesses at the Cyber Readiness Institute
because we do not advocate for vendors but we are hearing we
need to have a clearinghouse to know which ones to turn to or
at least the general categories. And it is something that we
are looking at this year because we want to be prescriptive and
not leave everybody in the dark and recognize that when you
outsource the function as a small business, you still have a
responsibility and you do not outsource the responsibility.
If I may address your question about culture. I do think
this is the 80 percent component of cybersecurity, particularly
for small businesses. And cultural change takes a lot of time.
If we think about, we have all heard the analogies, seatbelts.
It was inconvenient for a long time and then you saw the safety
requirements. Or if you even make the analogy to physical
hygiene and health, we are not doctors, but we have learned
over time from doctors that we should have certain tests taken
on a regular basis. And so you do not need to be an ID
specialist to know that these are the basics that need to
happen.
And we have talked a lot about workforce training. And to
your point about culture, I think it is important when we see
all these cybersecurity positions that people out there
recognize it is not just about math and science. Cybersecurity
is interdisciplinary and we need capabilities and
qualifications in sociology, history, politics, psychology,
that those all play into this so that the workforce that we are
talking about for cybersecurity is much larger than I think we
conceptualize because it is not just math and science.
Ms. HOULAHAN. Ms. Cornish, anything?
Ms. CORNISH. Certainly. We have experience curating these
lists by business protocols and also specific needs. So if you
would like to speak further about building this clearinghouse,
I would be happy to answer that more specifically.
Ms. HOULAHAN. Thank you. I appreciate that.
And with what is left of my time, I want to focus on a
piece of legislation that I am a co-sponsor of, the Small
Business Development Center Cyber Training Act of 2021, which
would certify 5 or 10 percent of the number of employees of a
small business development center to provide cybersecurity
assistance to small businesses. If enacted into law, this
program would provide expertise to small business owners on the
proper steps towards cybersecurity.
With my last remaining seconds, what are some of the best
practices that SBA could showcase their cybersecurity efforts
on? Do you know also similarly of best practices that the DOD
has had? How can we encourage interagency best practice
sharing?
Ms. TODT. If I may, this is what the Cyber Readiness
Program is. We focus on four issues. Strong authentication,
which is a pass phrase of 15 characters or more. Phishing
training. Not using USBs but instead looking at the cloud. And
software updates. Helping individuals understand that every 24
hours they should actually download the patch. Those are our
foundation and I am certainly happy to talk to you more about
that because this is the core of how we can help small
businesses and I commend the act and the legislation.
Ms. HOULAHAN. Thank you.
And with that, I yield back, Madam Chair.
Chairwoman VELAZQUEZ. The gentlelady yields back.
Now we recognize the gentlelady from California, Ms. Young
Kim, Ranking Member of the Subcommittee on Innovation,
Entrepreneurship, and Workforce Development.
Ms. KIM of California. Thank you, Chairwoman Velazquez and
Ranking Member Luetkemeyer for holding this important hearing.
And I want to thank the witnesses for being with us today to
discuss the ways of strengthening our cybersecurity for small
businesses.
I am very troubled by the increase of cyber attacks. They
just seem to be designed not only for monetary purposes but
also to instill distrust in our economic system and our
institutions. Just between 2019 and 2020, our country saw 400
percent in cyber intrusions. Successful cyber attacks on our
small businesses also discourage future entrepreneurs from
establishing a small business and creating jobs. Some estimate
that 60 percent of small businesses go out of business within 6
months of a cyber incident.
So let's think about that. Cyber attacks are putting 6 out
of 10 of our entrepreneurs out of business. So given this
urgency of the moment, I was happy to join my colleague,
Representative Crow, to introduce the SBA Cyber Awareness Act
to find ways to improve the SBA's cybersecurity infrastructure
and share information with Congress if there is a reasonable
basis to believe that a cybersecurity incident occurred at the
administration.
Let me pose the question to all witnesses. Let me start
with Mr. Dufault.
In your testimony, you indicated that threat-sharing for
small companies is complicated because usually they lack the
resources to join and participate in information sharing at
analysis centers. Can you elaborate on what Congress can do to
incentivize higher participation of small businesses in NCCICs?
