[Congressional Record (Bound Edition), Volume 162 (2016), Part 9]
[House]
[Pages 13290-13294]
[From the U.S. Government Publishing Office, www.gpo.gov]




          IMPROVING SMALL BUSINESS CYBER SECURITY ACT OF 2016

  Mr. CHABOT. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 5064) to amend the Small Business Act to allow small 
business development centers to assist and advise small business 
concerns on relevant cyber security matters, and for other purposes, as 
amended.

[[Page 13291]]

  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 5064

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Improving Small Business 
     Cyber Security Act of 2016''.

     SEC. 2. ROLE OF SMALL BUSINESS DEVELOPMENT CENTERS IN CYBER 
                   SECURITY AND PREPAREDNESS.

       Section 21 of the Small Business Act (15 U.S.C. 648) is 
     amended--
       (1) in subsection (a)(1), by striking ``and providing 
     access to business analysts who can refer small business 
     concerns to available experts:'' and inserting ``providing 
     access to business analysts who can refer small business 
     concerns to available experts; and, to the extent 
     practicable, providing assistance in furtherance of the Small 
     Business Development Center Cyber Strategy developed under 
     section 5(b) of the Improving Small Business Cyber Security 
     Act of 2016:''; and
       (2) in subsection (c)--
       (A) in paragraph (2)--
       (i) in subparagraph (E), by striking ``and'' at the end;
       (ii) in subparagraph (F), by striking the period and 
     inserting ``; and''; and
       (iii) by adding at the end of the following:
       ``(G) access to cyber security specialists to counsel, 
     assist, and inform small business concern clients, in 
     furtherance of the Small Business Development Center Cyber 
     Strategy developed under section 5(b) of the Improving Small 
     Business Cyber Security Act of 2016.''.

     SEC. 3. ADDITIONAL CYBER SECURITY ASSISTANCE FOR SMALL 
                   BUSINESS DEVELOPMENT CENTERS.

       Section 21(a) of the Small Business Act (15 U.S.C. 648(a)) 
     is amended by adding at the end the following:
       ``(8) Cyber security assistance.--The Department of 
     Homeland Security, and any other Federal department or agency 
     in coordination with the Department of Homeland Security, may 
     leverage small business development centers to provide 
     assistance to small businesses by disseminating cyber 
     security risk information and other homeland security 
     information to help small business concerns in developing or 
     enhancing cyber security infrastructure, cyber threat 
     awareness, and cyber training programs for employees.''.

     SEC. 4. CYBER SECURITY OUTREACH FOR SMALL BUSINESS 
                   DEVELOPMENT CENTERS.

       Section 227 of the Homeland Security Act of 2002 (6 U.S.C. 
     148) is amended--
       (1) by redesignating subsection (l) as subsection (m); and
       (2) by inserting after subsection (k) the following:
       ``(l) Cybersecurity Outreach.--
       ``(1) In general.--The Secretary may leverage small 
     business development centers to provide assistance to small 
     business concerns by disseminating information on cyber 
     threat indicators, defensive measures, cybersecurity risks, 
     incidents, analyses, and warnings to help small business 
     concerns in developing or enhancing cybersecurity 
     infrastructure, cyber threat awareness, and cyber training 
     programs for employees.
       ``(2) Definitions.--For purposes of this subsection, the 
     terms `small business concern' and `small business 
     development center' have the meaning given such terms, 
     respectively, under section 3 of the Small Business Act.''.

     SEC. 5. GAO STUDY ON SMALL BUSINESS CYBER SUPPORT SERVICES 
                   AND SMALL BUSINESS DEVELOPMENT CENTER CYBER 
                   STRATEGY.

