[House Hearing, 113 Congress] [From the U.S. Government Publishing Office] DATA SECURITY: EXAMINING EFFORTS TO PROTECT AMERICANS' FINANCIAL INFORMATION ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON FINANCIAL INSTITUTIONS AND CONSUMER CREDIT OF THE COMMITTEE ON FINANCIAL SERVICES U.S. HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS SECOND SESSION __________ MARCH 5, 2014 __________ Printed for the use of the Committee on Financial Services Serial No. 113-68 ______ U.S. GOVERNMENT PRINTING OFFICE 88-530 WASHINGTON : 2014 ____________________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected]. HOUSE COMMITTEE ON FINANCIAL SERVICES JEB HENSARLING, Texas, Chairman GARY G. MILLER, California, Vice MAXINE WATERS, California, Ranking Chairman Member SPENCER BACHUS, Alabama, Chairman CAROLYN B. MALONEY, New York Emeritus NYDIA M. VELAZQUEZ, New York PETER T. KING, New York BRAD SHERMAN, California EDWARD R. ROYCE, California GREGORY W. MEEKS, New York FRANK D. LUCAS, Oklahoma MICHAEL E. CAPUANO, Massachusetts SHELLEY MOORE CAPITO, West Virginia RUBEN HINOJOSA, Texas SCOTT GARRETT, New Jersey WM. LACY CLAY, Missouri RANDY NEUGEBAUER, Texas CAROLYN McCARTHY, New York PATRICK T. McHENRY, North Carolina STEPHEN F. LYNCH, Massachusetts JOHN CAMPBELL, California DAVID SCOTT, Georgia MICHELE BACHMANN, Minnesota AL GREEN, Texas KEVIN McCARTHY, California EMANUEL CLEAVER, Missouri STEVAN PEARCE, New Mexico GWEN MOORE, Wisconsin BILL POSEY, Florida KEITH ELLISON, Minnesota MICHAEL G. FITZPATRICK, ED PERLMUTTER, Colorado Pennsylvania JAMES A. HIMES, Connecticut LYNN A. WESTMORELAND, Georgia GARY C. 
PETERS, Michigan BLAINE LUETKEMEYER, Missouri JOHN C. CARNEY, Jr., Delaware BILL HUIZENGA, Michigan TERRI A. SEWELL, Alabama SEAN P. DUFFY, Wisconsin BILL FOSTER, Illinois ROBERT HURT, Virginia DANIEL T. KILDEE, Michigan MICHAEL G. GRIMM, New York PATRICK MURPHY, Florida STEVE STIVERS, Ohio JOHN K. DELANEY, Maryland STEPHEN LEE FINCHER, Tennessee KYRSTEN SINEMA, Arizona MARLIN A. STUTZMAN, Indiana JOYCE BEATTY, Ohio MICK MULVANEY, South Carolina DENNY HECK, Washington RANDY HULTGREN, Illinois DENNIS A. ROSS, Florida ROBERT PITTENGER, North Carolina ANN WAGNER, Missouri ANDY BARR, Kentucky TOM COTTON, Arkansas KEITH J. ROTHFUS, Pennsylvania Shannon McGahn, Staff Director James H. Clinger, Chief Counsel Subcommittee on Financial Institutions and Consumer Credit SHELLEY MOORE CAPITO, West Virginia, Chairman SEAN P. DUFFY, Wisconsin, Vice GREGORY W. MEEKS, New York, Chairman Ranking Member SPENCER BACHUS, Alabama CAROLYN B. MALONEY, New York GARY G. MILLER, California RUBEN HINOJOSA, Texas PATRICK T. McHENRY, North Carolina CAROLYN McCARTHY, New York JOHN CAMPBELL, California DAVID SCOTT, Georgia KEVIN McCARTHY, California AL GREEN, Texas STEVAN PEARCE, New Mexico KEITH ELLISON, Minnesota BILL POSEY, Florida NYDIA M. VELAZQUEZ, New York MICHAEL G. FITZPATRICK, STEPHEN F. LYNCH, Massachusetts Pennsylvania MICHAEL E. CAPUANO, Massachusetts LYNN A. WESTMORELAND, Georgia PATRICK MURPHY, Florida BLAINE LUETKEMEYER, Missouri JOHN K. DELANEY, Maryland MARLIN A. STUTZMAN, Indiana DENNY HECK, Washington ROBERT PITTENGER, North Carolina ANDY BARR, Kentucky TOM COTTON, Arkansas C O N T E N T S ---------- Page Hearing held on: March 5, 2014................................................ 1 Appendix: March 5, 2014................................................ 51 WITNESSES Wednesday, March 5, 2014 Fortney, David, Senior Vice President, Product Management and Development, The Clearing House Payments Company............... 
38 Garcia, Gregory T., Advisor, Financial Services Information Sharing and Analysis Center (FS-ISAC).......................... 36 Leach, Troy, Chief Technology Officer, Payment Card Industry (PCI) Security Standards Council (SSC)......................... 34 Mierzwinski, Edmund, Consumer Program Director, U.S. PIRG........ 39 Noonan, William, Deputy Special Agent in Charge, Criminal Investigative Division, Cyber Operations Branch, United States Secret Service................................................. 7 Zelvin, Larry, Director, National Cybersecurity and Communications Integration Center (NCCIC), U.S. Department of Homeland Security.............................................. 9 APPENDIX Prepared statements: Waters, Hon. Maxine.......................................... 52 Fortney, David............................................... 54 Garcia, Gregory T............................................ 57 Leach, Troy.................................................. 67 Mierzwinski, Edmund.......................................... 73 Noonan, William.............................................. 84 Zelvin, Larry................................................ 95 Additional Material Submitted for the Record Capito, Hon. Shelley Moore: Written statement of the American Bankers Association (ABA).. 101 Written statement of the Credit Union National Association (CUNA)..................................................... 111 Written statement of the Independent Community Bankers of America (ICBA)............................................. 116 Written statement of the National Association of Federal Credit Unions (NAFCU)...................................... 118 Written statement of the National Retail Federation (NRF).... 122 Heck, Hon. Denny: Letter to Financial Services Committee Chairman Jeb Hensarling requesting a data security hearing, dated January 10, 2014........................................... 136 Sinema, Hon. 
Kyrsten: Written responses to questions submitted to Larry Zelvin..... 138 DATA SECURITY: EXAMINING EFFORTS TO PROTECT AMERICANS' FINANCIAL INFORMATION ---------- Wednesday, March 5, 2014 U.S. House of Representatives, Subcommittee on Financial Institutions and Consumer Credit, Committee on Financial Services, Washington, D.C. The subcommittee met, pursuant to notice, at 10:03 a.m., in room 2128, Rayburn House Office Building, Hon. Shelley Moore Capito [chairwoman of the subcommittee] presiding. Members present: Representatives Capito, Bachus, McHenry, Pearce, Posey, Fitzpatrick, Luetkemeyer, Stutzman, Pittenger, Barr, Cotton, Rothfus; Meeks, Maloney, Scott, Green, Lynch, Delaney, and Heck. Ex officio present: Representatives Hensarling and Waters. Also present: Representatives Royce and Sinema. Chairwoman Capito. The subcommittee will come to order. Without objection, the Chair is authorized to declare a recess of the subcommittee at any time. I now recognize myself for the purpose of making an opening statement. Over the last 6 months, we have learned about a series of breaches of American businesses' data--millions and millions have had their personal data compromised. We will not know the true extent of the impact on American consumers until investigators from Federal agencies and private entities are done with the investigation. These breaches raise, I believe, really legitimate questions about the storage and usage of personal data by private industry. The prosperous have long sought access to this type of information, but the recent breaches demonstrated an evolving sophistication of attacks that seek to exploit and confuse consumers. As we have learned in previous subcommittee hearings, these criminals often reside in nations that fail to cooperate with United States law enforcement agencies. In some cases, these nations not only protect these criminals from prosecution but they celebrate them as heroes. 
The data these criminals steal is often sold on the black market and can potentially be used for fraudulent purposes. While possibilities for such fraudulent charges may be the source of stress and frustration for consumers, many payment networks have zero fraud policies to protect consumers from fraudulent transactions. Today, we will learn more about why these breaches are occurring, existing payment security standards, what happens during and after a breach, and new payment technologies authorized to help prevent future breaches. One area that is of critical importance is information- sharing, both during and after a breach. We have representatives from the National Cybersecurity and Communications Integration Center (NCCIC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) who will testify about the existing information-sharing efforts between the private sector and government agencies. On February 13th, members of the retail financial services communities publicly announced their efforts at information-sharing amongst all parties that are a part of the payment system. I applaud this effort instructing all parties to strive for a more efficient, thorough, and effective information-sharing system to prevent data breaches in the future. The final area that this hearing will cover is future payment systems that may provide consumers with a more secure method of transmitting their financial data. I have great interest in the progression and diversification of our payment system. In the past, we learned about developments in mobile payments. Today, we will learn about a cloud-based tokenization proposal which will transfer payments without the need to store significant amounts of consumer financial data. If sensitive payment data is not being stored unnecessarily, the payment systems could be much less attractive to future hackers. 
The high degree of innovation in the payment space is exciting for consumers, but we also need to ensure that the new payment systems that are developed increase the level of security and reduce the threat of future breaches. I would like to thank our witnesses for joining us this morning. Each of you plays a critical role in helping to prevent future data breaches. I now yield time to the ranking member of the subcommittee, Mr. Meeks, for an opening statement. Mr. Meeks. Thank you, Madam Chairwoman. In recent months, a number of banking and U.S. retailers including Target, Neiman Marcus, and Nike have announced data breaches which stole the payment card account and sensitive personal information of millions of Americans. Although forensic investigations of recent breaches are still ongoing, news reports and announcements by the retailers themselves indicate that these breaches may be the largest breaches ever in the history of our country as of today. On December 19, 2013, Target announced that 40 million credit and debit accounts had been compromised through its in- store credit card magnetic strips, allowing hackers to access customer names, credit and debit card numbers, and security codes. Less than a month later, on January 10, 2014, Target announced that the breach was significantly larger and that the personal information of 70 million customers was also stolen. Americans need to have the security that when they shop at a retail store, or when they use their credit or their debit cards, their account and personal information will be protected. We must make sure that happens. It is further troubling that we see the line fall behind Europe and Canada in terms of technology and security standards. 
Some reports even indicate that we are behind certain countries in Latin America and Africa, who are using the latest mobile technology for processing payments, as a result of the fact that they started late in adopting such technology, and therefore immediately adopted the latest innovations. We have to improve our technology to make sure that we are more up-to-date. We need to take our security more seriously in this country. The security breaches at Target were only reminders of existing national security issues, and there are, indeed, a lot of issues which we will seek to clarify in our hearing. How is it that this could happen in the world's most advanced economy and financial market in the world? What have we learned, and how do we prevent these serious incidents from ever happening again? And what technologies and standards need to be adopted instead so that we can protect Americans and the Nation? I want to thank all of the witnesses who are here, and I look forward to your participation and to listening to your testimony. Chairwoman Capito. Thank you. I now recognize Mr. Fitzpatrick for 2 minutes for an opening statement. Mr. Fitzpatrick. Thank you, Madam Chairwoman, for calling this hearing, and I also thank the witnesses for their time today. I spend a considerable amount of time at home--as do my colleagues--visiting my district, visiting with businesses and financial institutions, and also talking to their customers. Most if not all of these groups, when asked, would identify cybersecurity, identity theft, and national safety as a concern. My staff and I spent some time looking into this and quickly learned that hackers and thieves are by and large not only attacking financial institutions directly and literally downloading customers' bank accounts to either deceive people into giving up their security information or they are stealing outright from some other source. 
Those sources are many times unsuspecting businesses or financial institutions that are storing or transferring personal information in ways that are quite vulnerable to attack. That is not to say that the burden of data security lies disproportionately with any one group, but I think these facts speak to the importance of working in a collaborative manner on developing a system that protects personal financial data through the process--from the individual, to the business, to the processor, and then to the bank or credit union. There is a level of trust necessary for an economy to function in this new virtual era, where cash is becoming a preferred payment method for fewer and fewer people. I look forward to the testimony and hearing what these experts can share with us about how we can protect people from theft and maintain and possibly restore trust in our cybersecurity system. And I thank the Chair. Chairwoman Capito. Thank you. I now recognize Mrs. Maloney for 2 minutes for an opening statement. Mrs. Maloney. I want to thank you, Madam Chairlady, and Ranking Member Meeks, for holding this incredibly important hearing. I would say that most Americans have had their identity stolen, including myself, and it is very costly to law enforcement, and certainly to our stakeholders, our financial institutions, and individuals. And I am particularly interested in the second panel, the industry itself, and what they have to say on new technologies. Why can't we just protect the number and have transactions take place? This is something really, really important: When the data breach occurs, the party who is most exposed when you look at it is the consumer. It is typically the retailer that is in the best position to know about the breach, although it is often the bank who discovers the breach before the retailer because the bank notices a spike in fraudulent transactions and then traces it back to the retailer that was breached. 
In my opinion, this makes it all much more reasonable to make the banks and financial institutions liable for all the fraudulent transactions that occur after the breach. This would give the banks and financial institutions an incentive to invest publicly in fraud-detecting technologies, which are remarkably effective at identifying fraudulent activities on your credit or debit card. If retailers were liable for all fraudulent costs after a breach, then there would be probably like a legal Fort Knox. And if payment networks were liable, there would be more robust security systems, as well. The point is that sometimes assigning blame, and in this case, assigning liability, is, in fact, important, because it incentivizes different parties to invest or not invest in fraud-reducing technology to protect consumers and our overall economy and it makes it more difficult for criminals. So I really look forward to this hearing. I think it is incredibly important and I look forward to hearing of new innovations to protect identity and therefore, hopefully, our banking system. Thank you very much. I yield back. Chairwoman Capito. Thank you. I recognize Mr. Pittenger for 2 minutes for an opening statement. Mr. Pittenger. Thank you, Chairwoman Capito, for allowing me to properly make this opening statement. And thank you to each of the witnesses for coming today to testify. We are here today to listen to experts from Homeland Security and the Secret Service and representatives of industry to learn about the ongoing effort to protect our fellow citizens' private information. We have seen over the past several years advancements in technology when Americans shop to pay for goods. But with these new advancements certainly comes the responsibility of protecting the integrity of the system. 
As payment systems increasingly rely on electronic transmissions of personal financial data, Americans have a right and an expectation to know how that data is being protected, where it is stored, the extent to which the government has access to it, and the protocols that ought to be in place in private or public sector entities who mishandle, improperly disclose, or otherwise fail to ensure the security of personal financial information. Over the last 6 months, several American companies and universities have experienced significant data breaches--my wife and I had a breach just yesterday--and while the details of these breaches remain under investigation by Federal and State law enforcement authorities, these episodes have disclosed a serious threat to financial privacy and data security posed by individuals and criminal syndicates. We have to remain vigilant in our fight against these individuals and organizations. I know it is a difficult task to ask to be prepared to prevent 100 percent of the cyber attacks. But the consequences of not being equipped to handle the threat could ruin the lives and threaten the security of millions of Americans. Thank you again for coming before the committee, and I look forward to hearing your testimony. Chairwoman Capito. Thank you. I would like to recognize Mr. Scott for 2 minutes for an opening statement. Mr. Scott. Thank you very much, Madam Chairwoman. And this is indeed a very, very interesting and important hearing as more and more Americans shift to electronic payment systems and online shopping. One of my professors at graduate school in economics and finance was an economist, John Kenneth Galbraith, and he produced a book about 40 years ago called, ``The New Industrial State.'' I bring that up because he made a very interesting statement. 
He said, ``Very shortly we in our country, and perhaps around the world, will soon become the victims and servants of the very machine that was created to serve us.'' I think we are at that point now. As payment systems increasingly rely on electronic transmission of personal financial data, Americans certainly have a right and an expectation to know how that data is protected. They need to know where it is stored, who has access to that data, and to what extent. Americans have a right and an expectation to know the protocols that are and ought to be in place when entities, whether public or private, mishandle or improperly disclose or otherwise fail to ensure the security of their personal information. We have the big picture here. We have to hold everybody accountable. Financial institutions must be held accountable to the same accountability as our retailers. We have had over 110 million Americans impacted by this situation. Earlier, I had a very interesting conversation with one of our panelists, Mr. Troy Leach, and I think he is on to something here with the Security Standards Council. Perhaps we are indeed working on this, giving too much information, making too much information available, and that maybe we can cut down on some of that information so we don't make it so easy for hackers to access it. I look forward to the hearing, Madam Chairwoman, and I yield back. Chairwoman Capito. Thank you. I now recognize the chairman emeritus of the full Financial Services Committee, Mr. Bachus, for 2 minutes for an opening statement. Mr. Bachus. Thank you, Madam Chairwoman. One of Yogi Berra's most famous quotes is, ``It is deja vu all over again.'' A little more than a decade ago, this committee investigated a series of data breaches involving New York City restaurants, cable companies, retail businesses of all kinds, banks, universities, and all branches of government from local to State to Federal. 
People's credit was being ruined, and their good names being used for criminal purposes. But identity theft suddenly became a national issue. I remember this because I was chairman of the Financial Institutions Subcommittee at the time. I am proud of this committee because at the time, we held numerous hearings like the one today, that resulted in the Fair and Accurate Credit Transactions (FACT) Act or (FACTA), which was bipartisan legislation passed almost unanimously by this committee and signed into law by President Bush in December 2003. The legislation created a number of protections, which I am convinced have helped prevent numerous cases of identity theft over the last 10 years. That is why your full credit card number is no longer on store or restaurant receipts, and you can place fraud alerts on your credit report. Very significantly, it is why consumers are entitled to be provided with free copies of their credit report from the three major reporting bureaus. But I am having deja vu again because the same arguments that were being used then are being used again today against the adoption of marked chip and PIN cards. It won't be a total solution, and it wouldn't have prevented the Target breach, but it would prevent that information from then being used in credit transactions. It wouldn't be a total solution. It wouldn't be easy. It would be complicated. It would be expensive. All of that is true. It was then, and it is now. But still, something needs to be done. Let me close by saying, Mr. Noonan, you mentioned the National Computer Forensic Institute, and I want to compliment the Secret Service. They joined with the Alabama district attorney's office in the State of Alabama, Shelby County, and responded with that, and it has really helped, and I want to commend the Secret Service for that. That building that it is housed in was donated by a county and a city in Birmingham--a modern facility at no cost to the taxpayers. 