Mr. DUFAULT. Thank you, Congresswoman. It is a difficult
task to create an incentive that would really cause small
companies to participate in a robust way in these information
sharing enterprises. One of the ways that we can at least start
on that task is to provide potentially additional liability
protections at least, right, because the couple of issues that
small companies face when they are being asked to share
information about the threats that they receive or even
incidents that they are victims of is that, number one, the
reputational fallout will cost quite a lot of money, over and
above the cost of actually remediating the breach, and then
number two, it is just a matter of am I going to be liable for
anything associated with sharing this information? Whether it
is a privacy cause of action or just simply that they did not
take the precautions necessary to protect their networks. And
therefore, they run afoul of data security laws in the states
or at the Federal level, the Federal Trade Commission Act. So
it is the liability and the reputation. And so a good start is
to help them defray some of that potential liability.
Ms. YOUNG KIM. Ms. Todt, could you briefly elaborate on
that, too?
Ms. TODT. Thank you.
I think the other piece is that when we look at the supply
chains that small businesses are a part of, there is a
responsibility on the larger companies to work with them to
incentivize because those large companies, as we saw with
SolarWinds and Kaseya, can be taken down if the small businesses are
vulnerable. And there is a better infrastructure of support
that can happen within supply chains. And I think as we have
seen the interdependencies grow with the digital economy, this
is another opportunity to incentivize that engagement, that
threat sharing. We work with large manufacturing companies and
one of them has put out very specific efforts and information
to their small businesses to help them understand where the
threats are but also to facilitate that sharing because they
know that as a large company, if their small businesses get
taken down that will affect them. So there is more
responsibility and collaboration that can happen across supply
chains than we have seen before.
Ms. YOUNG KIM. Thank you very much.
You know, I am a big proponent of advancing STEM education,
especially with underrepresented communities to increase our
21st Century talent pipeline and our economic competitiveness.
So I am sure you understand the importance of STEM education
and computer science in training and expanding our
cybersecurity workforce.
How could our small businesses and our economy benefit from
increasing the cyber workforce?
Mr. DUFAULT. Thank you, Congresswoman.
One of the most significant problems my member companies
face is access to folks that are trained in software
development or computer science more generally. And so my
member companies would benefit quite a bit I think from
investments in K-12 education, but also in workforce
development programs.
I mentioned earlier that some of our member companies
developed these training programs on their own but there is a
role for Federal investment as well and that is why we support
the Computer Science for All Act and also the Master Teacher
Corps, which is a training program for K-12 educators to
provide computer science education.
Ms. YOUNG KIM. Thank you. I see that my time is up. I yield
back.
Chairwoman VELAZQUEZ. The gentlelady yields back.
Now we recognize the gentleman from Louisiana, Mr. Carter,
for 5 minutes.
Mr. Carter, you need to unmute.
Mr. CARTER. Yes, thank you.
Madam Chair and Ranking Member, thank you very much for
giving us this opportunity for this hearing. Much has been said
and many questions have been answered. But Ms. Cornish, if you
could perhaps touch on this and any other member, maybe Ms.
Todt can as well.
We know that we obviously are concerned about small
businesses and making sure that they have the security to
operate their businesses via Internet, and cybersecurity is
certainly an issue that touches us all. I know my credit card
has been breached several times with large companies. I will
not say what the company is but I will say that it has been
breached. And I know that they have all of the algorithms, all
of the security known to man to secure them. I know that cities
have had their systems breached. The City of New Orleans has
had ransomware. What have we learned from what the large
companies are doing that we can pass on to our smaller
businesses, best practices, if you will. Even at their highest
level of security they have still been caught in ransomware and
cybersecurity threats.
Ms. CORNISH. So I would reiterate the importance of human
behavior and training of our staff and our employers because in
addition to being our largest threat, they are also our largest
defenders. So we can empower them to treat data care instead of
cybersecurity and empower them to protect the data they are
entrusted with.
Additionally, I think the thing that has not been belabored
here a lot but as documented policies and procedures, there are
many holes that we are missing simply because there are not
checklists or we do not really understand all of our assets
that we are managing. So I think documentation and training is
key in this.
