[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                  PROTECTING CRITICAL INFRASTRUCTURE:
                        HOW THE FINANCIAL SECTOR
                        ADDRESSES CYBER THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON FINANCIAL INSTITUTIONS
                          AND CONSUMER CREDIT

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 19, 2015

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 114-26
                           


                      U.S. GOVERNMENT PUBLISHING OFFICE
95-070 PDF                WASHINGTON : 2015                      
                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
SCOTT GARRETT, New Jersey            GREGORY W. MEEKS, New York
RANDY NEUGEBAUER, Texas              MICHAEL E. CAPUANO, Massachusetts
STEVAN PEARCE, New Mexico            RUBEN HINOJOSA, Texas
BILL POSEY, Florida                  WM. LACY CLAY, Missouri
MICHAEL G. FITZPATRICK,              STEPHEN F. LYNCH, Massachusetts
    Pennsylvania                     DAVID SCOTT, Georgia
LYNN A. WESTMORELAND, Georgia        AL GREEN, Texas
BLAINE LUETKEMEYER, Missouri         EMANUEL CLEAVER, Missouri
BILL HUIZENGA, Michigan              GWEN MOORE, Wisconsin
SEAN P. DUFFY, Wisconsin             KEITH ELLISON, Minnesota
ROBERT HURT, Virginia                ED PERLMUTTER, Colorado
STEVE STIVERS, Ohio                  JAMES A. HIMES, Connecticut
STEPHEN LEE FINCHER, Tennessee       JOHN C. CARNEY, Jr., Delaware
MARLIN A. STUTZMAN, Indiana          TERRI A. SEWELL, Alabama
MICK MULVANEY, South Carolina        BILL FOSTER, Illinois
RANDY HULTGREN, Illinois             DANIEL T. KILDEE, Michigan
DENNIS A. ROSS, Florida              PATRICK MURPHY, Florida
ROBERT PITTENGER, North Carolina     JOHN K. DELANEY, Maryland
ANN WAGNER, Missouri                 KYRSTEN SINEMA, Arizona
ANDY BARR, Kentucky                  JOYCE BEATTY, Ohio
KEITH J. ROTHFUS, Pennsylvania       DENNY HECK, Washington
LUKE MESSER, Indiana                 JUAN VARGAS, California
DAVID SCHWEIKERT, Arizona
FRANK GUINTA, New Hampshire
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas

                     Shannon McGahn, Staff Director
                    James H. Clinger, Chief Counsel
       Subcommittee on Financial Institutions and Consumer Credit

                   RANDY NEUGEBAUER, Texas, Chairman

STEVAN PEARCE, New Mexico, Vice      WM. LACY CLAY, Missouri, Ranking 
    Chairman                             Member
FRANK D. LUCAS, Oklahoma             GREGORY W. MEEKS, New York
BILL POSEY, Florida                  RUBEN HINOJOSA, Texas
MICHAEL G. FITZPATRICK,              DAVID SCOTT, Georgia
    Pennsylvania                     CAROLYN B. MALONEY, New York
LYNN A. WESTMORELAND, Georgia        NYDIA M. VELAZQUEZ, New York
BLAINE LUETKEMEYER, Missouri         BRAD SHERMAN, California
MARLIN A. STUTZMAN, Indiana          STEPHEN F. LYNCH, Massachusetts
MICK MULVANEY, South Carolina        MICHAEL E. CAPUANO, Massachusetts
ROBERT PITTENGER, North Carolina     JOHN K. DELANEY, Maryland
ANDY BARR, Kentucky                  DENNY HECK, Washington
KEITH J. ROTHFUS, Pennsylvania       KYRSTEN SINEMA, Arizona
FRANK GUINTA, New Hampshire          JUAN VARGAS, California
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
MIA LOVE, Utah
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    May 19, 2015.................................................     1
Appendix:
    May 19, 2015.................................................    37

                               WITNESSES
                         Tuesday, May 19, 2015

Bentsen, Hon. Kenneth E., Jr., President and Chief Executive 
  Officer, the Securities Industry and Financial Markets 
  Association (SIFMA)............................................     4
Fitzgibbons, Russell, Executive Vice President and Chief Risk 
  Officer, The Clearing House Payments Company L.L.C.............     9
Garcia, Gregory T., Executive Director, the Financial Services 
  Sector Coordinating Council (FSSCC)............................     6
Healey, Jason, Senior Fellow, the Atlantic Council...............    11
Nichols, Robert S., President and Chief Executive Officer, the 
  Financial Services Forum.......................................     8