And it is a way that we can inexpensively respond with innovative thinking. The people being trained there--it is in his testimony on page 8, and I commend you for mentioning that. Thank you. Chairwoman Capito. Thank you. With that, I ask unanimous consent to allow members of the full Financial Services Committee who are not members of this subcommittee to sit in on today's hearing. Without objection, it is so ordered. And with that, I would like to recognize Ms. Sinema for 1 minute for an opening statement. Ms. Sinema. Thank you, Madam Chairwoman. And thank you, Ranking Member Meeks. I believe that it is critical for public and private sector leaders to continue to push for the development of a strong cybersecurity industry that can protect our economic and national security interests. The nature of cyber means that nongovernment institutions and private sector companies alike need tools and resources to protect Americans' personal information from cyber attacks. Several large companies such as Honeywell, Schwab, and America's Best have some or all of their security space in Arizona; and several smaller innovative companies like Bishop Fox and Securosis are among the significant and growing number of cybersecurity businesses in my home State. Arizona is a hub for innovation. We are ahead of the curve on tech growth, thanks to entrepreneurial programs at Arizona State University, the University of Advancing Technology, and America's community colleges. Thank you for the opportunity to highlight this critically important issue. Through your collaboration with government and innovative private institutions, I believe we can meet the cybersecurity challenges of today and tomorrow. Thank you, Madam Chairwoman. Chairwoman Capito. Thank you. Mr. Green, for 2 minutes. Mr. Green. Thank you, Madam Chairwoman. I will be pithy and concise. I would like to thank you for the hearing, and thank the ranking member, as well. 
And I would like to, if I may, indicate to the public that while a hearing is titled, ``Data Security: Examining Efforts to Protect Americans' Financial Information,'' the actual concern is much broader and much bigger. We are also concerned about medical information. We are also concerned about your travel history. We are concerned about the materials that you purchase--your reading materials. This has implications that are far-reaching, that can have an impact on privacy beyond which we can't imagine currently. I am excited about the hearing and I am interested to find out how we can prevent this kind of encroachment on privacy. I thank you, and I yield back. Chairwoman Capito. The gentleman yields back. All time has expired for opening statements, and I would like to welcome our first panel of distinguished witnesses. Each of you will be recognized for 5 minutes to give an oral presentation of your testimony. And without objection, each of your written statements will be made a part of the record. Our first witness is Mr. William Noonan, Deputy Special Agent in Charge, Criminal Investigative Division, Cyber Operations Branch, United States Secret Service. Welcome, Mr. Noonan. STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, UNITED STATES SECRET SERVICE Mr. Noonan. Good morning, Chairwoman Capito, Ranking Member Meeks, and distinguished members of the subcommittee. Thank you for the opportunity to testify on behalf of the Department of Homeland Security regarding the ongoing trend of criminals exploiting cyberspace to obtain sensitive financial and identity information as part of a complex criminal scheme to defraud our Nation's payment systems. Our modern financial system depends heavily on information technology for convenience and efficiency. 
Accordingly, criminals motivated by greed have adapted their methods and are increasingly using cyberspace to exploit our Nation's financial payment systems to engage in fraud and other illicit activities. The widely reported payment card data breaches of Target, Neiman Marcus, White Lodging, and other retailers are just recent examples of this trend. The Secret Service is investigating these recent data breaches and we are confident we will bring the criminals responsible to justice. However, data breaches like these recent events are part of a long trend. In 1984, Congress recognized the risk posed by increasing use of information technology and established 18 USC Sections 1029 and 1030 through the Comprehensive Crime Control Act. These statutes define access device fraud and misuse of computers as Federal crimes and explicitly assign the Secret Service authority to investigate these crimes. In support of the Department of Homeland Security's mission to safeguard cyberspace, the Secret Service has developed a unique record of success in investigating cyber crime through the efforts of our highly trained special agents and the work of our growing network of 35 electronic crimes task forces, which Congress assigned the mission of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems. As a result of our cyber crime investigations, over the past 4 years the Secret Service has arrested nearly 5,000 cyber criminals. In total, these criminals were responsible for over $1 billion in fraud losses, and we estimate our investigations prevented over $11 billion in fraud losses. Data breaches like the recently reported occurrences are just one part of a complex criminal scheme executed by organized cyber crime. 
These criminal groups are using increasingly sophisticated technology to conduct a criminal conspiracy consisting of five parts: one, gaining unauthorized access to computer systems carrying valuable, protected information; two, deploying specialized malware to capture and exfiltrate this data; three, distributing or selling this sensitive data to their criminal associates; four, engaging in sophisticated and distributed frauds using the sensitive information obtained; and five, laundering the proceeds of their illicit activity. All five of these activities are criminal violations in and of themselves, and when conducted by sophisticated, transnational networks of cyber criminals, this scheme has yielded hundreds of millions of dollars in illicit proceeds. The Secret Service is committed to protecting our Nation from this threat. We disrupt every step of their five-part criminal scheme through proactive criminal investigations and defeat these transnational cyber criminals through coordinated arrests and seizure of assets. Foundational to these efforts are our private industry partners as well as our close partnerships with State, local, Federal, and international law enforcement. As a result of these partnerships, we were able to prevent many cyber crimes, by sharing criminal intelligence regarding the plans of cyber criminals and by working with the victim companies and financial institutions to minimize financial losses. Through our Department's National Cybersecurity and Communications Integration Center, the NCCIC, the Secret Service also quickly shares technical cybersecurity information while protecting civil rights and civil liberties in order to enable other organizations to reduce their cyber risks by mitigating technical vulnerabilities. 
We also partner with the private sector and academia to research cyber threats and public information on cyber crime trends through reports like the Carnegie Mellon CERT Insider Threat Study, the Verizon Data Breach Investigations Report, and the Trustwave Global Security Report. The Secret Service has a long history of protecting our Nation's financial systems from threats. In 1865, the threat we were founded to address was that of counterfeit currency. As our financial payment system has evolved from paper, to plastic, and now digital information, so too has the investigative mission. The Secret Service is committed to continuing to protect our Nation's financial system even as criminals increasingly exploit it through cyberspace. Through the dedicated efforts of our special agents, our electronic crimes task forces, and by working in close partnership with the Department of Justice--in particular, the computer crimes and intellectual property section--and local U.S. attorneys' offices, the Secret Service will continue to bring cyber criminals who perpetrate major data breaches to justice. Thank you for the opportunity to testify on this important topic, and we look forward to your questions. [The prepared statement of Deputy Special Agent in Charge Noonan can be found on page 84 of the appendix.] Chairwoman Capito. Thank you. Mr. Zelvin, you are recognized for 5 minutes. STATEMENT OF LARRY ZELVIN, DIRECTOR, NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER (NCCIC), U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Zelvin. Chairwoman Capito, Ranking Member Meeks, and distinguished members of the subcommittee, thank you for the opportunity to appear before you today. In my brief opening comments, I would like to highlight the DHS National Cybersecurity and Communications Integration Center (NCCIC's) role in preventing, responding to, and mitigating cyber incidents, and then discuss our activities during the recent point-of-sale compromises. 
As you well know, the Nation's economic vitality and national security depend on a secure cyberspace where reasonable risk decisions can be made on digital goods, transactions, and online interactions so that they can occur safely and reliably. In order to meet this objective, we must share the technical characteristics of malicious cyber activity in a timely fashion so cyber defenders can discover, address, and mitigate information technology threats and vulnerabilities. It is increasingly clear that no single country, agency, company, or individual can effectively respond to the ever-rising threats of malicious cyber activity alone. Effective responses require a whole-of-nation effort, including close coordination among entities like: DHS's NCCIC; the Secret Service; the Department of Justice, to include the Federal Bureau of Investigation; the intelligence community; sector-specific agencies, such as the Department of the Treasury; private sector entities, who are simply critical to these efforts; and State, local, tribal, territorial, and international governments. In carrying out our particular responsibilities, the NCCIC promotes and implements a unified approach to cybersecurity, which enables the efforts of bringing these diverse partners to quickly share cybersecurity information in a manner that ensures the protection of individuals' privacy, civil rights, and civil liberties. As you may already know, the NCCIC is a civilian organization that provides an around-the-clock center where key government, private sector, and international partners can work together in both physical and virtual environments. The NCCIC is composed of four branches: the United States Computer Emergency Readiness Team, or US-CERT; the Industrial Control Systems CERT; the National Coordination Center for Communications; and Ops and Integration. 
In response to the recent retailer compromises, the NCCIC specifically leveraged the resources and capabilities of US-CERT, whose mission focuses specifically on computer network defense, including prevention, protection, mitigation, and response activities. In executing this mission, the NCCIC and US-CERT regularly publish technical and nontechnical information products analyzing the characteristics of malicious cyber activities and improving the ability of organizations and individuals to reduce risk. When appropriate, all NCCIC components have onsite response teams that can assist owners and operators at their facilities. In addition, US-CERT has global partnerships with over 200 CERTs worldwide that allow the teams to work directly with analysts across international borders. Increasingly, data from the NCCIC and US-CERT can be shared in machine-readable formats, such as the Structured Threat Information Expression, also known as STIX, which is currently being implemented and utilized. In the recent point-of-sale compromises, NCCIC/US-CERT analyzed the malware provided to us by the Secret Service as well as other relevant technical data and used these findings, in part, to create a number of information-sharing products. The first, which is publicly available and can be found on the US-CERT Web site, provides a nontechnical overview of risks to point-of-sale systems along with recommendations on how businesses and individuals can better protect themselves and mitigate their losses in the event of an incident that has already occurred. Other products have been more limited in distribution and they are meant for cybersecurity professionals and provide technical analysis and mitigation recommendations to better enable expert-level protection, discovery, response, and recovery efforts. As a matter of strategic intent, the NCCIC's goal is always to share information as broadly as possible.
These efforts ensured that actionable details associated with major cyber events are shared with the right partners so they can protect themselves, their families, their businesses and organizations quickly and accurately. In the case of the point-of-sale compromises, we especially benefited from the close coordination with the Financial Services Information Sharing and Analysis Center, or the FS-ISAC. In particular, the FS-ISAC's Payments Processing Information Sharing Council has been useful in that they provide a forum for sharing information about fraud, threats, vulnerabilities, and risk mitigation in the payments industry. In conclusion, I want to highlight again that we in DHS and across the NCCIC strive every day to enhance the security and resilience across cyberspace and information technology enterprise. At every opportunity the NCCIC, in close coordination with our partners, publishes technical and nontechnical products to better enable our national critical infrastructure, businesses, and our citizens to protect against cyber threats, while also providing onsite technical assistance whenever necessary. We will accomplish our mission through voluntary means, ever mindful of the need to respect privacy, civil liberties, and the law. I truly appreciate the opportunity to speak with you today and look forward to your questions. [The prepared statement of Mr. Zelvin can be found on page 95 of the appendix.] Chairwoman Capito. Thank you. And I am offering my sincere apologies to you, as the first panel, and to the next panel, and to the members of this subcommittee, but we are going to call a recess subject to the call of the Chair. We expect it to be a half hour, so that would be 11:05; hopefully, we can call back in sooner. Again, I apologize. [recess] Chairwoman Capito. I am going to go ahead and reconvene the hearing. Thank you for your patience. Mr.
Meeks will be here in a few minutes, but I am going to go ahead and begin my questioning so we can move along a little bit. Mr. Noonan, in your statement you mentioned that the Secret Service had either arrested or gotten 5,000 criminals. Was that the number that you used? Mr. Noonan. Yes, ma'am. Chairwoman Capito. Those, I assume, are all American citizens in the United States? Because we hear about how a lot of this is occurring offshore. Are you coordinating in any international fashion, or--if you could just kind of give me a little background on that? Mr. Noonan. Sure, ma'am. That figure comprises all of the cases that we have made arrests on that have any connection back to the use of cyber in those crimes. So to say that they are domestic or international, it is both. Chairwoman Capito. It is both. Mr. Noonan. Yes. We have a very unique success of bringing international, transnational cyber criminals to justice here domestically, but that figure that we have provided for you there is domestic and international. Chairwoman Capito. Okay. Mr. Zelvin, you are from Homeland Security, and Mr. Noonan is with the Secret Service. I think sometimes we find that when there is coordination between Federal agencies, who is in charge, I guess is always a good question. I know it is a collaborative effort, but who is really leading this in your mind, from your agency's perspective? Mr. Zelvin. Yes, ma'am. It is a team effort so there is a variety, depending on which area you are looking at. As you are looking at the law enforcement aspect, the Secret Service and the Federal Bureau of Investigation have the primacy, depending on the cyber case. When you look at the intelligence field, obviously the National Security Agency, the Central Intelligence Agency, and others have primacy, whether you are talking about electronics intelligence or human intelligence. 
We at the NCCIC specifically really focus on those network defense measures--understanding the intrusions, understanding how to plug those holes, and then preventing them from reoccurring. We have the responsibility, as well, of protecting the Federal dot-gov space, and that is a big part of our effort, and then we work across the private sector at 16 critical infrastructures, and as I mentioned in my opening statement, the international partnerships. Chairwoman Capito. Mr. Noonan, would you concur with Mr. Zelvin in terms of who is in charge or the coordinative aspect of what you are doing? I know we talk a lot about coordination, and both of you did in your statements, but I am trying to make sure that if Mr. Meeks and I say we are both in charge, but then something goes wrong, and I say, ``But he was in charge,'' so-- Mr. Noonan. Yes, for sure. In an investigation like this law enforcement generally takes charge of the investigative piece-- Chairwoman Capito. Right. Mr. Noonan. --and information-sharing we do through a bunch of different mechanisms. Our primary source for information-sharing is through the NCCIC, but we also partner, as well, with the FS-ISAC. Obviously, the Secret Service has a rich history of working in the financial services sector. Chairwoman Capito. Right. Mr. Noonan. So the FS-ISAC, who is going to be on the next panel, is another great partner that we use to push information out to the financial services sector. In addition to that, we have 35 electronic crimes task forces. And those electronic crimes task forces that we have aren't just made up of law enforcement; they are made up of the private sector, so we have members from the private sector working side by side with agents, where we share information back and forth, as well as academia. So that is another method that the Secret Service uses to push information that is going to better protect the private industry and the critical infrastructure that we have. Chairwoman Capito.
When there is a data breach from a retailer, say, such as what happened with Target--and I know the investigation is ongoing so not specifically that, I am just using it as an example--is the way that you are made aware of this through individuals whose cards have been corrupted, or does the company itself, whatever company it is, is it incumbent upon them to come to you? How does that reach your level of understanding of what is going on? Mr. Noonan. It depends on the case, ma'am. I brought up in my oral remarks that we have a proactive approach to law enforcement. And there is a reactive approach, in which the crime has already occurred, and we are chasing the clues back to the criminal to identify who the criminal is to affect an arrest. Chairwoman Capito. Right. Mr. Noonan. The proactive approach of what we do in law enforcement is we are out working with sources, we are out working undercover operations, we are working with private sector banking investigators, and in our proactive approach there are many times where we identify a potential breach before it has occurred. And we find that it is more valuable-- it is critical for law enforcement, then, to make notification to that industry, to that private sector partner, to be able to stop the crime from occurring. Chairwoman Capito. Okay. Let me stop you there because I am running out of time, but I am curious to know, in the case of a retailer where this could have an effect on their future sales, do you find that they are willing to make this breach public and really better inform everybody who could be affected by such a breach? Mr. Noonan. Again, it depends on the company-- Chairwoman Capito. Right. Mr. Noonan. --and it depends on the case, so-- Chairwoman Capito. Yes. Mr. Noonan. --I can't give you a yes-or-no answer. Chairwoman Capito. Right. You can see both sides of it. 
I would think more and more it is in the company's best interest, obviously, to be as open and transparent as possible in something of this nature. Mr. Meeks? Mr. Meeks. Thank you, Madam Chairwoman. Let me start with Mr. Noonan, and let me maybe ask a question that might not even be fair because I am going to ask you how to help me do my job. You urge Congress to take legislative action that could help to improve the Nation's cybersecurity, reduce regulatory costs on U.S. companies, and strengthen law enforcement's ability to conduct effective investigations. I think that was part of your testimony. And, I am sure that all parties agree with this in general, when you make the general assessment, but there are differing, at times, interests, and sometimes even competing interests that individuals would have. For example, there may be different interests between card issuers, merchants, and consumers. They can all overlap, but ultimately there could be divergent visions of how the government can best solve these problems. So, we are going to be trying to dig into this and talking to a number of different folks, but I would like to get your opinion. How would you suggest as lawmakers we balance these interests and create a plan that can satisfy the core concerns of all parties? Because we have this balancing act that we have to do but we need to--we want to help you also, so how would you suggest we do that? Mr. Noonan. Yes, sir. So from the law enforcement perspective--and that is what I can provide to you--I think it is important and it is critical for companies that have been exposed, companies that have knowledge of a potential breach, to bring that to law enforcement's attention. Law enforcement, at that point, is critical in the fact that it can, obviously, collect evidence to try to make a difference, make a physical arrest of a criminal. But I think it is also important that at that point in time, is when the information-sharing piece begins. 
Because if law enforcement is brought in early and we are able to draw the cybersecurity concerns out of the investigation, the evidence out of that, and we are able to take that information, we are able to minimize that information and protect the victim. We are able to then share that information with my partners over at the NCCIC and get that out to the greater infrastructure of this Nation so that they can better protect themselves from an additional potential attack to other pieces or other avenues of infrastructure. Mr. Meeks. Should the notification that goes out to you, go out to the consumer or the customer at the same time? For example, I was just wondering how long do most companies wait before they even notify you and/or notify the customer that their sensitive personal information may have been breached. Mr. Noonan. I would agree, sir. I think that it should be in a short period of time that the information should be put out to the customers. I, too, fell victim to a data breach as well, where it was inconvenient for myself and my family. So I think I am able to better respond as a customer to help support my family, but I think there is also a law enforcement concern there, as well, where there are situations and there are points in time wherein law enforcement may or may not need a window of opportunity to run operations to determine what has happened or who is behind the effort or the attack. Mr. Meeks. Let me just also, in that regard, ask Mr. Zelvin a question. I know in your testimony you also talked about the various virtual currencies as a means of laundering illicit proceeds, and I was wondering whether or not the Secret Service or other regulators have taken any action to address some of those concerns? And in your view, do regulators have--do you have sufficient authority to address the risk that these currencies pose as identified in your testimony? Mr. Noonan. Yes, sir. 