       (a) Review of Current Cyber Security Resources.--
       (1) In general.--The Comptroller General of the United 
     States shall conduct a review of current cyber security 
     resources at the Federal level aimed at assisting small 
     business concerns with developing or enhancing cyber security 
     infrastructure, cyber threat awareness, or cyber training 
     programs for employees.
       (2) Content.--The review required under paragraph (1) shall 
     include the following:
       (A) An accounting and description of all Federal Government 
     programs, projects, and activities that currently provide 
     assistance to small business concerns in developing or 
     enhancing cyber security infrastructure, cyber threat 
     awareness, or cyber training programs for employees.
       (B) An assessment of how widely utilized the resources 
     described under subparagraph (A) are by small business 
     concerns and a review of whether or not such resources are 
     duplicative of other programs and structured in a manner that 
     makes them accessible to and supportive of small business 
     concerns.
       (3) Report.--The Comptroller General shall issue a report 
     to the Congress, the Administrator of the Small Business 
     Administration, the Secretary of Homeland Security, and any 
     association recognized under section 21(a)(3)(A) of the Small 
     Business Act containing all findings and determinations made 
     in carrying out the review required under paragraph (1).
       (b) Small Business Development Center Cyber Strategy.--
       (1) In general.--Not later than 90 days after the issuance 
     of the report under subsection (a)(3), the Administrator of 
     the Small Business Administration and the Secretary of 
     Homeland Security shall work collaboratively to develop a 
     Small Business Development Center Cyber Strategy.
       (2) Consultation.--In developing the strategy under this 
     subsection, the Administrator of the Small Business 
     Administration and the Secretary of Homeland Security shall 
     consult with entities representing the concerns of small 
     business development centers, including any association 
     recognized under section 21(a)(3)(A) of the Small Business 
     Act.
       (3) Content.--The strategy required under paragraph (1) 
     shall include, at minimum, the following:
       (A) Plans for leveraging small business development centers 
     (SBDCs) to access existing cyber programs of the Department 
     of Homeland Security and other appropriate Federal agencies 
     to enhance services and streamline cyber assistance to small 
     business concerns.
       (B) To the extent practicable, methods for the provision of 
     counsel and assistance to improve a small business concern's 
     cyber security infrastructure, cyber threat awareness, and 
     cyber training programs for employees, including--
       (I) working to ensure individuals are aware of best 
     practices in the areas of cyber security, cyber threat 
     awareness, and cyber training;
       (ii) working with individuals to develop cost-effective 
     plans for implementing best practices in these areas;
       (iii) entering into agreements, where practical, with 
     Information Sharing and Analysis Centers or similar cyber 
     information sharing entities to gain an awareness of 
     actionable threat information that may be beneficial to small 
     business concerns; and
       (iv) providing referrals to area specialists when 
     necessary.
       (c) An analysis of--
       (I) how Federal Government programs, projects, and 
     activities identified by the Comptroller General in the 
     report issued under subsection (a)(1) can be leveraged by 
     SBDCs to improve access to high-quality cyber support for 
     small business concerns;
       (ii) additional resources SBDCs may need to effectively 
     carry out their role; and
       (iii) how SBDCs can leverage existing partnerships and 
     develop new ones with Federal, State, and local government 
     entities as well as private entities to improve the quality 
     of cyber support services to small business concerns.
       (4) Delivery of strategy.--Not later than 180 days after 
     the issuance of the report under subsection (a)(3), the Small 
     Business Development Center Cyber Strategy shall be issued to 
     the Committees on Homeland Security and Small Business of the 
     House of Representatives and the Committees on Homeland 
     Security and Governmental Affairs and Small Business and 
     Entrepreneurship of the Senate.
       (c) Definition.--The term ``small business development 
     center'' has the meaning given such term in section 3 of the 
     Small Business Act (15 U.S.C. 632).

     SEC. 6. PROHIBITION ON ADDITIONAL FUNDS.

       No additional funds are authorized to be appropriated to 
     carry out the requirements of this Act or the amendments made 
     by this Act. Such requirements shall be carried out using 
     amounts otherwise authorized.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Ohio (Mr. Chabot) and the gentlewoman from New York (Ms. Velazquez) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Ohio.


                             General Leave

  Mr. CHABOT. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days to revise and extend their remarks and to 
include extraneous materials on the bill under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Ohio?
  There was no objection.
  Mr. CHABOT. Mr. Speaker, I yield myself such time as I may consume.
  It is an honor to serve as chairman of the House Small Business 
Committee. It affords me the special opportunity of hearing directly 
from the very men and women who help drive our economy--America's 
small-business owners.
  At a hearing several months ago, a small business owner shared his 
personal experience with a serious cyber attack. He said:

       I logged into our bank accounts, and to my utter horror, I 
     found that my balance was zero. This was a payday, and I was 
     terrified that the paychecks that were issued that day would 
     not clear. We were supporting a number of families, many of 
     which live paycheck to paycheck and could not have made it 
     without the paycheck we issued that day. I was also very 
     worried about our business' reputation since a restaurant 
     nearby had just bounced their paychecks, and the company 
     never recovered from the bad publicity they received from not 
     making their payroll.