                                APPENDIX

Prepared statements:
    Hinojosa, Hon. Ruben.........................................    38
    Bentsen, Hon. Kenneth E., Jr.,...............................    40
    Fitzgibbons, Russell.........................................    47
    Garcia, Gregory T............................................    54
    Healey, Jason................................................    62
    Nichols, Robert S............................................    68

              Additional Material Submitted for the Record

Neugebauer, Hon. Randy:
    Written statement of the Independent Community Bankers of 
      America....................................................    72
    Written statement of the National Association of Federal 
      Credit Unions..............................................    75
    Written statement of the National Association of Insurance 
      Commissioners..............................................    78

 
                  PROTECTING CRITICAL INFRASTRUCTURE:
                        HOW THE FINANCIAL SECTOR
                        ADDRESSES CYBER THREATS

                              ----------                              


                         Tuesday, May 19, 2015

             U.S. House of Representatives,
             Subcommittee on Financial Institutions
                               and Consumer Credit,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 12:59 p.m., in 
room 2175, Rayburn House Office Building, Hon. Randy Neugebauer 
[chairman of the subcommittee] presiding.
    Members present: Representatives Neugebauer, Pearce, Lucas, 
Posey, Fitzpatrick, Westmoreland, Luetkemeyer, Stutzman, 
Mulvaney, Pittenger, Barr, Guinta, Tipton, Williams, Love; 
Clay, Hinojosa, Velazquez, Lynch, Heck, Sinema, and Vargas.
    Chairman Neugebauer. The Subcommittee on Financial 
Institutions and Consumer Credit will come to order. Without 
objection, the Chair is authorized to declare a recess of the 
subcommittee at any time.
    Today's hearing is entitled, ``Protecting Critical 
Infrastructure: How the Financial Sector Addresses Cyber 
Threats.''
    Before I begin, I would like to thank our witnesses for 
being here today and for traveling all the way over to 2175. We 
had a little preview of our new digs, but there is a thing in 
construction called a ``punch list,'' and I think we had to 
remove ourselves for a week or so, so they could work on a 
punch list over there. But we hope to be back in there soon.
    As a little bit of housekeeping, I am sure that the 
majority leader forgot I was having a hearing this afternoon 
and has scheduled votes sometime here in the next few minutes. 
And I am sure that was an oversight on his part. But 
nonetheless, we will have Members who have to go vote. We are 
going to take care of that little constitutional duty.
    I will just remind everyone that the Chair is authorized to 
call a recess at any time, and so the Members can vote. So I 
think what we are going to try to do here is we are going to 
have opening statements and we are going to keep going until 
they ring the bell. We will ask Members to quickly go over and 
vote, and we will come back and resume the hearing. After that, 
we should be good to go for the rest of the hearing.
    I am now going to recognize myself for 5 minutes to give an 
opening statement.
    The financial services sector is one of the most complex 
and critical sectors of the U.S. economy.
    Financial sector participants hold deposits for consumers; 
ensure the consistent flow of capital through our capital 
markets; provide loans for small businesses; support large, 
internationally active corporations; and operate some of the 
most sophisticated payment systems on the globe.
    Literally trillions of dollars flow through the financial 
sector each and every single day. Given its position of 
critical importance, the financial services sector has become a 
top target for cyber attacks.
    Today and every day this year, there will be 117,334 cyber 
incidents against the U.S. economy, according to a 
PricewaterhouseCoopers study.
    A recent Depository Trust & Clearing Corporation study 
highlighted cybersecurity as the number one issue of concern 
for financial institutions. This top position is held over 
risks such as overregulation and geopolitical risks.
    Last week, SEC Chair Mary Jo White noted that cyber attacks 
are the ``biggest systemic risk'' facing the United States of 
America. And Treasury Secretary Jack Lew noted that 
cybersecurity is one of those issues that keeps him up at 
night.
    Given the importance of this threat, the financial services 
sector has responded well. The sector has been a leader in 
setting up an information-sharing framework and has been an 
active and constructive participant in working with U.S. 
regulatory agencies and law enforcement. And further, the 
sector's investment in cybersecurity infrastructure and 
engagement by senior management has been crucial to preventing 
future attacks.
    However, we should all remember that there is no single 
institution or system that is 100 percent protected from cyber 
attacks. The sector faces threats posed by a growing array of 
cyber criminals, national and state actors, and terrorist 