Just as early as last year the Secret Service, along with HSI and IRS, was successful in taking down a virtual currency or a digital currency called Liberty Reserve. Liberty Reserve was one of those digital currencies which the criminal underground used in which they would launder their money anonymously, and we were effective in taking that marketplace out of the criminal underground, as well as we were able and successful in arresting the people who were behind the setup of that operation. So it is more important than just taking the operation off, but we also arrested the people behind it. Mr. Meeks. Thank you. Really quick, Mr. Zelvin, what about individual criminal activity outside of the United States? What can be done to go after these illicit actors? And what tools do you have to ensure that foreign individuals are also held accountable? Does that fit within our-- Mr. Zelvin. Ranking Member Meeks, that is a question I would recommend for the FBI and the Secret Service--I will talk from the US-CERT perspective. We work with 200 like-minded CERTs around the world. We are in contact with them in many cases on a weekly basis and we are able to work our mitigations. I was in London about 3 weeks ago, and when we were meeting with our counterparts, they said the point-of-sale product that we had from US-CERT was very helpful to them because they were bringing it to their industries, because what had happened here in the United States they felt was probably happening in the U.K. and around Europe, and this was instructive for them, as well. Mr. Meeks. Thank you. Chairwoman Capito. Thank you. Mr. Pearce? Mr. Pearce. Thank you, Madam Chairwoman. I appreciate both of the witnesses being here. Mr. Rothfus and I have decided we are going to cut up our cards right here among us while we are listening to you, so if you have any scissors, pass them on up. Mr. Zelvin, has the CFPB called you all? Are you all working with them in any way? Mr. Zelvin. Congressman, the CFPB? 
Mr. Pearce. Yes. Mr. Zelvin. The Consumer Financial Protection Bureau? Mr. Pearce. Yes. Mr. Zelvin. No, we haven't been in contact with them directly. Mr. Pearce. Mr. Noonan? Mr. Noonan. No, sir. Mr. Pearce. No. They are collecting 990 million records. Target lost 40 million. They are collecting 990 million. It seems like they would be calling the Nation's best to say, ``What do we do for data security?'' Amazing. What kind of protection is available against a Snowden-type attack? In other words, he is working inside and pulls those records, downloads a three-mile-high stack of records, and is there any protection? Either one of you? Mr. Noonan. From the Federal Government standpoint, when we are talking about retail-type positions, there is nothing that we have that would stop an insider threat. Mr. Pearce. I guess I didn't make it clear. The CFPB is-- would be parallel to the NSA. I don't want to carry that analogy too far, but they are a government agency and they are collecting a massive amount of data--massive--almost a billion credit cards. And so I guess I am interested in if somebody inside the agency wants to release documents, like Mr. Snowden was inside the agency, it wasn't planned, and the agency didn't approve of it, so is there any protection for the Snowden-type attack from inside the agencies? Mr. Zelvin. Congressman, I can answer the question broadly, not specifically. So broadly, the insider threat is one of the most difficult things we face. I think the one that is probably almost as bad is if somebody was into what we call the supply chain. The ability to defend against the insider threat is developing quickly but we are not where we need to be by a long shot. There are things in the financial community which are leading the way that we are taking as lessons, but as you rightly point out, it is a vulnerability and a weakness that we need to get better on, and we need to do so quickly. Mr. Pearce. Okay. Mr. 
Noonan, your testimony had some numbers in it, but I don't know that I saw the scope. In other words, I saw 4,900-- that is the people that we had--that you have had 4,900 arrests. What is the scope? How many cyber attacks are there each day, roughly? Mr. Noonan. I can't comment on the number of attacks that occur every day. Mr. Pearce. Because it is too secret, or you just don't know? Mr. Noonan. No, we don't compile our data in that manner. We have active investigations, so-- Mr. Pearce. What would you guess? Hundreds of thousands a day? Is that too high? Mr. Noonan. I think there are cyber criminals who are probing our systems every day. I think every moment, they are probing our systems. Mr. Pearce. Yes, every day, hundreds of thousands, and I suspect that your agency is probably strained for resources. To put it in perspective, in your testimony you talk about the 11 that you have indicted; how many convictions have you been able to get through the system? Mr. Noonan. Numerous convictions. We have had-- Mr. Pearce. Numerous. How many? Like 20,000? Mr. Noonan. No, sir. Mr. Pearce. 22,000? What is numerous? Mr. Noonan. I would say that it is in the range of several hundred a year. Mr. Pearce. Several hundred. In the paragraph right above where you are talking about the 11, you are talking about how one system has 80,000 users. That is an illicit system--80,000 users and we are getting 11. That is absolutely frightening, the scope that is coming at us and the system is, again, very difficult to work in, with almost no protections against inside attacks where people knowingly download and give away information. Snowden gave away, again, 1.8 million documents, and I just--I worry the CFPB has not even talked to you. Mr. Cordray got somewhat offended at the line of questioning and began to rewrite the question. 
I didn't accuse him of--going to do it, I just said that any agency--this information is widely viewable by almost everybody in the agency and widely accessible, and yet they haven't even called the best people in the Nation. I would recommend that the next time we have the CFPB come in and sit down and talk about the protections, maybe they have better operations than these two guys were able to present, but I find it stunning that they have not even contacted either one of you. Thank you. I yield back. Mr. Luetkemeyer [presiding]. Thank you. Now, the Chair recognizes the gentlelady from New York, Mrs. Maloney. Mrs. Maloney. Thank you so much. And I feel this is an incredible challenge for our country. Just talking to four friends on the panel, all four of us have had our identity stolen. The fact that 40 billion people lost their--40 million, I guess it was, from Target. That is staggering. So the cost to individuals, law enforcement, and institutions is absolutely huge. One of the problems I see is that the reaction time is so slow. By the time we put something in place, say the data breach chip by 2015, the hackers will have gone on to the next stage of how to hack that. And it seems to me the next phase is going to be online. Most of the transactions are online. So the tokenism idea and technology seems the most promising to me. When you do find a breach, Mr. Noonan, and you said that you are sometimes the first to notice it--who do you notify? Do you notify the financial institution, the consumer, or the retailer, or all three? What do you do when you notice a breach? What do you do? Mr. Noonan. It depends on who the victim is, ma'am. If it is a retailer, we would obviously contact the security department of that retailer and we would suggest to them different steps to look at their system to be able to determine if, in fact-- Mrs. Maloney. Okay. Do you tell them to also notify the bank and notify the consumer? Who does-- Mr. Noonan. Yes, ma'am. Mrs. Maloney.
Okay. Mr. Noonan. So the part we would do is we would have them work closely with the financial institutions and the processing system which they use. Mrs. Maloney. Now you also said that--and also retailers have said--that the reason that they don't immediately disclose a data breach is that public disclosure would hinder law enforcement efforts to catch the criminal. Is that true? Mr. Noonan. Not in all cases, ma'am. Mrs. Maloney. And why would public disclosure hinder an investigation? Mr. Noonan. Just at a point in time where there was potentially an undercover operation, it could hamper the conclusion of that undercover operation. So the time that we are talking is a very small window of time. Mrs. Maloney. I believe most public policy and resources are directed when we have good data, so who is keeping the data on how big a problem it is in the United States? It is huge in terms of the national security and financial security and economic security of our country. Somebody has to be tracking the overall picture of the extent and the depth of it and the techniques. Who is doing that if the CIA is not doing it? Who is doing the overall--we have to be collecting that data in a broad way to analyze trends and movements. Who is collecting that data? Somebody has to be collecting it. If they aren't, then someone should be. Who is collecting that data--the FBI, the CIA, Homeland Security? Mr. Zelvin. Congresswoman, let me answer the question this way: We are all collecting data in areas in which we have the ability to see the information. Mrs. Maloney. Okay, but then who is getting the overall picture for our national security and economic security? Mr. Zelvin. Again, it is being looked at by Homeland Security. We in the NCCIC look at the overall picture. But it is a matter of looking at the Internet service providers, and managed security service providers, and others, and taking that data and aggregating it. 
But I will tell you that we still don't have the visibility on everything. It is still just a snapshot. But those snapshots are useful because they show trends and then our ability to provide mitigations. So if you look at these security reports that Mr. Noonan has here, they will talk about things like spearphishing and man-in-the-middle attacks and all these other things, and we are defending against those things, so we have a lot of work to do as we take this data to build security measures so they are not successful. But that aggregation, it doesn't exist; we are just compiling data from a lot of sources. Mrs. Maloney. Before 9/11, we had 18 different intelligence organizations working independently, not sharing their information. The most important reform was that we created the Department of Homeland Security and combined all of our intelligence so we are working in a coordinated way. We have to do the same thing with cybersecurity. Somebody has to be in charge of the overall picture. And I know everybody is doing a good job in their department, and I would say the private sector is doing a pretty good job, too. Who is coordinating with finding the top things the private sector is doing with the top things the government is doing? This is a number one national security issue; it is not just an economic issue. And so, who is doing that? Is it Homeland Security? Somebody has to be pulling it all together. Who is in charge of doing that? Mr. Zelvin. Congresswoman, I will tell you, I think it is our responsibility at the NCCIC, as you describe it, to bring that all together, especially on the network defense side--so to be able to work with the private sector; to work with the critical infrastructure sectors; to work with State, local, tribal, territorial; to work with our international partners. That is what we are doing on a daily basis. Last year alone, the Center had 240,000 cyber incidents reported to us. 
But again, that is probably a fraction of the greater whole. But our numbers are increasing upwards at about 60 percent a year as far as-- Mrs. Maloney. And is the private sector also sending you their information? Mr. Zelvin. Yes, Congresswoman, they are, but it is done on a voluntary basis. They have no requirement to do so. The Federal Government has requirements to report to US-CERT under policy and other requirements, but the private sector reporting is voluntary and that is why one of the initiatives that has been asked for is the data breach reporting requirement. Mrs. Maloney. Okay. Thank you. Mr. Luetkemeyer. I thank the gentlelady. With that, it is my turn to ask the questions, so the Chair now allows himself 5 minutes to engage the witnesses, as well. I want to follow up on Mr. Pearce's comments with regards to the CFPB. I was kind of stunned, taken aback that you gentlemen hadn't heard of or weren't aware of the CFPB, and I would certainly echo the concerns of Mr. Pearce from the standpoint that in committee, they actually testified themselves that they have access and take in at least 80 percent of the credit card transactions per day that occur in this country. That sort of access, that sort of accumulation of data in one agency is, quite frankly, scary. You are looking at what happened with Target and Neiman Marcus and some of the other merchants, and now you have a government agency that has 80 percent of all the credit card transactions going on in this country on a daily basis accumulating in their files and they are not coordinating with each of you? That certainly scares the dickens out of me, so I would certainly urge you to contact those folks and see once if there is a way that you can coordinate with them to see if there is something that they find which needs to be checked out.
With that, I was curious--I assume that you have jurisdiction to go to any individual company or group or industry, whatever, if there is a challenge or some sort of a cyber breakdown within that group that deals with personal information. Is that correct? Mr. Noonan. The authority to go actually into the organization itself? Mr. Luetkemeyer. Yes. Mr. Noonan. We would use the court process to be able to work with that company so-- Mr. Luetkemeyer. Okay. Mr. Noonan. --if somebody was reluctant or there was a company that was reluctant, we could potentially use the court process to do that, sir. Mr. Luetkemeyer. The reason I asked the question is that when--we are talking mostly this morning about financial institutions and merchants, but there are other entities out there that have personal information, sometimes have monetary transactions that occur. One of the things, for instance, you are looking at different kinds of, for instance, schools, associations--I kind of made a list here of other groups-- hospitals--medical information is huge these days, as well as credit bureaus. So have you taken any actions or coordinated with any of those kind of groups before with regards to this? Mr. Noonan. Yes, sir. Again, through our electronic crimes task forces, we would be partnering with those different institutions, as well. We go after any sort of cyber criminal which is seeking to benefit through the monetization of whatever that they are trying to accomplish or steal. So in many of these situations that you have brought up, personally identifiable information is a piece that is of great concern to us, which the criminal underground can monetize and gain from. So any opportunity that we can work with a potential victim company before it occurs or as it has occurred to be able to go at those cyber criminals who are-- Mr. Luetkemeyer.
One of the reasons I bring that up is a lot of those folks, for instance, are not as aware of the ability of somebody to get into their records because they probably don't deal with financial matters as much. But yet, they are probably more at risk than anybody else because their systems probably aren't protected as well as, I would think, for instance, financial institutions. So, just kind of an observation. One of the questions I also had was, what about penalties? Do you guys ever catch anybody? How many folks have you caught in the last 5 years? Mr. Noonan. As a matter of fact, yes. I am talking about international, the higher-level cyber criminals. Going back, starting in 2005, the Secret Service successfully arrested Roman Vega out of the Ukraine. He was sentenced to 18 years, sir. In 2008, out of Estonia, Alexander Suvorov was sentenced to 7 years. In 2010, Russian Israeli citizen Vladislav Horohorin received 88 months, and Igor Shevelev, a citizen of the Ukraine, was sentenced to 13 to 40 years in New York. Mr. Luetkemeyer. Are they serving time in the United States? Mr. Noonan. They are serving time here domestically, sir. Mr. Luetkemeyer. They sound like they are all--and you indicated they are all from foreign countries-- Mr. Noonan. They are all international, transnational-- Mr. Luetkemeyer. Okay. Mr. Noonan. --cyber criminals that we were able to successfully arrest internationally, and have extradited back to the United States where they are serving their sentences domestically here in the United States-- Mr. Luetkemeyer. Now, are there other tools or other things that you need to be able to do your job better or to have better access to be able to bring charges against individuals? Is there something we need to do to help you do your job better? Mr. Noonan. 
Sir, what we are doing, which is bringing great success in the arena of going after international cyber criminals, is our partnerships with our international law enforcement partners as well as the international offices that we have and the international working groups that we have overseas. Because cyber crime knows no borders, we think it is important to be working outside of our own borders and developing these partnerships. So anything that we can get--continue to grow in the area of our international partnerships is where we find value right now in bringing these targets to justice. Mr. Luetkemeyer. Okay. Thank you. My time has expired. Mr. Noonan. Thank you. Mr. Luetkemeyer. With that, we will recognize the ranking member of the full Financial Services Committee, Ms. Waters. Ms. Waters. Thank you very much. And I ask unanimous consent to submit my opening statement for the record. Mr. Luetkemeyer. Without objection, it is so ordered. Ms. Waters. I would like to thank our witnesses for being here today. We are also very interested in this subject, and I think that there was a bipartisan effort to support this hearing. I would like to know, in light of the fact that the intrusion of Target came through a set of compromised vendor credentials, what, if any, updated guidance is being given to companies to heighten their due diligence of vendors to ensure they are, in fact, legitimate actors? Mr. Noonan. So surrounding the information of the potential--of the attacks that have occurred over the past several months, as we learn information on those attacks we are able to learn what criminal tools the perpetrators are utilizing. We take that information, and we analyze that information with the help of the NCCIC, and the NCCIC is the main operation that sends out the information to other industry. 
It is also partnered closely with the FS-ISAC, which is the Financial Services Information Sharing and Analysis Center, to take the information learned and push the tactics and trends of what is happening out to industry. And Mr. Zelvin could probably comment a little bit more on exactly how they are doing that. Mr. Zelvin. Yes, ma'am. We got the malware, or the malicious software, from the Secret Service. We analyzed it. We actually put out three different products. Informational products--the first one went to law enforcement so they could go out and hopefully find the actors who did this. The second one was a more technical product that went out to cyber defenders not only at the financial services companies and the retailers but also to the cyber defense community, managed security service providers, and Internet service providers, but the people who really understand one-zeros and backslashes and hashtags. Lastly, we have on the US-CERT Web site for consumers and the general population guidance on what they can do to protect themselves, and if they have been a victim, what they can do to recover from these events. Ms. Waters. So you do have some specific vendor information so that these companies can make a decision about whether or not they are credible vendors? Mr. Zelvin. Yes, ma'am. The government has put out information, the Financial Services ISAC has put out information, and also, the industry writ large is working hard at the problem. So, it is being attacked from a number of areas. Internationally, I will tell you we have gotten some focus there in working with our partners, because this is a global problem, not just a U.S. problem. Ms. Waters. I would like to ask Mr. Noonan a question about Attorney General Eric Holder's recent urging of Congress to establish a national standard for notifying Americans of data breaches in light of the theft, of course, of customer data at Target and other major retailers. 
Would you support a national breach notification standard? And if so, do you have any specific recommendations for how that should be crafted? I heard what you just said about all the things that are being done, but I think what is being urged by Attorney General Holder is a little bit different. Are you familiar with that? And what do you think? Mr. Noonan. Yes, ma'am. The Secret Service does support any initiative which would bring a data breach to the attention of a law enforcement agency with jurisdiction to be able to help bring criminals to justice and also to help in the aid of information-sharing. Ms. Waters. So you would consider that Congress does not need to establish a national standard for notifying Americans of data breaches? I appreciate that you have come up with some ways to approach this, including the notification of Americans, but there is nothing in law where we have set a standard. Do you think Congress should do that or could be helpful to you in doing that? Would you want to put something like that together as a recommendation for us to place in law? Mr. Noonan. Yes. Absolutely. Ms. Waters. Okay. Mr. Zelvin? Mr. Zelvin. Ma'am, I would absolutely agree. Last year at the Center, we had 240,000 incidents reported, but we know that is only a fraction of what is actually happening out there. There is no requirement. We would be supportive of that. We think it should be a public-private discussion to build what is the most appropriate way to come up with that standard, but we would support it. Ms. Waters. Thank you so very much. Mr. Chairman, I yield back the balance of my time. Mr. Luetkemeyer. Thank you. With that, we recognize the gentleman from Alabama, the chairman emeritus of the full Financial Services Committee, Mr. Bachus, for 5 minutes. Mr. Bachus. I thank the gentleman from Missouri. The Target incident has focused a lot of attention on data breaches at the point of sale, and I will ask Mr. 