Mr. CARTER. But could you elaborate? If we talk about the
larger companies that have a robust security system where they
are empowered with significant tools to counteract these
threats, yet they are still caught in the lurch, if you will,
what can we as Congress, what can SBA, what suggestions would
you give us that we can aid in this battle? Because obviously,
on many fronts we are losing.
Ms. CORNISH. Sure. I think Ms. Todt's outline of the Cyber
Readiness Institute does a great job of how we can empower our
employees because, again, that is really our biggest threat.
Mr. CARTER. Ms. Todt, can you weigh in, please?
Ms. TODT. Sure. I think, you know, the good news and the
bad news is that these large companies are getting breached by
very basic attacks. So when we look at Colonial Pipeline, they
were breached because they were not using multi-factor
authentication, and they actually did not need to shut down the
pipeline. They were just worried about getting paid because
their payment system shut down. And so that showed the
interdependency of the systems and the importance of separating
IT technology with your operations. And so those lessons, the
sophisticated attack of a nation state adversary is separate
and distinct, but when we have seen the other issues with
SolarWinds and others, those are getting breached through
authentication. Through network access. And so what we are
talking about for small businesses, obviously at a smaller
level, really holds true for the large businesses as well. And
that is where I think we have learned the most from these
breaches over the last 6 to 12 months is that we have got to
create those basic standards in helping businesses do all of
those. And this is, again, we talked earlier about where I
think insurance companies can play a role and others to have
those incentives so that those basics become a requirement for
further resilience.
Mr. CARTER. And real quickly before my time expires. As a
member of Congress with tons of small businesses throughout my
congressional district, what can we do in the way of Town Hall
meetings or ways of better educating our small businesses in
our communities to utilize these resources? Are there leave
behinds? Are there handouts? Are there things that we can do?
We often do Town Hall meetings for various issues. This could
be one that certainly can benefit our small businesses. What
suggestions would either of you have as to how we could better
serve and provide resources? You have about 43 seconds.
Ms. TODT. What we have seen, what we are hoping to see with
CISA and with SBA is this collaboration of resources focused on
human behavior. So taking the work of the nonprofits and making
those available to you so that when you go to these town
meetings there is a simple, accessible, basic protocol. These
are the things you need to be doing on your personal devices as
well as your professional devices, an education campaign that
does this.
One of the points in my testimony talks about an awareness
campaign. If we get every business to use multifactor
authentication, the decrease in cyber attacks would be
exponential.
Chairwoman VELAZQUEZ. The gentleman's time has expired.
Mr. CARTER. Fantastic. Thank you very much.
Chairwoman VELAZQUEZ. Now we recognize the gentleman from
New York, Mr. Garbarino, for 5 minutes.
Mr. GARBARINO. Thank you, Madam Chair and Mr. Ranker for
holding this hearing.
As the Ranking Member on the Cybersecurity Subcommittee,
Department of Homeland Security Committee, I have learned a lot
over the last 6 months about cyber attacks and ransomware,
which is why I have worked on several pieces of legislation.
Ms. Nichols, this question is for you. Yesterday, I
introduced H.R. 4515, the Small Business Development Center
Cyber Training Act. I am honored to have the support of my
fellow colleagues on the Committee here, Mr. Evans and Ms.
Houlahan, and I encourage others on the Committee to co-sponsor
this bipartisan piece of legislation.
Small businesses often lack the resources or technical
knowledge to prevent cyber attacks, and with the high cost of
hiring specialized employees and cybersecurity experts, it can
be difficult to bridge the sizeable education gap. My bill
would help small businesses get the information they need to
implement their own cyber strategy and take appropriate steps
in the event of a cyber attack against their business.
Ms. Nichols, given your position as the state director of
the Mississippi SBDC, would you share your thoughts and provide
feedback on the bill, the Small Business Development Center
Training Act, please?
Ms. NICHOLS. Thank you. I have not reviewed the whole bill.
I was given a little bit of information this morning in regards
to that. However, just like Ms. Todt and several of the other
people said, communication and education and the consistent
messaging is very key. And I think that raising the awareness
to be able to be that voice for the small businesses and given
that information, I think we are at this time where we need to
create those base standards and create an information--I do not
want to say an overload--but be very consistent in how we
provide the information to our small businesses.