organizations. Each has tremendous financial and political 
incentive to continue looking for weak spots, and to cause 
sector disruption.
    Today's hearing is important for Members to gain a better 
understanding of some of the top cyber issues facing the 
financial services sector.
    First, we must better understand the nature of cyber 
threats. Where are threats coming from? What do they look like? 
And how are we working with global partners?
    Second, information-sharing and liability protection are 
crucial elements to a cyber response framework. We should 
explore how public-private partnerships help facilitate 
comprehensive responses to cyber threats, and if there are 
areas where we should be and can be improving.
    Third, contingency preparation is critical to being able to 
provide continuity in the sector in the wake of a cyber attack. 
We should better understand the steps the financial services 
sector is taking to plan for attacks, train employees, and test 
its system.
    Cybersecurity is a shared responsibility. It is a shared 
responsibility among financial institutions. It is a shared 
responsibility between the public sector and the government. It 
is a shared responsibility between the United States and our 
global allies.
    And finally, being thoughtful leaders on this issue is a 
shared responsibility for members of this committee. I would 
like to thank my Democratic colleagues for taking this issue so 
seriously and contributing to a very constructive dialogue.
    I would now like to recognize the ranking member of the 
subcommittee, Mr. Clay, for 3 minutes.
    Mr. Clay. Thank you, Mr. Chairman, and thank you to each of 
today's witnesses for your testimony. I welcome today's 
testimony from our panel of practitioners and content area 
experts. And I view this afternoon's hearing as an important 
opportunity to shed some light on the financial services 
industry's ability to effectively monitor, detect, and respond 
to cyber attacks.
    Cyber criminals, state-sponsored and affiliated hackers, 
and politically-motivated ``hacktivists'' have all targeted the 
financial services industry. And their tactics have continued 
to evolve and expand in frequency, scale, sophistication, and 
severity.
    To that end, the financial services industry's response, 
monitoring, and information-sharing infrastructure, as well as 
the response capabilities of the relevant Federal regulators, 
must reflect the dynamic nature of cyber threats.
    Mr. Chairman, I firmly believe that cybersecurity is one of 
a few issues where our committee can truly work in a bipartisan 
fashion to ensure that our regulators and regulated entities 
have the necessary resources and support to defend against 
cyber attacks. I look forward to each witness's testimony, and 
I yield back the balance of my time.
    Chairman Neugebauer. The Chair now recognizes the 
gentlewoman from Arizona for 2 minutes.
    Ms. Sinema. Thank you, Mr. Chairman. When hackers stole the 
credit card information of Susan, one of my constituents from 
Chandler, Arizona, she initially didn't notice an unauthorized 
$10 donation to a small charity, but the next month she did 
notice the several hundred dollars in police uniforms that a 
man in London had purchased using her card, and that is when 
she called the FBI.
    Unfortunately, Susan's story is all too common. Last year 
alone, according to Verizon's 2015 Data Breach Investigations 
report, there were more than 79,000 security incidents reported 
and more than 2,000 confirmed data breaches. These breaches 
have exposed the personally identifiable information, as well 
as sensitive financial information, of millions of consumers.
    Securing the financial services sector requires us to 
continue to strengthen security practices and information-
sharing infrastructures.
    Educating consumers and financial sector participants is 
also crucial if these efforts are to be successful.
    The evolving nature of cyber threats calls for a vigorous 
and dynamic response. I look forward to hearing more from our 
witnesses today about how industry is developing safety 
protocols that keep pace with technological innovation, and how 
educating consumers and financial sector participants will help 
better protect consumers like my constituent, Susan.
    Thank you, Mr. Chairman. I yield back my time.
    Chairman Neugebauer. I thank the gentlewoman.
    We will now turn to our witnesses. Today we welcome the 
testimony of the Honorable Kenneth E. Bentsen Jr., president 
and CEO of SIFMA; Mr. Gregory T. Garcia, executive director of 
the Financial Services Sector Coordinating Council; Mr. Robert 
S. Nichols, president and CEO of the Financial Services Forum; 
Mr. Russell Fitzgibbons, executive vice president and chief 
risk officer for The Clearing House Payments Company; and Mr. 
Jason Healey, senior research scholar at the School of 
International and Public Affairs, Columbia University, and 
senior fellow at the Atlantic Council.
    You will each be recognized for 5 minutes to give a summary 
of your testimony, and without objection, your complete written 
statements will be made a part of the record. We would ask you 
to limit your remarks to 5 minutes.
    Mr. Bentsen, you are now recognized for 5 minutes.