Noonan, does the National Computer Forensic Institute (NCFI) have experience with these type of cases, and are there any lessons we can draw or any successful prosecutions? Mr. Noonan. Yes, sir. NCFI is an operation where the Secret Service brings State and locals to understand cyber crime the same way that Secret Service understands cyber crime. We teach them computer forensics; we teach them network intrusion capabilities; we teach them cell phone forensics, as well, and a litany of other courses to bring State and local law enforcement to the same level of understanding of cyber crime as the Secret Service. We utilize that facility as a capacity-building to help local law enforcement understand and be able to go after the small and medium-sized compromises, as well. A great success that we have out of the NCFI is a case in which a national restaurant chain was compromised in the same way that Target was compromised, through a POS case--intrusion case. Our office in Manchester, New Hampshire, worked this case and they worked it with the support of State and local law enforcement. And it was the State and local law enforcement that we were able to train at NCFI in understanding the forensics that were going on that actually were critical in bringing, in that case, three international, transnational cyber criminals to justice. So it is a force multiplication effort of the Secret Service, by training State and local law enforcement that are in your communities to have the same level of training, the same level of tools that the Secret Service has to go after these types of criminals. Not to mention that State and locals can't use that same equipment and that same training to do other types of cyber crime that is important to them in their communities, as well. 
So we know that agents or officers that we have trained and detectives that we have trained have also used those skills to bring homicide suspects to justice, pedophile suspects to justice, and a litany of other suspects. It doesn't stop at State and local law enforcement. We also have trained numerous State and local prosecutors as well as judges at that facility. So in the past 4 years, we have trained over 2,000 State and local members there. Mr. Bachus. Let me ask both of you this question, and it really goes into what Congresswoman Waters was saying: With Target, they delayed announcing anything until a blogger basically put on his blog that there had been a security breach, and then they disclosed the 40 million on their debit cards. But I think, Mr. Zelvin, you may have referred to this, they didn't report the 70 million on the personally identifiable information, which actually is almost a worse problem than the credit or the debit cards, because you can change the debit card. They didn't change the PPIs, and it is pretty hard to change your address or your grandmother's maiden name or the community you were born in, which are all used for passwords, so, there was all kinds of information. You are probably not going to change your phone number, and so those things are pretty difficult. And there has been a lot of discussion, and I have advocated before for some uniform Federal standard for disclosing this information--who you disclose it to and the timeframe. Because right now, they operate under--it depends on what State, and the disclosure laws are all different in different States. So if you would like to address the need for a--what we will call a uniform Federal standard? Mr. Zelvin. Congressman, I think one of the better examples is on the Federal side, the dot-gov side, the Federal departments and agencies, at least in the Executive Branch. 
You have a requirement to report if you had an intrusion, if you had a denial of service, if you have had a number of cyber events. That doesn't exist outside the dot-gov domain. So it really is incumbent upon that company to decide what they want to do and how they want to do it, and I know they talk about it at the highest levels, they bring in their security professionals who bring their attorneys, and then there is a decision made and the decision is either to disclose or not to disclose. They have to make a risk management decision of whether or not it is better to say something. I think we would--what I worry about is someday there could be that cyber 9/11, Pearl Harbor, whatever your analogy is, and the Congress will be asking, ``What do you need?'' This will be top on our list because if we don't know, we can't help to protect and secure the Nation. Mr. Bachus. Mr. Noonan? Mr. Noonan. Yes, sir. I would agree that a lot of times companies have to make a decision based on--they do make a decision based on a business need as opposed to what is right for the victim. Mr. Bachus. Right. Thank you. Chairwoman Capito. The gentleman's time has expired. Mr. Scott? Mr. Scott. Thank you very much. In light of everything that has happened, do each of you believe that our retailers are held accountable and responsible for cybersecurity at the same standard and level as our financial institutions? Mr. Zelvin. Congressman, let me answer your question this way: We don't have national standards; we are building them now. That is part of the President's Executive Order and-- forgive me--let me make sure I get the name right--there is the Cyber Critical Infrastructure Community Voluntary Program, the C3 program. Mr. Scott. But don't our financial institutions have standards now? My point is that, are the retailers held to that same level as our financial institutions? 
Because quite honestly, if not, much of what we are doing here is in vain: 110 million Americans have suffered mainly because, in my humble opinion, retailers are not held to as high a standard in this issue as the financial institutions, and it is critical that we get those two on the same page quickly. Mr. Zelvin. Agreed, sir. The standards can be legislated; they can be put out by regulators; they can be enforced by the industry themselves. And I think your point is there are certain places in industry where they don't have standards and it would be very helpful to do so. Mr. Scott. Let's talk about that for a moment because, as you notice from the questions from our committee, we are eager here in Congress to respond to this issue. This is almost like a Poseidon tidal wave coming at us. As you rightly point out in your testimony, there are now over 2 billion Internet users. There are over 12 billion computers and other instruments that are used, and satellite devices, and so forth. And in the next 10 years that is estimated to possibly double. So the issue becomes, can we win this? Can we with this battle? That is especially true because not only--even if we just existed over the next 10 years at the same level of sophistication of these technical devices, which we have become sort of servants to instead of servants to us. So the question becomes, with the rapid advancements in technology--just think: Ten years ago, we didn't have what we have now, and what we have now, my God, is going to be ancient 10 years from now and we are going to have double the people with it. So I think the American people are looking for some confidence here that their vital security is at stake, and then more than that, the Nation's security is at stake. Let me ask you an interesting question, Mr. Noonan. What was very interesting about your comment, because I wanted to get to--you said you caught some people and you mentioned sentencing of these people. 
Are there any possibilities for parole in this or negotiation or anything like that? Mr. Noonan. In the Federal system, my understanding is that there can be downward departures of sentences, but not that I know of as-- Mr. Scott. That is interesting. Why so? Because you see, these national conspiracies, as you so aptly put it, are very sophisticated. And it could be that they are even more sophisticated than you or us or where we are. So why are there plea agreements? Why don't we have stiff, hard criminal sanctions and put these folks who do wrong in jail for what they are doing to the country? The other point I wanted to ask is that you mentioned that all of these were foreigners attacking us. Now, that begs the question, why aren't they attacking--I don't want them to attack France or Germany or Great Britain--but the question is, why us? Is there something that these other nations are doing that deters them, and we are vulnerable where other nations aren't? Is that a possibility, since the only ones that you have been able to get ahold of and put away, hopefully for a while, are foreigners? Mr. Noonan. Sir, we know that these cyber criminals are not just attacking the United States. This is a global issue. This is not just a national issue to the United States; this is a global issue. These particular criminals are attacking wherever they can find wealth and monetize that data. Mr. Scott. How are we doing compared to these other nations? Are these other nations putting them away as they should? Is there coordination with other nations? Mr. Noonan. Yes, sir. We are coordinating very closely with other nations. And to be honest, we have a very, very rich success rate of getting some significant, stiff sentences. Albert Gonzalez was a domestic target that we arrested in the TJX and Heartland Payment Systems breach. He was sentenced to 20 years in prison here in the United States. We also have a litany of other huge sentences. 
I brought up earlier Roman Vega out of the Ukraine was sentenced to 18 years in prison. Recently, out of Romania, Mr. Oprea was sentenced to 15 years in prison here domestically for, again, point-of-sale breaches we are talking about today. Chairwoman Capito. The gentleman's time-- Mr. Scott. And the national breach law is what you recommend we do? Mr. Noonan. Yes, sir. Mr. Scott. Okay. Chairwoman Capito. Thank you. Mr. Stutzman? Mr. Stutzman. Thank you, Madam Chairwoman. And I thank both of the witnesses for being here today. I would like to follow up just a little bit on the questions that you just talked about in, I guess, retailers. I come from a small business background and have small business-- or a retail small business as well, and obviously any sort of credit card is a convenience for both consumer and for the retailer, but the role that retailers play--granted, I am small, but there are large retailers out there. Can you share with us a little bit of what--how is that data stored? Do they keep that data? For us, we don't--we have no interest in it other than the transaction, and so I guess I am trying to follow up and understand why would we expect the retailers to be held to a different standard--or at the same standard as the financial institutions? Is there an effort out there by retailers even trying to do that? I guess I would be concerned about that to some extent, because the more information that is held in different groups' hands, the more opportunity there is going to be for breaches. I don't know if either of you had a comment on that? Mr. Noonan. Yes, sir. Actually on your next panel you have a witness from PCI who is going to be able to discuss some of those issues, but regulations have changed over the course of the years, so back in 2005, TJX intrusion happened where cyber criminals were able to go after a database where retailers were able to, at that time, store credit card data unencrypted in servers. 
So, the criminals were able to exfiltrate a whole database of stored credit card data in 2005. Because of that intrusion, industry changed. No longer can you store credit card data on a database within your system. So what the criminals then did is they looked at, where is the path of least resistance, and they attacked Heartland Payment Systems, which was a credit card processing company. Credit card data during that period of time crossed over the system from the retailer to the credit card processing company to the bank, and in that system it was not encrypted data during that period of time. Again, after that intrusion happened, the standards changed and from point to point credit card data and data information had to be encrypted. Today, the criminals are going after, again, where is the edge of the fence? So, they have gone after the point-of-sale systems. In domestic retail shops, from the point that you swipe your credit card at the terminal, that data goes to a back-of- the-house server, to a computer in the back that you see it, it is probably in the storage room or something of that nature. And that data, from the point that it is swiped at the keypad to the back of the computer, that is where it is vulnerable and it is not encrypted. Once it hits that computer and goes through the processing system, that is where it is encrypted and protected. So what happens is continually we change the standard and these complex, sophisticated criminal actors are going to go after and have been going after this data in whatever they see as the most advantageous, weakest point in the system. Mr. Stutzman. So are you saying that typically, the weakest point is through retailers' entry points? How do they use the retailers' entry points? When I am swiping a card, are they able to follow that data from-- Mr. Noonan. 
What they have done is they have actually installed malware into the computer system where it makes the switch from the swipe into the encryption piece, so before it is encrypted they have malware which actually captures the data at that point and exfiltrates the data back out to a different system where the criminal is able to collect it. Mr. Stutzman. Do retailers have the ability to--is there software out there that can prohibit that sort of activity, or what could retailers do to protect that information? Mr. Noonan. I am unsure at this point. That would be an industry question to bring up, sir. Mr. Stutzman. All right. Thank you. I will yield back. Chairwoman Capito. The gentleman yields back. Mr. Heck? Mr. Heck. Thank you, Madam Chairwoman. I would like to begin by asking unanimous consent to enter into the record the letter dated January 10, 2014, from 17 signatories to Chairman Hensarling requesting this hearing. At the same time, I would like to express my public appreciation to you for conducting this hearing. Chairwoman Capito. Thank you. Without objection, it is so ordered. Mr. Heck. Thank you. Mr. Noonan, it is a little hard to look at this phenomenon without coming away with an answer to the question of, ``Are we winning or losing?'' of, ``We are losing,'' at least as measured--not in terms of the number of attacks, but the number of successful attacks and the dollar amount that has successfully been effectively stolen. So for those of us who aren't especially geeky, among whom I would count myself, can you put this in the simplest terms possible: What is the most important takeaway for those of us sitting here about what it is we can do as Members of Congress to help change that trend line? What is the most important action we could take, policy we could enact, in whatever form, to help? Mr. Noonan. 
It is my belief that if Congress were to assist in coming up with a reporting requirement where if there is a data breach or a company has knowledge of a data breach, that they were to bring that to law enforcement's attention. That is my perspective. That is the Secret Service perspective. Because we are able to, at that point, help with the information- sharing piece that has to go forward to better protect what is going on after the fact. In other words, it is best for industry to have a point of contact at law enforcement--I make the analogy with a fire: Don't wait until your house is on fire to have the phone number to the fire department. If industry partners with law enforcement and already has a personal, a trusted relationship with law enforcement, we, law enforcement, are better able to assist a victim company walk through the process. And in doing so, we are able to grab and gather the cybersecurity-related information and share that, then, with the greater infrastructure in an effort to prevent other attacks. We use, again, a number of different efforts to share that information. We use the NCCIC, where they are able to push it out through their sources to greater industry. We are able to use our electronic crimes task forces. We are able to push that out to our trusted partners in the private sector as well as academia. And we are able to use our partners at the FS-ISAC to be able to take that information and push it. So I think the important part of this whole mechanism that we are talking about is the information-sharing apparatus of when a breach does occur, what can we learn from that breach, and how can we share that information to prevent others? Mr. Heck. I want to ask a follow-up corollary to that, which is really a follow up to the question--he has left now-- Mr. 
Luetkemeyer asked, which I didn't think you answered; I didn't think you were evading it but I didn't think you actually answered it, and I really thought it was a very good question, especially given that the nature of this activity does not respect boundaries of countries whatsoever. He asked you, ``What could we do to help you be more effective internationally?'' And basically what you said is, ``Well, these international partnerships are really important to us.'' But the question, sir, is, what can we do to help you be more effective as it relates to your ability to engage in effective enforcement internationally? Mr. Noonan. You can continue to support the Secret Service in our efforts of continuing to expand our presence in our international field offices and expanding that footprint. You can help us in furthering our international working groups that we have. We have working groups in the Ukraine; we have international working groups-- Mr. Heck. Just use one example. Mr. Noonan. I'm sorry. Mr. Heck. I got it. I have one other question that I want to ask, and I apologize-- Mr. Noonan. Sure. No problem. Mr. Heck. --for interrupting. I want to go back to Target. It is my understanding that neither Target-branded debit cards or credit cards were breached, or successfully--and first of all, I would like to know if I have accurate information in that regard. And if it is true, what was the difference? And is there a lesson to be learned there if it is true? What were they doing such that information wasn't used against-- Mr. Noonan. Sure. So, I just checked, and that information is not accurate. Those cards-- Mr. Heck. They were breached. Mr. Noonan. --were breached as well, so that was taken. Mr. Heck. Thank you. Mr. Noonan. Yes, sir. Mr. Heck. I yield back the balance of my entire 6 seconds. Thank you, Madam Chairwoman. Chairwoman Capito. The gentleman yields back. Mr. McHenry? Mr. McHenry. I thank the chairwoman. 
I just have a broad question for both of you, and if you could answer this. I read news reports that merchants and universities are finding out about data breaches from the government, from financial institutions, from credit card companies, banks, the whole lot. Why are merchants failing to detect those security breaches? Mr. Noonan. I can't answer why they are not detecting the security breaches, but law enforcement as well as other parts of the private sector--banks, processing companies--have a unique perspective of looking at compromised data. So we can be working with bank investigators--you can take any bank for example--and when they start seeing different anomalies with their customer base of reporting fraud losses, the initial point of report is going to be back to the bank investigator or back to the bank. So when they start seeing high percentages of fraud loss coming from the same merchant or the same retailer, that is a concern, so they would either bring it to law enforcement's attention or actually bring it to the retailer's attention at that point. So not necessarily would the retailer have the exposure themselves of that-- Mr. McHenry. Okay. But to that end, Mr. Noonan, when you announced the data breach with Visa and Target in August of 2013, right, it was made public then. Am I right on the timeline? Mr. Noonan. Negative. On Target? It wasn't until December at some point. Mr. McHenry. Okay. So when did you all identify the malware for that data breach? Mr. Noonan. The data breach, when it was brought to--when we were working closely side by side with the forensic examiners that--the third-party forensic examiners that Target had hired, within a week we were able to have that data and be able to push that out to-- Mr. McHenry. So, you turned it around in a week's time? Mr. Noonan. Yes, sir. Mr. McHenry. Okay. 
So on the next panel, we have a witness from the Financial Services Information and Sharing and Analysis Center, and they are going to--they are actually conducting a study which, ``engages machine-to-machine threat intelligence exchange in a way that will more quickly inform financial infrastructure front line operators and aid their preventative and incident response decision-making.'' They are calling this the Cyber Threat Intelligence Repository. Are you both familiar with this initiative? Mr. Zelvin. We are, sir. At the NCCIC, we are one of the leading proponents and creators of the STIX and TAXII framework to which you are referring. Mr. McHenry. So will this speed the response? Tell us the value of it. Mr. Zelvin. Sure, Congressman. I think one of the best ways to highlight this is in September 2012, our financial sector was being attacked about 3 times a week with something called ``distributed denial of service attacks.'' We were getting information by the hundreds of thousands, and technical information. We were getting those--and I am going to use some generalisms just to illustrate the point--in PDFs, so, in a very user-unfriendly format for a cybersecurity defender. We started using spreadsheets like Excel, which was a little bit better, but there are a variety of different data formats that companies use so there wasn't a one-size-fits-all. The STIX and TAXII format will enable to us adjust the information so somebody doesn't have to e-mail it, we don't have to process it, we then e-mail it back. This will do it in an automatic way so what had been taking us days that we got down into hours will hopefully take us seconds. Mr. McHenry. So you move from PDFs to Excel-- Mr. Zelvin. To a machine-to-machine format that will take the human out of the equation. Again, it will be up to the-- where the destination goes how they are going to want to process-- Mr. McHenry. 
My time is short, but can you tell us the legal restrictions that prohibit greater data-sharing? What are the things we could do to make the dissemination of data better?