And as an SBDC, we have to serve all 82 counties of
Mississippi and so it is not just rural. It is every aspect.
And it does not matter if it is a small business, medium-size
business, or large business, they are still at risk. And I
think it is very important and we appreciate that the
government is passing this legislation or is attempting to in
proposing these bills because it is so imperative that our
companies are prepared for cyber.
Mr. GARBARINO. And we feel that since you already have the
employees and have been coming up with this program where your
employees, or at least a number of them are trained to address
these cyber issues with small businesses, especially ones that
you are helping develop and create and get started up, that
this would be very helpful.
I want to move to Ms. Cornish and Ms. Todt. You talked
about, in your testimony, Ms. Todt, you talk about doing a tax
credit. Ms. Cornish, you run an agency that deals with tax
credits. One thing I have seen is major corporations and
governments can spend a lot of money on cybersecurity. Small
businesses, they cannot. They cannot hire a dedicated person.
And it is not just about best practices. You know, okay, making
sure that you change your password. That is one thing that we
have to do and CISA has been great with that in coming up with
best practices and what businesses and small governments should
do, local governments should do. But there is also a cost of
keeping your system upgraded. You cannot just buy a good piece,
the best piece of equipment today because 6 months from now or
3 weeks from now it is going to be outdated. That is a heavy
cost especially for small businesses. Is a tax credit the best
way to help offset that cost? What is the best way to do this?
And Mr. Dufault, you can jump in, too, if you have an answer.
Ms. CORNISH. For us, it was a great place to start, but
certainly, I think there needs to be more incentive, financial
incentive, perhaps I heard some mention of grants, projects to
get that off the road because, as you mentioned, it does take
money to maintain it but there is certainly a lot of startup
costs that that could help defray as well.
Ms. TODT. Tax incentives are certainly not the only answer.
One of the things that we were looking at particularly with the
pandemic was could you use some portion of the PPP loans that
could turn into a grant if it were used towards cybersecurity.
And so looking at the tools available to small businesses for
money to incentivize them to allocate a percentage towards
cybersecurity. And I think it is a piece of the pie in all of
this and we have just got to find those tools that together can
help incentivize small businesses to be motivated to invest and
to understand why they need to be, the role that they have and
their vulnerabilities.
Mr. DUFAULT. I will mention, Congressman, it is a great
question and we are supportive of H.R. 4515. When we were
preparing it did not have an H.R. number yet but happy to see
that. And we are supportive. We were supportive last Congress,
too, of substantially similar legislation. So tax credit is a
great idea. I also do not want to underappreciate what our
member companies rely on when it comes to a software platform.
So app stores and operating systems and the ways in which they
harden those systems and ensure that unvetted software is not
accessing personal data, not accessing device features and
things like that, these are baseline practices that software
platforms use and that our member companies sort of rely on at
this point to ensure that there is protection from threats in
the mobile space in particular. And so that is a piece that I
think we want to make sure is on the record here. And so to
ensure that the Committee is sort of on the lookout for
proposals that would make it harder for companies to use those
measures.
Chairwoman VELAZQUEZ. The gentleman's time has expired.
Now we recognize the gentlelady from Georgia, Ms.
Bourdeaux, for 5 minutes.
Ms. BOURDEAUX. Thank you so much. And thank you to our
witnesses for joining us to discuss an issue that really is top
of mind for many small business owners, and large business
owners, which is cybersecurity.
In my home state of Georgia, we saw what happens when
critical infrastructure is not secured from cyber attacks when
the Colonial Pipeline attack left many of my constituents high
and dry at the gas pump for several days. But the Colonial
Pipeline is just one rather extreme result of cyber
vulnerability. The Department of Homeland Security, Secretary
Mayorkas said at a recent event that 50 to 70 percent of cyber
attacks are aimed at small to medium-sized companies, costing
an estimated $350 million in 2020. And this threat is not going
anywhere anytime soon. Ransomware attacks against smaller
businesses have increased 300 percent over the past year.