[[Page 13292]]


  Stories like this show the real-world consequences of cyber attacks. 
Small businesses are at serious risk from a growing number of cyber 
threats.
  There is no doubt that the information technology revolution has 
provided small businesses with new tools and opportunities to compete 
in the global economy. However, technology changes mean hackers are 
coming up with more and more sophisticated methods to go after 
intellectual property, bank accounts, Social Security numbers, and 
anything else that can be used for financial gain or for a competitive 
edge.
  In 2015, the average amount stolen from small business bank accounts 
after a cyber attack was over $32,000; and according to a recent report 
by Verizon Enterprise Solutions, a shocking 71 percent of cyber attacks 
occurred in businesses with fewer than 100 employees.
  It is absolutely critical to both the economic and national security 
of this country that our small businesses have all of the necessary 
cyber tools to protect themselves from cyber attacks. Small businesses 
lack the resources to combat cyber attacks. The Federal Government 
needs to step up its game when it comes to protecting the cybersecurity 
of small businesses and individuals. That is why I support H.R. 5064, 
the Improving Small Business Cyber Security Act of 2016.
  This legislation will help small businesses that face cyber threats 
by providing access to additional tools, resources, and expertise 
through existing Federal cyber resources by allowing the Department of 
Homeland Security and other Federal agencies to provide assistance to 
small businesses through the Small Business Administration's non-
Federal partners, the Small Business Development Centers, or SBDCs. 
This increased coordination will lead to greater cyber support for 
small businesses.
  I commend Mr. Hanna for his hard work on this legislation. He has 
done a great job as chairman of his subcommittee. Unfortunately, he 
announced his retirement, and he will be leaving us after this term. He 
has really done a tremendous amount of work for small businesses all 
over the country because he, himself, has been a successful small-
business person; so he knows what the challenges are, and he has tried 
to put them to work in his years here in the House in helping small 
businesses all across the country. After all, 70 percent of the new 
jobs that are created in the American economy are created by small 
businesses, so they are absolutely critical. Again, I commend Mr. Hanna 
for his hard work on behalf of these folks.
  I urge my colleagues to support H.R. 5064.
  Mr. Speaker, I reserve the balance of my time.

                              {time}  2000

  Ms. VELAZQUEZ. Mr. Speaker, I yield myself such time as I may 
consume.
  I rise in support of H.R. 5064, the Improving Small Business Cyber 
Security Act of 2016. Technology has changed the way we all live, but 
none more so than for small businesses. It has afforded America's small 
employers a unique opportunity to sell their products not just 
nationally, but globally.
  Despite new occasions for economic growth, technology has also 
introduced profound risks. We hear too often of data breaches and cyber 
espionage. Yet, we never really think this could happen to us until it 
does. All it takes is one incident to have devastating impacts to small 
businesses. In fact, 60 percent of small entities go out of business 
after 6 months of being hacked.
  Clearly, cybersecurity should be a priority to protect our national 
security and economy. Failure to do so leaves us all at risk. Whether a 
business is adopting cloud computing or simply maintaining a Web site, 
cybersecurity should be part of their plan. However, only 31 percent of 
small firms take active measures to guard against such attacks, making 
them the ideal target for cybercriminals.
  A lack of awareness and the high cost to install security mechanisms 
leaves many small-business owners exposed. Those that are aware of the 
threat, like government contractors, must navigate demanding IT 
specifications and complex regulations in order to stay competitive and 
win Federal contracts.
  To help facilitate the preventive measures within the private sector, 
H.R. 5064, the Improving Small Business Cyber Security Act, will 
leverage the Small Business Administration's vast network of Small 
Business Development Centers.
  With 63 lead centers and 900 outreach locations, SBDCs have the 
capacity to reach small businesses throughout the country. They also 
have a proven record of assisting entrepreneurs with extensive courses 
in management and technical assistance. In the last fiscal year, SBDCs 
trained over 260,000 clients and advised almost 190,000 clients.
  This bill will utilize these existing resource partners by allowing 
the centers to assist small firms in developing and enhancing their 
cybersecurity infrastructure and employee training programs. The bill 
also calls for an SBDC cyber strategy to be designed to further support 
small employers to protect themselves, their employees, and their 
customers.
  This legislation ensures that our national efforts combating cyber 
attacks can be utilized by our Nation's more vulnerable businesses. We 
cannot continue to accept the bare minimum as our Nation seeks to end 
continued data breaches. Therefore, I ask my fellow Members to support 
this bill.
  Let me just take this opportunity, also, to commend the gentleman 
from New York (Mr. Hanna) for the great work that he has done on this 
issue.
  I reserve the balance of my time.
  Mr. CHABOT. Mr. Speaker, I yield 3 minutes to the gentleman from New 
York (Mr. Hanna).
  Mr. HANNA. Mr. Speaker, I want to thank Chairman Chabot, Chairman 
McCaul, Ranking Member Velazquez, and Ranking Member Thompson for the 
support of their committees on this bill. This bill was a collaborative 
endeavor and all of their staffs worked hard and long to help ensure 
this bill made it to the floor today.
  I also want to thank the bill's lead sponsor, Representative Kilmer, 
for working with us on this bipartisan legislation.
  America's small businesses are a critical part of our Nation's 
economy. There are 28 million small businesses, and in recent years 
they have increasingly become the victims of cyber attacks. By one 
estimate, nearly 70 percent of all cyber attacks are now being directed 
at our Nation's small businesses.
  The reason for this is clear. Small businesses too often lack the 
resources or the experience required to make prudent investments in 
cybersecurity.
  The Improving Small Business Cyber Security Act addresses this issue 
by empowering the more than 900 Small Business Development Centers 
across our country to provide cyber support to these small businesses. 
This support would be offered in accordance with a small business 
cybersecurity strategy, which would be developed jointly by the 
Department of Homeland Security and the Small Business Administration.
  Cyber attacks can decimate small businesses, potentially costing them 
tens of thousands of dollars to recover lost data and secure networks. 
It is clear to all of us that the upfront cost to invest in state-of-
the-art technologies are prohibitive for many businesses.
  This bill represents an opportunity to help small businesses bridge 
the knowledge gap in cyberspace by empowering the Small Business 
Development Centers to provide up-to-date relevant and cost-effective 
cyber support to service them.
  This bill also makes good financial sense. By relying on already 
existing programs and infrastructure, it improves the Federal resources 
we already have to ensure that they better work for America's small 
businesses and at no additional cost.
  I urge my colleagues to support this commonsense bill. Again, I would 
like to thank Chairman Chabot for his support.
  Ms. VELAZQUEZ. Mr. Speaker, I reserve the balance of my time.