Mr. Zelvin. Congressman, I am going to highlight something that is--the question that was asked of Mr. Noonan, and you may have asked it. One of the things that we would really ask Congress to do is just better define clarity on information-sharing. What is information that the private sector and others can share with us? I will tell you, we meet with a lot of C-suite executives, the security folks, and they say, ``By all means, government, here, you can have this information. Proliferate it widely. Others are being attacked. This will help us all.'' Then they have others in the company who are giving good advice--their lawyers--saying, ``Look, there is no legal means that allows this. We are assuming some risk, some liability here.'' If we could get some clarity as to what can be shared with us and have that in law, that will really speed the process. And also, it should be respectful of privacy and civil liberties. We should not do this without having some governance on us, but it should not stop us from doing it, either.

Mr. McHenry. I thank the chairwoman for her advocacy on this important issue.

Chairwoman Capito. Mr. Rothfus?

Mr. Rothfus. Thank you, Madam Chairwoman. In Pittsburgh, we are fortunate to have premier academic institutions like Carnegie Mellon University and the University of Pittsburgh right at our doorsteps. Both of these universities are doing exceptional work in the area of data security. And, Mr. Noonan, you highlighted in your testimony the work of Carnegie Mellon. As you, I think, would both agree, we need to be using these great resources in our fight to combat data-breachers. I am wondering, Mr. Noonan, if you would elaborate a little bit on how the Secret Service--and then, Mr. Zelvin, if you could perhaps comment on what DHS has been doing with these and similarly situated universities around the country?

Mr. Noonan. Yes, sir. Thank you. The University Carnegie Mellon, we work closely with their Software Engineering Institute. We actually have a full-time agent who is assigned there, so he is sitting at Carnegie Mellon, partnered with them. Through academia and observing what is occurring in a lot of these cyber incidents, we are able to develop other tools--technical tools--which the Software Engineering Institute is able to help us identify different situations, different forensic solutions, different ways of looking at data, which better helps us do our cases, our investigations, our information-sharing. Like the institution at Carnegie Mellon, we also have representation at the University of Tulsa, where we have the Cell Phone or Mobile Device Forensics Facility, which we worked closely with students--graduate student level students there--and we look at how mobile devices can be affected by criminals. We take highly complex criminal cases and we push them to our agent who sits with the University of Tulsa to examine how to get at those forensic capabilities and those forensic hurdles in mobile devices, too. So it is very important for us to team with academia to decide what is on the horizon of the next threat.