Listening to some of the testimony and discussions today,
it occurs to me that there are several ways that you can
approach this. And there are a lot of great ideas out there
about how to change the behaviors of small businesses,
training, you know, all of that kind of outreach. And that is
very, very important. But one other way to approach all of this
is to require the software that is sold to small businesses or
the products that are sold to them to be more conscious of
security and ways to protect from breaches.
And so I just wanted to check in with I guess Ms. Todt
might be a good person to talk on this, are there recommended
practices for software developers or for people who are selling
to small businesses to help protect them from cyber attack?
Ms. TODT. It is an important question and it is something
that we have spent a lot of time looking at. So to your point,
right now, the market does not incentivize security. It
prioritizes first to market, convenience, ease of use, before
security. As a result, we are seeing software go to market that
has holes and bugs in it that is not being secure. When you
look at the research that has been done, it is absolutely
possible to build secure software but the economic incentives
are not there.
So I commend what the Biden administration has done in the
executive order, which is to look at software transparency, a
software bill of materials to understand what goes into it, but
as a nation and as a government, we have to create. This is
where I do think regulations and standards around building
secure software need to be discussed because right now if you
look at where the vulnerabilities are coming from, often it is
because of holes in the software. The Kaseya attack most
recently was a result of that. And we have an opportunity to--
we call it secure by design, choose your phrase--but the idea
is building that safety and security. Again, if we use the car
analogy, we would not think about building a car without an
airbag anymore. And we have got to be thinking about safety and
security when it comes to software and hardware development.
Ms. BOURDEAUX. Thank you. It is very, very difficult to
change individual behavior at massive scale to deal with
security. It is much quicker if we could catch it early on
through the product itself.
Just kind of on that vein, and I do not know, Ms. Todt,
maybe you would have an answer on this or Ms. Cornish, what has
been done in terms of the policing side of things? So one of
the things we see an awful lot of is we have these attacks and
then, you know, we get out from under it somehow, we deal with
the ransomware situation, and then what kind of policing
capacity do we have or do we need to build up in order to bring
people who do this to justice?
Ms. TODT. This is a huge gap in our defense right now
because criminal actors are getting away with a lot of attacks.
And whether it is a simple lone wolf in the United States or it
is a nation state, but we have to be able to prosecute
criminals who are committing these types of actions. If you
think about Colonial Pipeline again, if someone had put a bomb
in that pipeline to prevent the gas and jet fuel from going to
the East Coast, we would have no qualms about what to do with
that individual. Essentially by shutting down--I live in
Virginia so I had a similar--we saw the lines a few blocks down
the road. There was an impact and it was a psychological impact
because people were afraid. And when we look at that type of
impact, we have to think about what are the repercussions for
these types of actions? And I think this is something that the
United States just should not do by itself. This is where we
would look to cooperate with our likeminded economic partners,
our allies, to understand what are the boundaries and the lines
that are being crossed for criminal actors, and what are the
consequences for this type of activity? Because even though we
are not seeing the immediate devastating effect if we look at
SolarWinds, the repercussions continue to cascade. And this is
why we have to create those boundaries and the definitions
around what is a criminal act and what are the consequences for
that act?
Ms. BOURDEAUX. Thank you so much.
I yield back the balance of my time.
Chairwoman VELAZQUEZ. The gentlelady yields back.
Now we recognize the gentleman from Minnesota, Mr. Stauber.
Mr. STAUBER. Thank you, Madam Chair and Ranking Member
Luetkemeyer for holding this. And to the panelists who spoke
with us today. Very informative.
As we have seen over the last few years, cybercrime is
becoming more and more common. The cyber attacks affect our
small businesses both directly and indirectly. Most recently as
we talked about, the Colonial Pipeline was hacked by the
Russians and created a huge gas shortage in the nation. Small
businesses that relied on any sort of transportation or travel
for daily operations were adversely impacted. While big
businesses have the capital to proactively protect themselves
from cyber attacks, as well as recover from them, small
businesses do not have that same luxury.
And so to the panelists, what can the federal government do
to help small businesses protect themselves from and/or recover
from cyber attacks? And does this assistance need to look
different for small businesses with 10 employees versus 100
employees and so on?
Mr. Dufault, go ahead.