[[Page 13293]]


  Mr. CHABOT. Mr. Speaker, I yield 3 minutes to the gentleman from 
California (Mr. Knight), a member of the Small Business Committee.
  Mr. KNIGHT. Mr. Speaker, we talk a lot about cybersecurity in the 
context of national defense, and rightfully so. As a Nation, we ought 
to take steps now to ensure our security into the 21st century. But 
this is an issue that affects so many people. One that often gets 
overlooked is the small business community.
  As small businesses increasingly rely on Web-based products and 
services, they offer themselves more and more attacks from 
cybercriminals. Increases in technology have resulted in more 
sophisticated methods of cyber attacks, including hacking, malicious 
software, physical error, and lost or stolen devices.
  Even a simple cyber attack can effectively destroy a small business. 
In fact, 81 percent of small businesses are concerned about a cyber 
attack, but only 63 percent have a cybersecurity measure in place.
  Many businesses do not feel that they have the adequate legal 
protections to share cyber threat indicators with the National 
Cybersecurity and Communications Integration Center, the NCCIC. It is 
clear to me that the public and private sector must work together to 
protect our small businesses.
  The Improving Small Business Cyber Security Act of 2016 eases the 
burden on small businesses facing cyber threats by providing access to 
additional tools, resources, and expertise through existing Federal 
cyber resources.
  I am proud to cosponsor this legislation, and it will lead to 
increased security for our small businesses, which will lead to greater 
growth and opportunities for them.
  I urge this Chamber to support this important measure.
  Ms. VELAZQUEZ. Mr. Speaker, I reserve the balance of my time.
  Mr. CHABOT. Mr. Speaker, I yield 3 minutes to the gentleman from 
Texas (Mr. Ratcliffe), who is the chairman of Homeland Security's 
Subcommittee on Cybersecurity, Infrastructure Protection, and Security 
Technologies, which handles cybersecurity and a number of other very 
important issues.
  Mr. RATCLIFFE. Mr. Speaker, I rise today in support of H.R. 5064, the 
Improving Small Business Cyber Security Act of 2016. I thank the 
gentleman from New York (Mr. Hanna) for leading the charge on this very 
important piece of legislation. I also thank Chairman Chabot for his 
leadership on the Small Business Committee and Chairman McCaul for his 
leadership on the Committee on Homeland Security.
  Mr. Speaker, American small businesses are on the frontlines in the 
battle against cybercriminals, but right now many of them lack the 
resources to combat this growing and sophisticated threat. America's 28 
million small businesses constitute 54 percent of our annual sales here 
in the United States and, because of that, they are under cyber attack 
like never before. The frequency and high costs of such attacks on 
small businesses is causing ripple effects throughout our economy right 
now.
  H.R. 5064 amends the Homeland Security Act to ensure that Small 
Business Development Centers can leverage existing cybersecurity 
programs at the Department of Homeland Security. Additionally, this 
bill requires the Department of Homeland Security and the Small 
Business Administration to jointly develop a cyber strategy for small 
businesses so that they can better utilize cyber programs from DHS and 
from the Federal Government.
  H.R. 5064 also requires a review by the Government Accountability 
Office of current cybersecurity programs offered by the Federal 
Government to small businesses.
  Mr. Speaker, Small Business Development Centers have been on the 
ground helping small businesses in this country for more than 30 years. 
They have a presence in virtually every community in this country. This 
bill provides them with tools, resources, and the expert guidance that 
they need to tap into the already existing cyber resources in order to 