Mr. Rothfus. Mr. Zelvin, is DHS similarly engaged with the academic institutions?

Mr. Zelvin. Congressman, we are. Carnegie Mellon is one of our most critical partners in not only understanding threats but also in the mitigation, so it is an intimate relationship and something that we hold in the highest regard.

Mr. Rothfus. I want to follow up a little bit on what Representative McHenry was talking about. I think everyone can agree that effective data security is dependent on a voluntary collaboration between the government and members of the private sector. Key to establishing this sort of trust-based public-private partnership is adequate legal liability protection for private entities that share information with the government. And to that end, could you please elaborate on the current policy regarding legal liability protection for private entities that opt to share threat information with agencies like yours? Maybe each of you can--

Mr. Zelvin. Congressman, that is one of the central issues with sharing at government is the concern of either breaking the law or potentially having court action in a civil case. So, there is great desire on behalf of the Executive Branch to have the legal liabilities in place so one would not be punished for sharing with government. Again, the information should be clarified as to what can be shared, but if you do share that information, one should be able to do so without penalty.

Mr. Rothfus. Mr. Noonan, can you comment on, from your perspective, the current policy with respect to information-sharing?

Mr. Noonan. Yes, sir. I don't believe there is a policy as of right now. So I would concur with Mr. Zelvin. I think there is an issue with companies coming forward so they are given some sort of protection, but I cannot comment on existing policy, sir, no.

Mr. Rothfus. In both of your written testimonies, you discuss the increasingly international nature of the threat landscape and the need for close partnerships with foreign law enforcement agencies. Which countries are you most concerned about in terms of data security?

Mr. Noonan. A number of the international cases that we are talking about today are Eastern European, Russian-speaking cyber criminals. I don't want to affiliate these type of criminals with one particular country because again, there are no borders. We see Eastern European, Russian-speaking cyber criminals who are here domestically in our country that we are able to arrest and bring to justice. We see these types of criminals all over the world.
I say this in the fact that these are the most sophisticated, in our opinion, cyber criminals who are attacking our Nation's financial infrastructure. So as far as saying--in trying to lock it down to a particular country of origin, there is not one in particular. We are seeing them across-the-board. But again, the Russian-speaking cyber criminal is using the Russian language as a form of OPSEC, if you will, to provide some anonymity to them. Because they use the Internet, they are wallowing in the anonymity of the Internet.

Mr. Rothfus. Mr. Zelvin, would you agree with the Russian-speaking actors out there? Are there other countries about which you have particular concerns?

Mr. Zelvin. Congressman, I worry about actors in Asia; I worry about actors in Europe, to include Eastern Europe. It is literally a global threat environment. So on the financial side, I would agree with Mr. Noonan, it is more the Eastern European criminal actors, but there is also extraordinary criminal activity in Asia, as well.

Mr. Rothfus. Thank you. And thank you, Madam Chairwoman.

Chairwoman Capito. Thank you. Mr. Barr?

Mr. Barr. Thank you, Madam Chairwoman. I wanted to kind of know from the witnesses what the worst-case scenario would be. In your all's professional judgment, what would be the greatest cybersecurity threat to America's financial system?

Mr. Noonan. In my opinion, it is a financial services attack that goes unnoticed. So a long, long period of exposure to a financial services sector company is my opinion of what the worst case could be. It is through the actions of law enforcement that proactively go out and seek these out that brings it to industry's attention. And I also think it is important that when industry itself notices it, that they bring it to our attention. It is important for us--law enforcement, the government--to be able to either prevent the attack from happening or see it as it is happening to be able to stop the bleeding from happening. If the bleeding occurs for a long, long period of time and there is a long period of exposure, that, in the financial services sector, would be probably the more important, more area of concern for that sector.

Mr. Barr. Mr. Noonan, what would prevent a victim or targeted company from failing to notice this attack?

Mr. Noonan. In my opinion, it is how advanced these criminal actors are. So when we are talking about significant criminal actors that--you have to understand, when they are going after the financial services sector, they are going into these targeted victim companies stealthily. Their job is to go undetected, because if they are detected and they go into these situations loud and disrupt everything, they are going to lose what their goal is and that is their financial gain; that is their grabbing the data and being able to monetize that data. So if law enforcement and industry learns about the theft of that data and we are able to do something about it, it minimizes the criminal profit in what they are attempting to do.

Mr. Barr. Have we been able to assess or gauge the capabilities of some of these hackers? Specifically, the kind of nightmare scenario would be something along the lines of a hacker being able to erase electronic data from a large financial institution, or worse, effectuate transactions through hacking into a large, systemically important financial institution. Are we aware of whether or not cyber terrorists have that capability at this point?

Mr. Zelvin. Congressman, let me answer that and then maybe go back to your original question. There are actors out there who have extraordinary sophistication, who are patient and are looking for vulnerabilities and are absolutely capable of finding them quickly, and it is just whether or not they have the intent and the access and then the ability. As I look at the worst-case scenario, to answer the first part of your question, I think that if somebody was to find an intrusion in the transactional systems that the financial sector uses, that would be pretty catastrophic. If there is a loss of confidence within the systems themselves where data has been compromised, that would be pretty catastrophic. If consumers lose the convenience that they rely upon, are unable to use their credit cards and their ATMs, that would be pretty catastrophic. There are others but those are the three that really come to my mind. You really get to that high impact, low probability. The sector, the institutions are doing extraordinary work at this every hour of every day. But ultimately, there are vulnerabilities and the actors are using some very creative and clever means to come at us, so you have to be very good every single day because they are trying to come at you every single minute of every day.

Mr. Barr. And in terms of technological advancements in terms of creating defenses to this, there is talk about these chip cards and more extensive use of PINs, particularly with credit cards. But I did notice that in the case of the Target situation, that PINs were procured by the hackers, as well. So how effective is expanded use of PINs as a defense mechanism?

Mr. Noonan. Any added security measure is going to definitely help in the monetization of whatever data is stolen. It would not assist in the theft of the data itself.

Mr. Barr. Right.

Mr. Noonan. Chip and PIN technology will help in limiting the criminal monetization of that data, but it would not help in the theft of that data. That data could still be used on card-not-present purchases.
So a cyber criminal, though he cannot re-encode that data onto a credit card and use that counterfeit credit card, he could go online and type in the 16-digit number and the other information that is exposed there and still accomplish financial loss to the victim bank or the victim institution.

Mr. Barr. Thank you. I yield back the balance of my time.

Chairwoman Capito. Thank you. The gentleman yields back, and that concludes questioning for the first panel. I want to thank both of you gentlemen. I think this has been very enlightening, and I again apologize for the delay and thank you for your patience. You are dismissed. While we are changing over, I am going to ask for unanimous consent to submit several statements for the record from the Independent Community Bankers of America; the National Retail Federation; the National Association of Federal Credit Unions; the American Bankers Association; and the Credit Union National Association. Without objection, it is so ordered. All right. I want to thank the second panel for coming in. We have a second panel of distinguished witnesses. Again, thank you for your patience. I know you have been sitting here, as well, while we had our technical difficulties. Each of you will be recognized for 5 minutes to give an oral presentation of your testimony. And without objection, each of your written statements will be made a part of the record. Our first witness is Mr. Troy Leach, chief technology officer, PCI Security Standards Council. Welcome, Mr. Leach.

STATEMENT OF TROY LEACH, CHIEF TECHNOLOGY OFFICER, PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL (SSC)

Mr. Leach. Thank you. My name is Troy Leach, and I am the chief technology officer for the PCI Security Standards Council, a global industry initiative that is focused on securing payment card data. Our approach to an effective security program is people, process, and technology as key parts of data protection. Our community of over 1,000 of the world's leading businesses tackles security challenges from simple issues--for example, the word ``password'' is still one of the most commonly used passwords--to very complex issues, like proper encryption key management. We understand when consumers are upset when their payment card data is put at risk and the harm that is caused by breaches. The Council was created as a forum for all stakeholders--banks, merchants, manufacturers, and others--to proactively protect consumers' cardholder data against emerging threats. Our standards focus on removing cardholder data if it is no longer needed. Our mantra is simple: If you don't need it, don't store it. If you do need it, then protect it through a multilayered approach and devalue it through innovative technologies that reduce incentives for criminals to steal it.

Let me explain how we do that. The data security standard is built on 12 principles that cover everything from strong access control, monitoring and testing of networks, risk assessment, and much more. This standard is updated regularly through feedback from our global community. In addition, we have developed other standards that cover payment software, security manufacturing of cards, point-of-sale devices, and much more. We also develop standards and guidance on emerging technologies, like tokenization and point-to-point encryption, that remove the amount of card data that is kept in systems, rendering it useless to cyber criminals. Another technology, EMV chip, has widespread use in Europe and other markets and is an extremely effective method of reducing card fraud in face-to-face environments. That is why the Council supports the deployment of this technology. In fact, today we already certified a securing of chip terminals and manufacturing of chip cards. However, EMV chip is only one piece of the puzzle. In addition, controls are needed to protect the integrity of payments online, on the telephone, and in other channels. These controls include encryption, proper access, response from tampering, malware protection, and more. These are all addressed within the PCI standards today. Used together, EMV chip and PCI standards can provide strong protections for payment card data.

But effective security requires more than just standards and technology. Without ongoing adherence and supporting programs, these are only tools and not solutions. The Council makes it easy for businesses to choose products that have been independently lab-tested and certified as secure. The Council's certification and training programs have educated tens of thousands of individuals including assessors, merchants, technology companies, and government. And finally, we conduct global campaigns to raise awareness of payment card security. The recent compromises demonstrate the importance of a multilayered approach to payment card security, and there are clear ways in which the government can help--for example, by leading stronger law enforcement efforts worldwide, particularly because of the global nature of these threats; and by encouraging stiff penalties for these crimes. Promoting information-sharing between the public and private sector also merits attention. The Council is an active collaborator with government. We work with NIST, DHS, and many other government entities, and we are ready and willing to do more. We believe that the development of standards to protect payment card data is something that we are uniquely qualified to do. The global reach, expertise, and flexibility of PCI have made it an extremely effective mechanism for protecting consumers if implemented correctly. The recent breaches underscore the complex nature of payment card security. A multifaceted problem cannot be solved by a single technology, mandate, or regulation. It cannot be solved by a single sector of society.
Businesses, standards bodies, policymakers, and law enforcement must work together to protect the financial and privacy interests of consumers. Today, as this committee focuses on recent breaches, we know that criminals are focusing on inventing the next attack. There is no time to waste. The PCI Council and business must continue to provide multilayered security protections while Congress leads efforts to combat global cyber crimes that threaten us all. We thank the committee for its attention to this, and we look forward to finding a way forward with addressing large security concerns of our time.

[The prepared statement of Mr. Leach can be found on page 67 of the appendix.]

Chairwoman Capito. Thank you. Our next witness is Mr. Greg Garcia, advisor, Financial Services Information Sharing and Analysis Center. Welcome.

STATEMENT OF GREGORY T. GARCIA, ADVISOR, FINANCIAL SERVICES INFORMATION SHARING AND ANALYSIS CENTER (FS-ISAC)

Mr. Garcia. Thank you, Chairwoman Capito, Ranking Member Meeks, and members of the subcommittee. I am Greg Garcia, president of Garcia Cyber Partners, a cybersecurity policy and business development consulting firm. I am testifying here today as an advisor to the Financial Services Information Sharing and Analysis Center, or FS-ISAC. In light of the recent data breaches in the retail sector, this hearing is timely as we consider how commercial and critical infrastructure sectors can prevent and defend against such attacks from happening in the future. During my tenure as Assistant Secretary at Homeland Security and as an executive with the financial services sector and IT sectors, I have consistently held up the FS-ISAC as a model operation. It is a model for how trusted collaboration, timely intelligence, and information-sharing are essential elements of any risk management strategy. They are effective tools against cyber adversaries who would subvert the integrity of the critical infrastructures that maintain the cyber, physical, and economic security of this country and the world. So accordingly, I would like to spend just the next few minutes describing some of the major elements of the model and put it in the context of the recent data breaches that are the subject of this hearing.

The FS-ISAC was founded in 1999 in acknowledgement of a Presidential Directive, PDD 63, which urged private industry to self-organize around the mission of sector-specific critical infrastructure protection. The FS-ISAC provides a formal structure for its 4,500 member institutions to share valuable and actionable cyber intelligence within the sector and with their industry and government partners. This collaborative activity ultimately benefits the Nation. At FS-ISAC, we use all the tools at our disposal to stay ahead of adversaries. And just a few of these tools include the secure FS-ISAC member Web portal, where threat indicators are published; e-mail listservs; threat assessment conference calls; best practices advisories; incident response and mitigation protocols; cyber exercises; and information-sharing partnerships across the sector, with other sectors, and with government and cyber operations and intelligence entities, such as the NCCIC. We recognize that the threats we face are sophisticated and are frequently changing, and that immediate sharing of threat details and patterns is effective in heading off the changing nature of the threats. We also share this sensitive information without the risk that any member company would exploit another's misfortune from cyber attack for competitive advantage. Members know we are all in this together, that an attack on one can very quickly escalate to attack on many if all eyes and ears are not working together. And our organization ensures that even smaller community institutions have access to threat information alongside the largest financial institutions in the Nation.

By way of specific example, allow me to walk you through some of the actions taken by the FS-ISAC in the wake of the retailer data breaches that recently occurred. First, when information from forensic investigations became available, FS-ISAC published a joint document with the DHS National Cybersecurity and Communications Integration Center (NCCIC), the U.S. Secret Service, and ISAC partners regarding the breach. We provided relevant mitigation recommendations and network security best practices from an industry owner and operator perspective. These security practices are intended to help vendors and merchants to secure their point-of-sale systems and to defend against malware that is used in those system attacks. Second, FS-ISAC encouraged its association members to share the joint document broadly with their members, and we also met with and provided the document to a number of retailer associations and encouraged them to share the document with their members. Third, as information about the attacks was becoming available, members were able to leverage FS-ISAC's all-hazards playbook and related best practices to better protect and communicate with their customers and the general public. Fourth, FS-ISAC provided an assessment of the point-of-sale malware to its members on its biweekly threat calls and the assessment examined the malware in several ways--the usage patterns in the short term, the growing popularity and availability of the malware tools, and threat indicators for network defenders. Finally, we continue to work with multiple associations representing the retailers to explore ways in which we can help them enhance the security of their systems.
Since these data breaches occurred, there has been considerable discussion in the public domain about accountability and assignment of costs associated with these breaches. Indeed, financial institutions have absorbed considerable costs associated with canceling and reissuing credit and debit cards to their customers. But as I stated at the beginning of my testimony, it is clear to us that we are all in this together, that security is a shared responsibility, and that is why the FS-ISAC was pleased to see the announcement on February 13th of a new partnership between merchant and financial trade associations that will focus on exploring the paths to increased information-sharing, better card security technology, and maintaining the trust of customers. Discussion regarding the partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable and was joined by a dozen other influential financial associations. Madam Chairwoman, that concludes my testimony and I look forward to answering any questions the subcommittee may have for me.