Mr. DUFAULT. Congressman, that is a great question.
Congressman Garbarino and Congresswoman Houlahan mentioned a
bill that they just introduced which urged folks to support
H.R. 4515, which would require the Small Business
Administration to develop a certification program for SBA
employees and then to deploy them to SBDCs (small business
development centers), and to provide cybersecurity expertise
and counseling for small companies in the area that they cover.
That is one thing that the federal government can do, and a
little can go a long way in that respect because a lot of small
companies use SBDCs as sort of a clearinghouse for help in a
number of different ways. Now, if you had personnel there that
could help with cyber readiness but also, as you said,
remediating after a breach, that would be very helpful and that
is something that the federal government can do specifically
for small companies.
Mr. STAUBER. And I think that it is important to get that
small business back up and running as soon as practicable
because the days, I mean, you are losing a lot of money each
day.
If the other two witnesses would like to comment on that
question, please?
Ms. TODT. Sure. In addition to the piece of legislation
that was introduced, which just to reiterate, I think really
calls upon the resources of the Small Business Administration
by using SBDCs and the effectiveness of that. One of the things
that we recommend in a white paper at the Cyber Readiness
Institute earlier this year was an opportunity to curate the
resources that are out there. There are a lot of nonprofits, a
lot of organizations that are looking to help small businesses.
But if you are a small business, and this goes to another
question, that has been attacked, you often do not even know who
the first call should be. Is it an IT provider? Is it the local
police? And just being able to provide a prescriptive roadmap
for small businesses on incident response plans as well as what
to do when attacked, I think that this is something that CISA,
in coordination with the SBA, could just provide a resource and
curate those tools to help small businesses.
Mr. STAUBER. Well said.
Ma'am?
Ms. CORNISH. I would just add to that, having a documented
incident plan as mentioned is not often enough. People are in
panic. They are not taking the proper channels. So supporting
something or exploring something like we have in Maryland as a
Federal Cyber SWAT team or, you know, even organizing it maybe
at the SBDC level to have a response line to support small
businesses when they are going through a breach, to connect
them to the different types of resources they need.
Mr. STAUBER. Yeah.
And my last question, and this is specific to
cybersecurity, specific. What would you caution the government
from doing?
Mr. Dufault?
Mr. DUFAULT. One thing that comes to mind for us is, I
mentioned this a minute ago where a lot of our member companies
are specifically concerned with security in the mobile space.
So what measures are we taking to harden our devices and to
prevent unwanted software on our mobile devices? Because these
mobile devices now have very sensitive personal information on
them. Health care information, financial information, and then
real-time location data. So all of the measures that software
platforms take, (software platforms like the app stores and the
operating systems) to ensure that unvetted software and
software that has not been reviewed for security flaws is not
inadvertently downloaded via clickbait or some other vector.
Those are really important measures to be able to take. So I
would caution the federal government not to overreach on
antitrust, for example, because these are companies that are
larger firms that have a lot of customers and they are sort of
in the crosshairs right now when it comes to antitrust. There
are proposals in House Judiciary that would make it illegal to
take those measures to prevent access to personal data on
antitrust grounds. And we are very concerned with those.
Mr. STAUBER. Thank you. My time is up. And thank you very
much, and I appreciate this opportunity.
Madam Chair, I yield back.
Chairwoman VELAZQUEZ. The gentleman yields back.
The gentlelady from Texas, Ms. Van Duyne, Ranking Member of
the Subcommittee on Oversight, Investigations, and Regulations,
is recognized for 5 minutes.
Ms. VAN DUYNE. Thank you. Thank you much, very much,
Chairwoman Velazquez and Ranking Member Luetkemeyer.
Yesterday, the Biden administration announced China was to
blame for the sweeping cyber attack on Microsoft earlier this
year that left hundreds of thousands of small businesses
vulnerable to cyber intrusion. And then just a month ago
Russian hackers were able to cripple operations at both the
world's largest meat supplier and one of the largest pipelines
in the United States. In 2021 alone, cybercrimes could cost $6
trillion, which would make it the third largest global economy.