 STATEMENT OF THE HONORABLE KENNETH E. BENTSEN, JR., PRESIDENT 
   AND CHIEF EXECUTIVE OFFICER, THE SECURITIES INDUSTRY AND 
             FINANCIAL MARKETS ASSOCIATION (SIFMA)

    Mr. Bentsen. Thank you, Chairman Neugebauer, Ranking Member 
Clay, and members of the subcommittee for allowing me the 
opportunity to testify on this critically important topic.
    A large-scale cyber attack resulting in the destruction of 
books and records and disruption of our capital markets is 
among the most significant and systemic threats facing our 
economy today, so it is appropriate that so much time and 
energy is being focused on developing public-private 
partnerships and identifying solutions to mitigate that risk.
    The financial services sector has invested huge sums of 
capital into their cyber attack deterrence programs over the 
years, enhancing their efforts to match the growing threat.
    As policymakers and the industry focus on addressing the 
causes of the last financial crisis, it is equally, if not more 
important that we focus on the future risks, and cyber crime is 
the greatest.
    Some 18 months ago, SIFMA's members commenced the five-part 
multiyear effort to address cybersecurity threats and related 
risks to broker-dealers and asset managers. Emanating from our 
previous work as part of the industry's business continuity 
planning, and in response to the 2014 NIST framework, the goal 
of these five initiatives is to better identify the 
vulnerabilities to our sector and to prepare individual firms 
of all sizes and the broader sector to defend themselves and 
our clients, thereby enhancing protection for the millions of 
Americans who access these markets every day.
    My written testimony goes into much more detail on these 
five initiatives, but I would like to touch on just a few.
    SIFMA recently published its principles for effective 
cybersecurity regulatory guidance and called for regulations to 
be harmonized across agencies for greater effectiveness. These 
principles build upon the highly valuable NIST framework, an 
initiative which we contributed much time and energy to, and 
after its release have sought out opportunities to promote its 
use within the sector by mapping existing compliance 
requirements so firms can see where they could not only enhance 
risk management, but compliance as well.
    The industry also looks to the government to help identify 
uniform standards, promote accountability across the entire 
critical infrastructure, and provide access to the essential 
information. SIFMA urges policymakers to consider how best to 
incorporate the principles into the respective regulatory 
initiatives. Importantly, regulators should coordinate their 
efforts to ensure harmonization.
    SIFMA assembled a working group to develop a diagnostic on 
the U.S. equity and treasury markets to determine the sector's 
resiliency during the attack. After mapping process flows 
within these markets, a workshop was held during which a set of 
10 diverse cyber risk scenarios were applied to the markets, 
and a number of potential vulnerabilities were identified.
    These results are being addressed via a number of public 
and private internal working groups. As a result of this 
exercise, we have undertaken efforts with the accounting 
industry and the American Institute of CPAs (AICPA) to develop 
a third-party vendor risk audit standard, referred to as SOC 2, 
that should provide increased transparency and accountability 
with third party vendors.
    Building off of the lessons learned from the SIFMA-
sponsored cyber exercise ``Quantum Dawn 2'' in 2013, and from 
our experience in Superstorm Sandy, SIFMA continues to revise 
the industry's playbook for responding to a cyber attack which 
could result in market closures. On a continuing basis, we are 
working with stakeholders including exchanges, clearinghouses, 
and regulators to ensure the current state of readiness.
    Our dialogue with the FSSCC and with our partners in 
government has evolved into a joint exercise program of 
quarterly tabletop exercises and other large-scale simulations 
to test industry preparedness and response. Additionally, we 
have made substantial progress in developing an improved 
process to request technical assistance from the Federal 
Government in the midst of a cyber attack. This pre-positioning 
will help reduce the time it takes to engage the relevant 
civilian and law enforcement agencies to assist firms.
    SIFMA and its member firms have spent considerable time and 
energy to improve cyber threat information-sharing both within 
our sector and with our government partners. And at a high 
level, there has been increased collaboration and communication 
between the government and the financial services industry.
    Importantly, we are endeavoring to continue this 
collaboration on a regular basis, again to ensure a current 
state of readiness. There is room for further improvement. 
However, I would like to flag three recommendations for this 
committee's consideration.
    First, our industry needs clarity on which government 
authority is responsible for each specific aspect of 
cybersecurity.
    Second, the financial services sector would benefit from 
higher quality and more frequent classified briefings.
    And third, we need Congress to get a cybersecurity 
information-sharing bill to the President before the next 
crisis, not after.
    Neither the industry nor the government can prevent or 
prepare for cyber threats on their own. SIFMA has brought 
together experts from across the public and private sectors to 
better understand the risks involved in a cyber attack and to 
develop best practices to be prepared to thwart an attack, but 
to be effective, we must work closely with the Federal 
Government to strengthen our partnership, and protect our 
economy and the millions of Americans who place their 
confidence and trust in the financial markets each and every 
day.
    Thank you.
    [The prepared statement of Mr. Bentsen can be found on page 
40 of the appendix.]
    Chairman Neugebauer. I thank the gentleman.
    Now, Mr. Garcia, you are recognized for 5 minutes.