[The prepared statement of Mr. Garcia can be found on page 57 of the appendix.]

Chairwoman Capito. Thank you. Our next witness is Mr. David Fortney, senior vice president, product manager and development, The Clearing House Payments Company. Welcome.

STATEMENT OF DAVID FORTNEY, SENIOR VICE PRESIDENT, PRODUCT MANAGEMENT AND DEVELOPMENT, THE CLEARING HOUSE PAYMENTS COMPANY

Mr. Fortney. Thank you. Good afternoon, Chairwoman Capito, Ranking Member Meeks, and members of the subcommittee. My name is David Fortney. I am the senior vice president of product management for The Clearing House, and I thank you for the opportunity to talk today about issues that are critical to all Americans--the security of our payment system and also the protection of sensitive consumer financial information. The Clearing House is the Nation's oldest bank association and payments company. Our mission includes ensuring the safety, soundness, and efficiency of the payments system. We provide payment services to our 23 owner banks and other financial institutions, clearing and settling nearly $2 trillion daily. The organization's owner banks collectively represent over half of the Nation's deposits and over 70 percent of Visa and MasterCard-branded credit cards. The recent escalation of merchant data breaches demonstrates the increasing sophistication of cyber criminals and also underscores the urgent need for financial institutions, merchants, and all who touch the payment system to work together to protect against current and future threats.

I will focus my testimony today on two payment systems technologies that are on the horizon and will reduce the risk of future breaches: EMV; and tokenization. First, EMV cards contain computer chips and they are designed to protect against counterfeiting, as compared to the magnetic stripe-based cards used today. However, EMV alone would not have prevented the theft of card information in the recent breaches, as it relies on merchants receiving and processing the same static information that account numbers have today. As we have heard from prior testimony, those account numbers would still be significantly valuable to cyber criminals for committing fraud online, where most fraud occurs. Additionally, as EMV was designed prior to the Internet, prior to mobile phones or tablets, it does not address transactions initiated via those means.

The second technology I would like to discuss is one that we have been directly involved in at The Clearing House. It is called tokenization. Tokenization addresses online and mobile phone payments by substituting a limited-use random number, called a digital token, for the customer's account number during the transaction. Working behind the scenes, the secure digital token acts just like a regular account number as it goes through the system and requires very little change in how customers and merchants operate. A customer's true account number is never present in the smartphone or in the merchant's system, preventing any malware residing on those systems from capturing that sensitive information in the first place. The implementation of these two technologies--EMV and tokenization--will require cooperation amongst the banks and merchants as the tangible benefits can only be achieved by moving in tandem.

Turning to e-commerce, today customers provide personal financial and other data to e-commerce merchants, online wallets, alternative payment providers, merchant aggregators, and others. This proliferation of live sensitive customer account data increases the risk of breach-related fraud. When my bank recently sent me a new card after a compromise, I needed to update that card information on 47 different merchant and payment provider Web sites. In a tokenized environment, customer account data is held securely behind the bank firewalls and consumers won't need to update account information when cards are reissued. The scale of the payment system is enormous, with hundreds of millions of consumers, millions of merchants, thousands of banks and credit unions, and hundreds of networks and processors. The only way to gain broad adoption of a new technology such as tokenization is to develop an open standard that is scalable and widely adopted. Open standards promote innovation and allow customers and merchants to choose the best point-of-sale technology that works best for them. Two years ago, The Clearing House and its owner banks began working together to create an open tokenization standard that we call Secure Token Exchange. We are working with mobile wallets, networks, merchants, and payment processors to pilot and trial the standard.
The initial pilot began late last year and we will soon expand the trial phase to encompass additional banks, merchants, and cities. This initiative has acted as a catalyst with an increasing number of payment system participants now working on tokenization. We remain very much at the center of this activity. For example, The Clearing House is now working with the card networks, standard bodies, merchants, and processors on digital tokenization efforts with the goal of upholding the core openness, safety, and soundness principles. We also joined the coalition referred to by the prior witness, a coalition of merchant and financial industry trade associations, to form a cybersecurity partnership. Thank you again for the opportunity to testify on these critical issues, and I would be happy to answer any questions you may have.

[The prepared statement of Mr. Fortney can be found on page 54 of the appendix.]

Chairwoman Capito. Thank you. Our final witness is Mr. Edmund Mierzwinski, consumer program director, U.S. PIRG. Welcome.

STATEMENT OF EDMUND MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PIRG

Mr. Mierzwinski. Thank you, Madam Chairwoman, Ranking Member Meeks, and members of the subcommittee. As I did at a Senate hearing last month, I want to try to shift the discussion from what it has been in the media anyway, which is simply data breach notification--I am glad today we are talking about a lot more than data breach notification--to many of the other issues surrounding data security. First, regarding the Target breach, I am very concerned that Target dragged out notification to consumers for a long time. If it was because of investigations conducted with law enforcement that is one thing, but if it is simply because they wanted to drag it out for a long time, I am very disappointed. I am also disappointed in the product that they gave consumers--credit monitoring lite, a product that only tells you if your Experian credit report has any changes made to it, but not if your other two major credit reports have any changes made on them. Further, in order to accept that product, even though it was free, consumers had to agree to a mandatory arbitration clause limiting their rights against Experian in the future, and that is simply unacceptable to me.

But at the same time, I don't hold Target, Neiman Marcus, or any other company completely to blame for the breaches that have occurred in their stores or in their payment systems. The reason for that is they are working with the banks and the card networks, and the banks and the card networks are forcing them to use an obsolete payment system known as the mag-stripe card. For 50 years, or maybe 40 years, we have used the mag-stripe card without upgrading it. I am very pleased to hear that the banks are now talking about open standards to upgrade the systems out there. That is very encouraging to me. But for 40 years, they acted as monopolists with closed standards and required merchants to accept a card essentially like a car from the 1950s--no airbags, no ABS brakes, no additional safety features, no safety glass. Merchants were forced to continue to adopt new and different and ever-changing changes to their systems. It was just very difficult for them and it is not all the merchants' fault, and the banks need to be held accountable and the card networks that were formerly owned by the banks and still are largely controlled by the banks.

I have in my written testimony 10 recommendations that I want to go through quickly. First, Congress should make all plastic equal. Credit cards are safe by law; debit cards have zero liability by promise only. Plus, with a debit card, again, you are required to use an unsafe system on the signature-based network instead of a PIN-based network. You are encouraged, anyway, to use it without a PIN, and that is just unfair and unreasonable to consumers who not only are breached, who will not only face the problem of fraud or identity theft, but also lose money from their existing account until the bank replaces it, if it honors the zero liability promise. So first, why shouldn't debit cards have the same consumer protection as credit cards? Second, be careful not to endorse any specific technologies. Go forward with open standards that push innovation and that all participants in the system are subject to the same rules. Previously, the banks have forced merchants to be subject to a different set of rules than they have been subject to, and companies that are under Gramm-Leach-Bliley are subject to a different set of rules than the merchants are subject to--an easier, softer set of rules. Third, look into whether the open standards bodies are truly open. I don't think they have been in the past; I am encouraged to think that they may be in the future. Fourth, Congress should stay away from an issue that has been debated in State legislatures, which is that banks try to get the merchants, by law, to pay all of their costs. They already do pay most of the banks' costs. It is impossible to do that by law. Finally, don't preempt the States. Even if you come up with a uniform standard, don't preempt the States. You don't need to. The States will move onto other issues as long as your standard is good enough, but if it isn't, we need the States as first responders. Make sure you allow for private enforcement by consumers of any law in State attorneys general as well as a good Federal law. Don't include a harm trigger in your law. Force companies that lost their information to tell us about it. Investigate overpriced credit monitoring.
I have already talked about the fact that it is given for free to consumers, but it is something the committee should investigate and the CFPB has been looking into quite a bit, as well. Finally, Congress should investigate the over-collection of consumer information generally on the Internet by companies we don't even do business with--not only by our banks, and not only by the retailers with whom we do business. There are dozens if not hundreds of additional business-to-business companies collecting information about us that are not regulated. Thank you. [The prepared statement of Mr. Mierzwinski can be found on page 73 of the appendix.] Chairwoman Capito. Thank you very much, and I want to thank all of the witnesses. I will yield myself 5 minutes to begin the questioning. My first question is for Mr. Garcia. On the FS-ISAC, it is a sharing organization with the financial services community, are there now private entities who are in that--retailers and such that are a member of that community or is it mostly just financial services? Mr. Garcia. It is mostly financial services, although we do have a retailer member now and we include insurance companies, and payment processors. Any organizations that have--that essentially are regulated as financial institutions or have banking credit subsidiaries are eligible for membership in the FS-ISAC. Chairwoman Capito. Would, say, like a Target be eligible for membership to-- Mr. Garcia. Yes. And they are a member. Chairwoman Capito. And they are a member. Mr. Garcia. Yes. Chairwoman Capito. So are you going to encourage other retailers--because obviously this is where the--some of the breaches most recently have taken place-- Mr. Garcia. Absolutely. 
We have had a lot of conversations with the retail sector, and certainly Target's membership in the FS-ISAC, I think, serves as leadership and opportunity to bring on the broader retail sector, provided each individual organization is eligible for ISAC membership according to the regulatory status, as I mentioned.

Chairwoman Capito. All right. Thank you.

Mr. Fortney, you mentioned two different types of technologies, the EMV chip and the tokenization. Is anybody using the tokenization now in the United States with whom we would all be familiar?

Mr. Fortney. Tokenization has been used in what I would call point-to-point or proprietary type of environments, but what is--

Chairwoman Capito. Give me an example of that.

Mr. Fortney. So, an example would be that instead of using a true account number in a product that maybe one bank issues, instead embed a digital token. That has been done. Or individual merchants--

Chairwoman Capito. In financial transactions, not retail.

Mr. Fortney. Correct.

Chairwoman Capito. Okay.

Mr. Fortney. What is new with this is really talking about it in terms of an open standard that could be used widely in which everyone agrees to the same rules--

Chairwoman Capito. Is anybody outside the United States using tokenization in a retail spectrum?

Mr. Fortney. I believe the United States is ahead in this particular area, although there is a lot of interest for the technology globally, and some--

Chairwoman Capito. Okay.

Mr. Fortney. For instance, some of the institutions in our owner base do operate globally. They have strong interest in using this technology across the globe.

Chairwoman Capito. Okay. The EMV chip is used in Europe, correct?

Mr. Fortney. That is correct.

Chairwoman Capito. Okay.
Now I think I read this or heard that Target--and I am using Target as an example, but it might not be the correct example--had originally looked at the EMV chip as one of the mechanisms that they would use and actually might have even used it at some point and then ceased using it. Is that correct?

Mr. Fortney. I read the same thing, and I think it really goes to--it is really impossible for a single entity to introduce a new technology in payment with--and have impact without moving in tandem with a number of other retailers at the same time and the banks at the same time.

Chairwoman Capito. Yes. I think in that same article it said that it was discontinued because of the ease of service at the checkout. It was holding people up for one reason or another. Anyway, yes, I was just curious about that.

Mr. Leach, I know from our previous conversation when we talked about the EMV chip, it is not the be-all and end-all to solve these issues. Could you expound on that a little bit for us, please?

Mr. Leach. Sure. I would be happy to do so. As you know, our PCI standards are applied in Europe already today, and so we are looking at ways that we can remove the exposure of card data. So in a chip transaction, mag-stripe transaction, the card information is still exposed. And as Mr. Noonan in the previous panel explained, you can take that information and create fraud in online, telephone order, and other channels. So our focus is on removing that card information completely from the merchant environment through tokenization, point-to-point encryption, and other means, so as soon as the customer puts their information into a point-of-sale terminal, it is removed, and it is no longer available to the criminal if they are able to get into that system.

Chairwoman Capito. Okay.
We have been talking a lot about cards, and one of the things I mentioned in my opening statement is my interest in mobile payments, and I don't think of those as cards, although they are attached to a card number. What about security around these? Is that something that is part of what you are looking at for standards, Mr. Leach?

Mr. Leach. It is. And we think that this new, innovative technology--and there is actually going to be a press release on the framework next week on this--is very exciting. We think that by removing card data, we can actually improve the security of mobile transactions, as well.

Chairwoman Capito. Okay. Thank you. Mr. Meeks?

Mr. Meeks. Thank you, Madam Chairwoman. And let me, as a guy who is not tech-savvy at all, say that I appreciate your testimony.

I guess I will start with Mr. Leach. Again, in trying to figure out what we can do as Members of Congress, there is currently no Federal law establishing security standards that merchants and data brokers are required to meet. My first question is, does this matter? And what is the appropriate role of the Federal Government, in your estimation, in setting a dynamic and effective security standard, and what should the private sector's role be? And then, in light of the recent breaches at major U.S. retailers, do the existing PCI standards need to be updated?

Mr. Leach. I will start with the last question, because it is very interesting the timing of these breaches and our most recent update to the standards. Many of the actual incidents that are being reported in the media of how these criminals were able to get into these systems are actually already addressed in our PCI standards today. When these forensic investigations are completed, they typically provide a report of what PCI requirements have failed in those environments in order for a criminal to actually access and steal consumers' cardholder information. There is enforcement of our standards in the industry today.
It is by contract, so it is a financial institution and their contractual relationships with their merchants is how we enforce in our industry today.

For government involvement, I think the FS-ISAC and information-sharing so that we can take what we learn from these investigations and put that into our standards is where we need to have improvement. I think there has actually been in the last couple of years more engagement between the government and the private sector, and we encourage that to go forward.

Mr. Meeks. Let me ask, I guess, Mr. Mierzwinski: You testified today, as you did before the Senate Banking Committee in early February, where you urged that we should not embrace any specific technology but use and encourage the users to use the highest existing standard to prevent by action of rules of existing players from blocking additional technological improvements and security innovations. And I am listening, and I am hearing, on one end, and if I get a chance, I will ask Mr. Fortney about tokenization and how that can become a large-scale viable--but could you please elaborate on some of the basic pros and cons of each smart chip card variation, keeping in mind the differences in cost and the susceptibility to fraud, and how any of the resulting fraud losses are divided between merchants and card issuers and consumers?

Mr. Mierzwinski. Thank you, Congressman. Again, today is really the first time that I have heard the words ``open standards'' from the bank and card network industry. They may have talked about it in the past but I have understood the PCI standards body to be totally controlled by the banks and the card networks, and that has been harmful to innovation.

Today, EMV is kind of a standard, but it has different levels of protection, and the card networks would like you to believe that they are moving toward something called ``chip and signature,'' and that is good enough.
But chip and signature is designed by them to ride on the old signature-based platform. Anybody can forge a signature. Chip and PIN is a better solution. Tokenization is also a better solution to part of the problem. Online, using virtual account numbers for each transaction, is another part of the solution. So I think as long as we are developing standards in a truly open body where you can promote innovation, we are much better off.