Cybersecurity, for a number of reasons, is very, very
important for small businesses, both real and rapidly
intensifying as we have heard today. It is a new way for our
adversaries to wage war. Companies need to be ready and we must
determine the appropriate role for the federal government in
prepping the businesses that we serve as the engine of our
economy. And while the need for improved cybersecurity is
clear, adding too many requirements can be overly complicated
and counterproductive. And one example is the DOD's new
cybersecurity assessment framework (CMMC). Last month, the
Oversight Committee, which I serve as the Ranking Member, we
held a hearing to review this program. And one image that just
stuck in my mind is the sheer amount of paperwork that was
needed for a small business to complete just to be certified. One
of the witnesses held up this three-ring binder that I swear
took him two hands to hold up because it was just so intense.
And pretty much most of their guidance was coming from LinkedIn
because DOD and SBA simply were not helpful.
So moving forward, we have to make sure that we have simple
framework, which is easy to understand, but also, companies
need to know how they can be secure, who they can turn to for
help and how to respond when they are attacked.
I want to thank the witnesses all for being here today, but
I also want to reiterate my concern that we are discussing such
a significant small business issue without a representative
from SBA present. And if we are going to have a collaborative
solution to address this matter, it is crucial that SBA is here
to at least demonstrate their willingness to discuss their
plans. And I hope they can join us in the future.
Ms. Nichols, in your experience working with small
businesses, when they have an issue regarding cybersecurity or
they get breached, who do they typically turn to for help? Is
it the SBA or a private partner? And who do you believe they
should turn to?
Ms. NICHOLS. That is a good question.
When they get to us, they are really not sure who to talk
to. They do try to reach to a private industry and to have help
with that. Because they do not initially think to refer to the
government, specifically SBA, because they do not know the
resources that are there and we would like to change that.
Ms. VAN DUYNE. Okay. That makes a lot of sense.
In your testimony, you said the average time--and this will
still be for Ms. Nichols--you said the average time to identify
and contain breaches is around 120 days. I am sorry, 280 days.
Can you explain why it takes this long and how Congress can
help to shorten that period?
Ms. NICHOLS. Well, it has to do with they have to find it
and they may not be prepared to figure out how to do that so
they have to hire and it is very expensive. And it is just like
any other IT issue. You have to rule out everything that is
going on. And again, I am going to default to this. I am a
state director. I do not run the department. And it is very
challenging because when you deal with a small business who
knows nothing and they have a data breach, that was not what
their initial concern is because they are delivering a service.
They are trying to make money. And so they are trying to still
stay in business and mitigate that data breach and get past
that. So that is just going alongside the business. And I am
looking at this as a business approach. It does take a long
time because they are not going to shut down while they try to
deal with this. They are going to try to keep it as far under
the table as possible and just keep moving forward. And it does
take time. So it does take time for any other type of disaster.
Ms. VAN DUYNE. So, no, I was not being critical that it
took so long. I am asking how can Congress help to shorten that
period?
Ms. NICHOLS. Oh, I do not know. I do not know. Any other
suggestions?
Ms. VAN DUYNE. Yeah. I was not being critical. This is just
how long it takes so what can we do to help?
Mr. Dufault, overall small businesses are unprepared when
it comes to cybersecurity. A recent report said that 70 percent
of small businesses are unprepared for a cyber attack and only
about half are allocating any money towards cybersecurity. With
small businesses running on such tight margins, especially
after a pandemic, how can we make it easier for small
businesses to be prepared without breaking the bank?
Mr. DUFAULT. It is a great question, Congresswoman. And
again, I go back to H.R. 4515, which would provide some
expertise via the Small Business Development Centers for
cybersecurity. And by creating a certification program in-house
at the SBA, you are creating a Federal resource that can be,
sort of that can reach a lot of small companies via on-the-ground folks that are at the SBDCs. And so that would go some
distance toward helping ensure that folks are aware of the
current cyber threats but also the best practices that Ms. Todt
has referred to on authentication, software updates, and just
training around social engineering and phishing scams. So that
is what I would point to.
Chairwoman VELAZQUEZ. The gentlelady's time has expired.
Now we recognize the gentleman from Wisconsin, Mr.
Fitzgerald.
Mr. FITZGERALD. Thank you, Madam Chair. Thank you very
much.