 STATEMENT OF GREGORY T. GARCIA, EXECUTIVE DIRECTOR, FINANCIAL 
          SERVICES SECTOR COORDINATING COUNCIL (FSSCC)

    Mr. Garcia. Thank you, Chairman Neugebauer, Ranking Member 
Clay, and members of the subcommittee for the opportunity to 
testify today.
    I am the executive director of the Financial Services 
Sector Coordinating Council, or FSSCC, which was established in 
2002. FSSCC involves 66 of the largest financial firms and 
their industry associations. I am also pleased to be able to 
share the witness table today with the FSSCC chairman, Mr. 
Russell Fitzgibbons.
    Today I will discuss how we are organized under regulatory 
and partnership frameworks to manage the cyber risks and 
threats that are faced by the financial sector.
    The financial sector operates over a network of information 
and communications technology platforms, making cybersecurity 
of paramount importance to the sector. A successful 
cybersecurity or physical attack on these systems could have 
significant impacts on the global economy and the Nation.
    For example, malicious cyber actors vary considerably in 
terms of motivation and capability, from nation-states 
conducting corporate espionage to sophisticated cyber criminal 
groups stealing money, to ``hacktivists'' intent on making 
political statements. Many cybersecurity incidents, regardless 
of their original motive, have the potential to disrupt 
critical systems, even inadvertently.
    Thus, the FSSCC's mission is to strengthen the financial 
sector's resilience against attacks and other threats. We work 
with the Treasury Department, law enforcement, the Department 
of Homeland Security, the intelligence community, and 
regulators toward four main objectives.
    First, identify threats through robust information-sharing.
    Second, promote protection and preparedness through best 
practices.
    Third, coordinate incident response through joint 
exercises.
    And fourth, consider how the policy environment can promote 
the above activities.
    In practice, these objectives have yielded numerous 
accomplishments for the benefit of the sector and the economy 
over the past 10 years.
    For example, just to list a few recent examples, we are 
improving information-sharing content and procedures between 
government and the sector. We have developed and we maintain an 
all-hazards crisis response playbook and a cyber response 
coordination guide that lead our incident responders and our 
executive decision-makers through decision and action 
procedures during an incident.
    Also, we are conducting joint exercises affecting different 
segments of the financial system. As Mr. Bentsen alluded to, we 
maintain a physical presence in the Department of Homeland 
Security's National Cybersecurity and Communications 
Integration Center, or NCCIC. This serves as a hub for sharing 
information related to cybersecurity and communications 
incidents across sectors.
    Our representative there is cleared at the Top Secret/SCI 
level. Relatedly, we have worked closely with government 
partners to obtain security clearances for key financial 
services sector personnel. These clearances have been used to 
brief the sector on new information security threats and have 
permitted the exchange of timely and actionable information. We 
develop best practices involving third-party risks, supply 
chain, and cyber insurance strategies, among many others.
    To go on, we have developed research and development 
priorities to improve the tools for protection resilience. We 
are engaging with other critical sectors and international 
partners to understand and leverage our interdependencies such 
as communications and electricity.
    We have created a financial sector-owned, operated, and 
governed .bank and .insurance top-level Internet domains. When 
the Internet-governing authority expanded the number of the so-
called top-level domains beyond .com, .gov, .org, .edu, et 
cetera, they expanded them to hundreds of different names, but 
we established the .bank and .insurance domains on our own to 
ensure that we have security standards to protect our system 
from fraud and cyber attack. This includes imposing eligibility 
requirements, verification, name selection standards, and other 
security-focused technical requirements.
    Our operational arm, the Financial Services Information 
Sharing and Analysis Center, or FS-ISAC, has developed a 
technical tool called Soltra Edge that automates threat sharing 
and analysis and speeds the time to decision and mitigation 
from days to hours and minutes.
    Finally, a word about regulation. Mr. Chairman, the 
financial sector is often credited for having developed a 
mature cybersecurity risk management posture. This is due in 
part to the fact that financial services is a heavily regulated 
industry, but it is also because our business models, consumer 
confidence, and the stability of the financial system are 
dependent upon a secure and resilient infrastructure. We really 
can't afford to be complacent.
    The financial sector supports the need for regulatory 
guidance on effective standards of practice for cyber risk 
management, but as the regulatory agencies are independent, 
there is not sufficient coordination among them in our 
experience. One institution may face multiple and differing 
sets of examination questions about the same security controls 
depending on which regulator is doing the assessment.
    We would urge more uniformity among the regulatory agencies 
in their examination procedures. This process could be more 
efficient so that financial firms can focus more on securing 
our infrastructure and less on answering multiple 
questionnaires in different ways. We need to ensure we are all 
aligned with unity of effort toward a common objective: 
financial services security and resiliency.
    Mr. Chairman, that concludes my testimony. I will be happy 
to answer any questions.
    [The prepared statement of Mr. Garcia can be found on page 
54 of the appendix.]
    Chairman Neugebauer. I thank the gentleman.
    Mr. Nichols, you are now recognized for 5 minutes.