Mr. Meeks. Mr. Fortney, would you alter your answer at all? What is your opinion on the same question?

Mr. Fortney. Yes, so, first of all, in the United States, as Mr. Mierzwinski points out, as the chip cards are introduced it is not necessarily going to be mandating a PIN. You can call it chip and choice, that there will be certain transactions that require a PIN just as they do today, such as an ATM machine or certain retailer transactions. Other transactions may be requiring the signature, and certainly underneath a certain dollar amount there may not be either of those. But regardless of all that, that chip card is fundamentally more secure than the mag-stripe card and is a big advance forward.

Mr. Meeks. Thank you.

Mr. Luetkemeyer [presiding]. Thank you. With that, I will yield myself 5 minutes.

One of the things that is concerning to me is at this point, from what I understand, the banks normally are the ones left holding the bag normally whenever you have one of these breaches, and is there something, Mr. Leach, in the discussion with your group, to find a way to put some liability on the other--the merchant who didn't maybe have the latest technology or didn't exercise the greatest care with his data so that it was breached? Or am I wrong on that? Is there a sharing of liability there?

Mr. Leach. The PCI Council is a technical standards body, so liability and all of the enforcement of our standards is managed through those banking relationships between the bank and the merchant.
What we do is we try to remove that card information from ever being stored in a merchant location. We heard from other Congressmen earlier who recognize that security is a very hard thing to do day in and day out, and what we are trying to do, to the gentleman's point earlier about tokenization, is remove cardholder data from ever being exposed in merchant locations so there is no longer an ability for criminals to monetize that data.

Mr. Luetkemeyer. Mr. Garcia, is there a movement to have higher standards for the merchants so that they share some of the liability there?

Mr. Garcia. We discussed just this recent partnership consortium that has been established between the financial services sector and merchants and payment processors, and I think that is going to go a long way to sort of gaining a common understanding as to what are our respective vulnerabilities, our respective responsibilities, and how do we work together to stay ahead of the adversaries.

Mr. Luetkemeyer. Okay. You made mention a while ago that there was a February agreement to that effect. Is that correct?

Mr. Garcia. That is correct, February 13th.

Mr. Luetkemeyer. Can you explain that just a little bit further?

Mr. Garcia. There are about a dozen industry associations that are signatory to this. It is just in the beginning phases. It is a partnership that is based on the recognition that we all--this is a shared challenge and therefore a shared responsibility, and over the coming months we are going to be looking into what are the various initiatives and programs we can engage in together to think about not just new technological capabilities, but what are standards of practice? How do we interact among each other to have a more secure ecosystem for the commercial and retail financial environments?

Mr. Luetkemeyer. Okay. Do you work with foreign countries, as well, foreign clearinghouses?

Mr. Garcia. No, not that I am aware of at this point. It is U.S.-based.

Mr. Luetkemeyer. Okay.
With your chip technology changing--or perhaps changing--where do you go with that when it comes to discussing it with merchants who--for instance, if I want to take a trip to Italy and now I want to use my credit card, how is that going to work if they don't have that same technology to be able to accept that card? This is going to have to be worldwide, I assume. Either Mr. Garcia or Mr. Fortney here?

Mr. Fortney. You have hit upon an issue that has been out there for people who travel from country to country, and maybe the card technology they work in one country doesn't work fully in the other. There are a number of banks today that will issue cards that will work internationally, using EMV, and as the rest of the U.S. industry issues those cards over the next year or two, that problem should diminish greatly.

Mr. Luetkemeyer. One of the problems that we have is with convenience comes more exposure, more risk, and that means more responsibility on an individual's part, too. Is there something an individual can do to protect his cards, his information better by the way he uses it? Mr. Fortney?

Mr. Fortney. You are asking an interesting question because I don't really put a lot of the responsibility on the end user. The end user, when they are in a payments environment, they need to enter their card information in the way in order to get the purchase done. So I guess I would prefer to focus on what are ways that we can actually improve the system, get rid of these card numbers and live static information out of the system and protect the consumers in that way?

Now, to further answer your question, sure there are some things that we all would agree are very bad practices, like if you have a PIN, don't write it on the back of your card, and if you are missing a card or you see a fraudulent transaction, report it promptly.
I would encourage people to sign up for the mobile banking alerts that most financial institutions offer so that you have rapid information if your card has been used, and if you don't recognize that transaction, take quick action.

Mr. Luetkemeyer. Does a consumer need to change his cards regularly? In other words, if I have a MasterCard, for instance, do I need to call the company and say, once every 6 months get a new card with new numbers and--is that a protection or is that just a waste of my time?

Mr. Fortney. I don't think that is really necessary because if your card number were to be breached then your institution would most likely reissue that card. This really would be a tremendous hassle for a consumer to proactively go about asking for a new card. If you have reason to believe it has been breached, absolutely, but not just as a preventative measure. I wouldn't recommend that.

Mr. Luetkemeyer. My wife, this past couple of weeks, has been in a different State, and as a result, she has used her credit card, and because it was a different State, immediately the credit card company, zam, they said, ``Hey, your card is being used in a different State. Is this what you want to--are you there or did somebody steal your card?'' It was very quick because the first transaction she did, immediately it was like that, the thing popped up on our e-mail and I was immediately notified to that effect. It was very helpful and it is nice to know that they are that quick to respond. So I guess that is another way that the companies are trying to prevent some folks from being abused with regards to that.

Mr. Fortney. Yes, that is correct. And as you saw in your personal experience, many of the banks--really all of the banks now have this kind of fraud detection technology and they are looking for anything that is outside of the pattern.
That can certainly create a hassle if you are traveling and it happens to you erroneously, but typically you can call and get that--verify the last transaction and the card gets opened up again for a full purchase.

Mr. Luetkemeyer. Very good. Thank you. With that, we will move to the gentleman from Georgia, Mr. Scott.

Mr. Scott. Thank you very much, Mr. Chairman. Certainly, first, I just want to commend Mr. Leach and the PCI. I think you guys are on the right track in lessening the available information out there for the bad guys to work with in the first place, and I encourage you to continue with that.

But what really disturbs me about this hearing is that earlier I asked the Secret Service and Homeland Security why the United States was targeted, is there something other nations are doing that we are not doing, and their answer was not an accurate one, if I may say, and I want to address that. Because this is a serious problem and there is a reason why we are being targeted, and I want you all to respond to this.

The Economist, in its February 15th article, said that America--this Nation, the United States--leads the world in payment card fraud. It is the only country in which counterfeit card fraud is consistently growing. In fact, the United States currently accounts for nearly half--47 percent--of all global payment card losses. It goes on to say, in part, that fraudsters target the United States because that is where the cards are. At the end of 2013 there were 1.2 billion debit, credit, and prepaid cards in circulation in America. That is over half of the 2 billion--more than in any other region. That is nearly five cards per adult here. But America also makes things easy for fraudsters. Alone among developed countries, it still relies exclusively on cards with magnetic strips, which are far less secure than the chip and PIN technology used elsewhere.

So clearly, the gentlemen with Homeland Security and the Secret Service are probably not aware of this.
But now that we are aware of this, Mr. Mierzwinski, let me ask you, given this information from The Economist, given how big this issue is, let me ask you: What makes the United States payment card so vulnerable to fraud more than any other nation, and what is it that we do differently than other countries around the world regarding this?

Mr. Mierzwinski. Mr. Scott, I think you answered the question already. I don't know how much I can add to it, but we are still using a 40- or 50-year-old magnetic stripe obsolete technology. We are now starting to move slowly toward chip and PIN, tokenization, virtual card numbers on the Internet, and other solutions that are going to be better.

But the second thing that we do in this country is we aggressively rolled out debit cards to be used without PINs. When they were exclusively ATM cards they required a PIN, but the big card networks wanted them to ride along on their signature-based systems and so they said, ``Merchants and consumers, use the unsafe product on the signature-based system.'' So that is why we say, let's give consumers greater consumer protection when they use debit cards. And let's go back to encouraging the use of PIN-based networks. There are competitor PIN-based networks but the big banks don't want you to use them because they don't own them.

Mr. Scott. I see. Let me ask you this, because I am anxious--and all of us on this committee are anxious--to see what we in Congress can do. So let me ask you, is there any reason why Congress shouldn't mandate that payment card security standards use the most effective technology in the marketplace?

Mr. Mierzwinski. I agree with you on that completely, and I will leave it up to your legislative counsel to help draft it, but absolutely it should be a standard-based system that promotes the highest and most innovative standards.

Mr. Scott.
And so don't you feel--let me just ask you this: Why is it important, in your opinion--and others can comment on this as well--for Congress to improve debit ATM card consumer rights and make all plastic equal?

Mr. Mierzwinski. Very simply, cards are not protected and your bank account is not protected, and that is a real problem for consumers. I believe that if the consumer rights were increased to the level of credit cards--I only use credit cards, by the way, on the Internet, and I only use credit cards at the store. It is the safer way to go. But if debit cards had higher consumer rights that would focus the mind of the banks on improving protections for those cards.

Mr. Scott. And you also mentioned that if fraud victims are reimbursed at what you refer to as zero liability, is this zero liability policy ubiquitous among all credit card and debit card users?

Mr. Mierzwinski. As far as I--zero liability is something that the debit card industry promotes. The credit card law maximizes our liability at $50, but with a debit card, you could lose all the money in your account under some circumstances.

Mr. Scott. Okay. My--

Mr. Mierzwinski. But as far as I know, all the card companies do use zero liability but some have more asterisks, more exceptions.

Mr. Scott. And so my final point is, because I think the American people--I think this is a problem of soaring magnitude, and we are going to be in trouble if we don't get a handle on this. We in Congress, there is no national directive here, so I just want to ask each of you, do you feel that the most important thing we can do right now is this national breach legislation that we have been talking about, that we have a national standard, or do you see just leaving it at the State level--the various State levels, this hodge-podge that we have?

Mr. Mierzwinski.
If you are starting with me, I have already testified that I think that we don't really need a national standard, but if you do establish one--because a good, smart company can just comply with the strongest State law, but if we are going to focus on that as part of the solution, just don't preempt the States. Go to a high, good national standard. You won't need to preempt the States.

Mr. Scott. Okay. Anyone else?

Mr. Fortney. Yes. We would support a national standard. We just think the most efficient way to deal with these sorts of threats is to be consistent and provide standard consumer protection versus a haphazard, State-by-State approach.

Mr. Scott. Yes. Mr. Garcia?

Mr. Garcia. Yes. I would agree with that. I think if you have 40-plus State laws that differ in various respects as to what are the requirements for breach notification, it doesn't necessarily improve consumer protection to have multiple different forms of communication, and to the extent that you can standardize that kind of communication to the consumer base nationally, I think that would be more effective and less costly.

Mr. Scott. Okay. Thank you. Mr. Leach, would you--

Mr. Leach. Consistency is good. Again, we need to find ways to get after these bad guys and remove the monetization of card data, period.

Mr. Scott. Okay. Thank you very much, Mr. Chairman. I appreciate the extra time.

Mr. Luetkemeyer. Thank you. I just have one follow-up question here, and then I think we are done for the day and we will let you guys go.

We have seen in the last year or so a number of breaches, and my concern is, how many more are yet to come? And as a result of that, when are we going to get some action taken to stop this? And so if you could answer those two questions succinctly here, we will start with Mr. Mierzwinski?

Mr. Mierzwinski. I apologize--

Mr. Luetkemeyer. I guess the question is, how susceptible are we to further breaches, and then where are we going to be 5 years from now?
Are we going to take action?

Mr. Mierzwinski. I think that further breaches are going to occur. I just saw Brian Krebs who is tweeting that--he is the guy who broke the Target story; he is a cyber journalist, I guess--that there was another breach today of a beauty company. And so, there will be continued breaches. The question is, what do we do about them?

Five years from now, I predict we are going to have a much more sophisticated system. There is innovation coming from phone companies, coming from Internet companies, coming from alternatives. It is going to force the banks to do a better job.

Mr. Luetkemeyer. Mr. Fortney?

Mr. Fortney. I would agree with most of that. I think it is not just on the banks, however. It is really on the banks and the merchants and everyone to work together to introduce these new technologies. It can't be done from one side.

Mr. Luetkemeyer. Mr. Garcia?

Mr. Garcia. Asking when we are going to stop cyber attacks is tantamount to asking when we are going to stop crime. It is an ongoing challenge. As long as there is technological innovation, there is technological innovation on the side of criminals as well, finding ways to exploit that. So, as I mentioned before, it isn't just about technology, but it is about your practices and your information-sharing and your collaboration. We are all in this together and no single one of us is as smart as all of us combined, and that is really what the FS-ISAC is here to talk about today is how we collaborate when those technological solutions aren't going to fully protect us, but what can we do together as a team.

Mr. Luetkemeyer. I guess the follow-up to you would be, okay, we recognize we have a problem. Your group is one who tries to solve a problem. Are you going to kick it into another gear to get this done ASAP?

Mr. Garcia.
As a matter of fact, we have initiated a new program that tries to automate--that does automate our intelligence and information-sharing and incident response, because as we know, many cyber attacks happen at Internet speed, and as long as we are operating at human speed, we are one step behind. So we have invested quite a lot of resources--FS-ISAC and its membership--in developing--in automated tools using standardized language for how we characterize threats and attacks such that the front-line cyber operators and analysts who are protecting our systems are able to make decisions in a more real-time way and take action in a more real-time way against those threats and attacks.

Mr. Luetkemeyer. Very good. Mr. Leach?

Mr. Leach. I would say we can't address 2014 threats with 2004 controls. We need to remove the legacy systems that we have--and part of that is legacy business process and educating merchants that there is no longer a need to store cardholder information beyond the point of getting an authorization. I think with the legacy systems that we have today, there is opportunity for us to improve.

You asked about what we will see in about 5 years. I see us no longer having this valuable card information for criminals to attack. That is where I hope we are going to be in 5 years.

Mr. Luetkemeyer. I thank each of the witnesses for being here today. As you can see, we are very concerned on this side of the table with regards to the privacy of information and the privacy of financial transactions that take place with our consumers and our constituents and the people of this country. And so, we want to work with you. If you can continue to work with us to point out places where we can be of help, we certainly want to look for that. And again, I thank the chairwoman for the opportunity to have this hearing.

The Chair notes that some Members may have additional questions for this panel, which they may wish to submit in writing.
Without objection, the hearing record will remain open for 5 legislative days for Members to submit written questions to these witnesses and to place their responses in the record.

Also, without objection, Members will have 5 legislative days to submit extraneous materials to the Chair for inclusion in the record.

With that, the hearing is adjourned.

[Whereupon, at 1:09 p.m., the hearing was adjourned.]

A P P E N D I X

March 5, 2014