I do not want to rehash some of the earlier questions and
kind of discussions but let me go back to the idea of the cloud
and the applications associated with it. So maybe, Mr. Dufault,
you could comment.
Obviously, when COVID-19 struck, many of the businesses
moved to remote work and it seemed like the only way for them
to kind of survive what was going on. But they did switch up
kind of their cloud applications at the time. And you know, in
some instances that may have helped them streamline kind of
their business practices and they may adopt those permanently
now; right? But it also increased the security risk is the
assumption that is being made by some, not all, who think maybe
that is not the case. But you know, do you share those
concerns? And you know, I think it is something that small
business specifically struggles with because of not necessarily
having the resources and the personnel and the ability to kind
of track this on a regular basis. So I just wanted you to maybe
comment on that.
Mr. DUFAULT. Well, thank you for the question, Congressman.
And it is something that we are concerned about. As more work
is being done, more education is happening remotely, certainly
during the pandemic, and as you said, going forward, more
commerce I think, in general is going to be transacted in the
cloud and on smart devices. And so it does point to the need as
I mentioned earlier for us to allow software platforms, like
the app stores and the operating systems to take measures to
remove and keep out sideloaded software. That is where you
click a link accidentally and it downloads something onto your
devices. Those measures in place to keep that software off of
the device are really important.
I would also point to the fact that, for example, we have
got a member company in the Minneapolis area, Vemos, that
provides remote services for restaurants. So you can split a
check just with one click on your handheld device. I think
there is an assumption that if more of that is happening online
and over the Internet, that there are more potential attack
surfaces, and so I think that observation is correct and that
that should cause us and your Committee to look closely at what
the opportunities are to ensure that the threats are adequately
being dealt with and that small businesses are taking
precautions.
Mr. FITZGERALD. And some of these managed service
providers, you know, they are going to have to adapt kind of
new, standard operating procedures when it comes to cyber
hygiene; right? So I am just wondering, you know, how far
behind the 8-ball are we on this stuff? Because it came at us
so quickly and now trying to adapt to it, it is probably going
to take a while; right? I mean, we just do not have the ability
to make this kind of do a 180 like small business is being
asked to do.
Mr. DUFAULT. Well, one thing that came up earlier in the
discussion was, you know, are people at greater risk if they
are using on-premises servers? And that is not necessarily
true. And to your point that folks are using the Cloud a little
bit more, one of the aspects I pointed to in my written
testimony was the fact that if you are using off-premises Cloud
services, then you do have access to faster patches and
updates, software updates that can address the newest threats
and the newest vulnerabilities. Whereas, if you have on-
premises servers, you are manually installing those updates and
you are trying to keep up with those threats manually and on
your own. And you also do not have access to sort of the real-
time updates for indicators of compromise that others are
experiencing that are using the same Cloud service.
And so from that perspective, we may be in a little bit
better of a position to the extent that we are relying more on
Cloud services because we have better access to real-time
threat sharing and we have better access to real-time updates
to software. So that is one dynamic that sort of cuts the other
way that I wanted to point out.
Mr. FITZGERALD. Very good. Thanks for being here today. I
yield back, Madam Chair.
Chairwoman VELAZQUEZ. The gentleman yields back.
Well, thank you again to our witnesses for being here today
to testify on this critical topic. Your words have highlighted
the significant risks that small businesses face without
adequate cybersecurity measures. With more entrepreneurs online
and more bad actors looking for targets, cyber preparedness has
never been more important. Today's hearing has made it clear
that Congress must take an aggressive approach to shield small
businesses from cyber attacks. It is also vital that federal
agencies and the private sector continue to collaborate on
resources, training, and technical assistance to understand and
reduce small businesses' cyber vulnerabilities.
I look forward to working with my colleagues on both sides
of the aisle to make this happen as we consider three
cybersecurity bills at our markup next week.
I would ask unanimous consent that Members have 5
legislative days to submit statements and supporting materials
for the record.
Without objection, so ordered.
If there is no further business to come before the
Committee, we are adjourned. Thank you.
[Whereupon, at 12:11 p.m., the committee was adjourned.]
A P P E N D I X
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]