 STATEMENT OF ROBERT S. NICHOLS, PRESIDENT AND CHIEF EXECUTIVE 
               OFFICER, FINANCIAL SERVICES FORUM

    Mr. Nichols. Thank you, Mr. Chairman, Ranking Member Clay, 
and members of the subcommittee for the opportunity to 
participate in today's hearing on the threat posed by cyber 
attacks to our financial system.
    As you mentioned, I am here as the CEO of the Financial 
Services Forum, which is a financial and economic policy 
organization comprised of the CEOs of 18 of the largest and 
most diversified financial institutions doing business here in 
the United States.
    Your hearing is both enormously important and remarkably 
timely. In recent years, cyber attacks have grown rapidly, both 
in number and level of sophistication. According to Symantec 
Corporation, a leading information and Internet security firm, 
cyber attacks around the world have soared 91 percent in 2013 
alone.
    Just last week, the Depository Trust & Clearing 
Corporation, a New York-based securities settlement and 
clearing firm, released its Systemic Risk Barometer for the 
first quarter of 2015, based on a survey of financial market 
participants. Asked to identify the top risks to the financial 
system, respondents cited cyber attacks. Indeed, nearly half of 
the respondents, 46 percent, cited cybersecurity as their top 
concern, with respondents specifically noting the growth in the 
frequency and sophistication of cyber attacks.
    Effectively defending against the mounting threat of cyber 
attacks requires resources, technical sophistication, and 
cooperation among financial institutions and between the 
financial industry, other critical infrastructure sectors, and 
the relevant government agencies. Large financial institutions 
are working hard to deliver every day on each of those critical 
fronts.
    With regard to resources and technical expertise, large 
financial institutions remain at the cutting edge of cyber 
protection and are regarded by most experts--both in the public 
sector and the private sector--as having developed and deployed 
some of the most sophisticated and effective defenses against 
cyber attacks in the corporate world.
    With regard to industry cooperation and coordination, 
cybersecurity in the financial sector is a team effort--because 
it has to be. To be successful, the industry must invest in, 
and operate within, a single unified cybersecurity culture.
    In particular, large financial institutions are investing 
in ever-more robust and automated systems of threat analysis 
and sharing. Automated threat analysis enables the quick and 
reliable detection and diagnosis of threats. And automated 
sharing enables the swift dissemination of clear and precise 
threat information across the financial system. In a very real 
sense, large financial institutions serve, as one could say, as 
the forward guard of America's cyber defenses.
    Cooperation between industry and government is vital if the 
battle against mounting cyber threats is to be won. To 
encourage better cyber threat information-sharing within the 
financial sector and between industry and government, 
legislation providing sensible ``Good Samaritan'' protections 
is needed.
    Such legislation should facilitate real-time cyber threat 
information-sharing to enable financial institutions and 
government to act quickly; provide liability protection for 
good faith cyber threat information-sharing; provide targeted 
protections from public disclosures, such as exemptions from 
certain Freedom of Information Act requests; facilitate 
appropriate declassification of pertinent government-generated 
cyber threat information and expedite issuance of clearances to 
selected and approved industry executives; and lastly, include 
appropriate levels of privacy protections.
    With these needs in mind, the bill passed by the House on 
April 22nd, which, of course, you supported, Mr. Chairman, is a 
major and important step forward, and will greatly facilitate 
industry's cooperation with government. We hope the Senate will 
soon take up its information-sharing proposal to continue 
progress on this important issue. We would urge swift movement 
and passage on that important legislation.
    On behalf of the Forum and its members, I commend you for 
drawing attention to this issue and this effort. We look 
forward to working with you in the days ahead.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Nichols can be found on page 
68 of the appendix.]
    Chairman Neugebauer. I thank the gentleman.
    Mr. Fitzgibbons, you are now recognized for 5 minutes.

STATEMENT OF RUSSELL FITZGIBBONS, EXECUTIVE VICE PRESIDENT AND 
 CHIEF RISK OFFICER, THE CLEARING HOUSE PAYMENTS COMPANY L.L.C.