better meet the 21st century needs of small businesses in this country.
  Small businesses, Mr. Speaker, are the life blood of the American 
economy, so we need to ensure that resources are available to all of 
them to combat these cyber threats. This bill works to achieve that 
goal.
  I, therefore, ask my colleagues to join me in supporting H.R. 5064.
  Ms. VELAZQUEZ. Mr. Speaker, I yield myself such time as I may 
consume.
  Our committee hears from small businesses too often about the cost 
and complexities associated with cybersecurity. With businesses having 
to be familiar with small business data regulations, ever-changing 
cyber threats, and the cost to install and maintain a cybersecurity 
system, many small-business owners wonder when they will have time to 
actually operate their business.
  The changes made by H.R. 5064 will unify our efforts and create a 
streamlined process for small employers seeking to install cyber 
safeguards. Utilizing the existing national network of SBDCs--many of 
which small businesses already seek assistance from--as a source for 
cyber education and awareness provides a critical tool for American 
entrepreneurs.
  I, once again, urge my colleagues to support this measure.
  I yield back the balance of my time.
  Mr. CHABOT. Mr. Speaker, I yield myself such time as I may consume to 
close.
  Mr. Speaker, I would, first of all, like to thank my colleague, 
Ranking Member Velazquez, for, once again, working in a bipartisan and 
cooperative effort. That is one thing on the Small Business Committee 
we always try to do, and we have a very good working relationship. I 
want to thank the gentlewoman for continuing that on this bill and 
bills in the past and, hopefully, bills in the future as well.
  Relative to cybersecurity attacks, we have seen the United States 
under a legion of attacks in recent years. They happen virtually every 
day. The Federal Government itself has been hit a number of times. The 
Office of Personnel Management had 20-plus-million personal individuals 
who had their files hacked in the government. We have seen the Postal 
Service, we have seen the State Department, and we have even seen the 
White House hacked. So it is a big problem.
  Now, this happens to large corporations. We have had some of the 
largest corporations who have really taken it on the chin, and 
literally it cost them millions of dollars. Corporations like Target 
and you name it, they have really been hit. They generally have the 
resources that they can recover from this. As detrimental as it is to 
their business, they survive.
  When this happens to small businesses, it may virtually be the death 
knell for them. You may have families who no longer have their source 
of support because the business just can't take a hit like this.
  In my opening statement, I mentioned the person who knew the 
restaurant down the street that it happened to them. The businessowner 
wanted to pay his employees, and he couldn't pay them because his 
balance was zero. So this is a serious threat.
  The small business community needs help. This is a step in the right 
direction. Representative Hanna, whom we have all praised, really does 
deserve the praise because he took this and worked very hard to get 
this bill to the point where we are here tonight. Hopefully we are 
going to pass the bill.
  So I think this is a great piece of legislation. H.R. 5064 would 
offer much-needed cybersecurity support to America's small businesses. 
It would also better coordinate the Federal Government's overall 
strategy in helping small businesses to thwart cyber attacks.
  I would urge my colleagues to support this bill.
  I yield back the balance of my time.

                              {time}  2015

  The SPEAKER pro tempore (Mr. Poliquin). The question is on the motion 
offered by the gentleman from Ohio (Mr. Chabot) that the House suspend 
the rules and pass the bill, H.R. 5064, as amended.

[[Page 13294]]

  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________