    Mr. Fitzgibbons. Thank you, Chairman Neugebauer, Ranking 
Member Clay, and members of the subcommittee. My name is Russ 
Fitzgibbons, and I am the executive vice president and chief 
risk officer of The Clearing House Payments Company.
    As the chief risk officer, I am responsible for enterprise 
risk management, information security, and business continuity. 
I also serve, as referenced by Mr. Garcia, as the current Chair 
of the Financial Services Sector Coordinating Council. I 
appreciate the opportunity to appear before you today to 
discuss issues that are critical to all Americans--the 
protection of our payment systems against cyber threats.
    The Clearing House is the Nation's oldest banking 
association and payments company, founded in 1853, and 
currently owned by 26 banks. We provide payment, clearing, and 
settlement services to our owner banks and other financial 
institutions, clearing and settling nearly $2 trillion daily. 
The Clearing House also engages in payments technology and 
payments systems security advocacy.
    The Clearing House operates the Clearing House Interbank 
Payments System, commonly referred to as CHIPS, and we are a 
leading participant in the Automated Clearing House, referred 
to as ACH, network. We are the only private-sector ACH operator 
in the country, processing approximately 50 percent of all 
commercial ACH volume in the United States through our 
networks.
    CHIPS is the largest private-sector US-dollar funds 
transfer system in the world, clearing and settling an average 
of $1.5 trillion in payments--both domestic and cross-border--
daily.
    Because of the volume and importance of the financial 
transactions enabled by The Clearing House's systems, robust 
protection of these systems from cyber threats is essential. 
Those threats have become more frequent and more sophisticated 
in recent years. The criminal organizations and other groups 
launching these threats are constantly innovating, and we need 
to be at least as agile as they are in defending ourselves.
    I would like to discuss some of the ways in which The 
Clearing House works both on its own and frequently in 
collaboration with other financial services firms to defend 
itself and its institutional customers against cyber threats.
    First, like others in our sector, The Clearing House is 
subject to special legal and regulatory requirements such as 
those promulgated by the Federal financial regulatory agencies 
of the Federal Financial Institutions Examination Council, the 
FFIEC. The Clearing House's data security practices are subject 
to regular examination and supervision through the FFIEC's 
Multi-Regional Data Processing Servicers Program, referenced as 
MDPS.
    Second, we are constantly innovating. One example of 
innovation for improved cyber defense is a new platform of The 
Clearing House which replaces account numbers with randomly 
generated temporary numbers during processing. With Secure 
Token Exchange, the customer's actual account information 
remains behind bank firewalls while preserving the current 
customer experience.
    Third, we engage in training and exercises through 
simulations that put our cyber defense processes to the test 
and identify areas for improvement.
    Finally, we engage in extensive information-sharing by 
actively engaging with the FS-ISAC, its member organizations, 
and our government partners. Truly effective cybersecurity will 
also require increased efforts by the Federal Government to 
defend the financial sector against threats often originating 
overseas, and above all, more effective collaboration between 
the private sector and the government.
    My written statement details some of the additional 
components of our information-sharing efforts. However, I would 
like to mention a couple of them.
    Through FS-ISAC and the Depository Trust & Clearing 
Corporation, the sector recently deployed a more effective 
platform for real-time automated sharing of cyber threat 
information called Soltra Edge. Utilization and integration of 
Soltra Edge across the sector's infrastructure is expected to 
scale significantly over the next few years.
    We also coordinate closely with the National Infrastructure 
Coordinating Center, the Department of Homeland Security's 
Operation Center that maintains awareness of critical 
infrastructure for the Federal Government. We participate 
actively in the Financial Services Sector Coordinating Council, 
and we also work closely with the Treasury Department's office 
for critical infrastructure protection and compliance, and its 
cyber intelligence group.
    While the financial services sector has made considerable 
strides in its sharing with the sector and with our government 
partners, there are still areas for improvement. Companies in 
the financial sector share information quite extensively with 
the government. We have lots of opportunity to improve our 
ability to support our cyber first responders, defend critical 
infrastructure, and protect our stakeholders.
    To that end, the Administration has issued two Executive 
Orders designed to improve sharing from the government to the 
private sector, and there have been resulting improvements. But 
we think more work could be done with the analysis of threat 
information, and government agencies need to continue to 
increase prioritization and allocation of resources for 
declassification of information that pertains to network 
defense.
    I would also add that we believe Congress has an important 
role to play in promoting greater and more effective 
cybersecurity information-sharing. We support two bills that 
have passed the House, and we support the information-sharing 
legislation that is moving through the Senate. And we would 
urge you to move as quickly as possible to get those bills to 
the President's desk.
    Thank you again for the opportunity to testify, and I look 
forward to your questions.
    [The prepared statement of Mr. Fitzgibbons can be found on 
page 47 of the appendix.]
    Chairman Neugebauer. I thank the gentleman. And Mr. Healey, 
you are recognized for 5 minutes.

 STATEMENT OF JASON HEALEY, SENIOR FELLOW, THE ATLANTIC COUNCIL

    Mr. Healey. Chairman Neugebauer, Ranking Member Clay, and 
distinguished members of the subcommittee, thank you for the 
honor of testifying today.
    Over the past nearly 20 years, I have been involved in 
cyber operations and policy in the military and intelligence 
community, the White House, and the finance sector. Now, with 
Columbia University's SIPA and the Atlantic Council think tank, 
I may be less involved in the day-to-day cyber tumult than my 
colleagues, but with a bit more freedom to analyze what might 
be next. Therefore, in the interest of time, I will agree with 
the strength of the sector that my colleagues have already 
mentioned in order to look ahead.
    Last year we published the first history of cyber conflict 
of how states have really, over the past 25 years, fought in 
cyberspace. One of the key lessons is that it may be easy to 
disrupt a target using the Internet but it is far more 
difficult to keep it down over time in the face of determined 
defenses. And as we saw after the attacks of September 11th, 
the finance sector can be extremely determined.
    Therefore, looking forward, I believe the committee need 
not be overly concerned about a James Bond-style large-scale 
disruptive attack taking down the sector. This should not mean 
that we should rest on our successes to date.
    In fact, I am deeply worried that the finance sector will 
get caught up in what I believe is the Internet's most 
dangerous moment. If nuclear talks with Iran collapsed, there 
might be a rapid spike in truly disruptive attacks by a 
dangerous cyber adversary who has already struck at U.S. 
financial targets. Worse, President Putin of Russia may 
likewise feel that with his own economic back against the wall, 
it is time to retaliate with some just deniable enough little 
green bytes. Facing potentially existential regime threats, 
Iran and Russia may see little downside to digitally lashing 
out against a global financial system in which they have few 
remaining stakes.
    As an example of what we might expect, while a next 
generation Sony-style attack would not take down the sector as 
a whole, it might seriously disrupt a systemically important 
financial institution so that it could not clear or settle 
within--by the end of the day. These dangers require immediate 
contingency planning and can--including exercises such as those 
my colleagues have talked about within the sector and with the 
regulators and other Federal and international partners.
    On the government side, the Executive Branch could do a 
better job of leading from the front and sharing protection and 
restraint.
    The government berates companies to share information, but 
despite recent gains, it keeps too much information classified 
or stuck behind bureaucratic barriers. It may need some added 
push from committees like yours, which oversees the sectors 
which so desperately need that stuck information.
    Likewise, as someone who has proudly worked in both the 
public and private sectors, it is frustrating to hear 
bureaucrats or even directors of NSA complain that companies 
miss standards even in the face of their own Federal 
Information Security Management Act (FISMA) scores. And even 
though it should be in the long-term interest of the United 
States that financial infrastructures should be off-limits to 
cyber attacks, the Department of Defense has not yet made clear 
statements to create that norm.
    In conclusion, this subcommittee might also usefully push 
the Executive Branch to think of a broader set of possible 
responses to give the finance sector more staying power in the 
event of a sustained conflict such as against Russia or China.
    When I was working finance sector-wide events with the FS-
ISAC, our responses could have been far more successful not 
with DOD suppressing fire or cyber ninjas, but with solid 
officers and NCOs ready to roll up their sleeves to help corral 
the countless details of a major response. In the face of 
nation-state cyber threats, we would not want the sector to 
stumble simply for the lack of a few MOUs in place beforehand 
for more flexible partnerships.
    And if you remember, the FS-ISAC would likely never have 
been as strong as it is today, if it had not been recapitalized 
12 years ago by a grant from Treasury, with the proviso that it 
would provide service to all regulated American financial 
institutions, not just those who paid a membership fee. It may 
be the time for additional innovation using grants, perhaps not 
directly to the sector anymore, but to the countless other non-
stake groups who help defend this Nation's critical 
infrastructure.
    Thank you for your time.
    [The prepared statement of Mr. Healey can be found on page 
62 of the appendix.]
    Chairman Neugebauer. I thank the gentleman. The Chair now 
recognizes himself for 5 minutes for questions.
    Mr. Garcia and Mr. Fitzgibbons, in your testimony you 
talked about Soltra Edge, and I was kind of intrigued by that 
process. Evidently, that is an electronic detection and 
notification software, I assume. I am interested in how that 
database is updated, and then what is the distribution once a 
detection is made? Obviously, it is meant to be an information-
sharing tool, so what is the dissemination process on that?
    Mr. Fitzgibbons. Sure. So I will start, great. The benefit 
of Soltra Edge actually recognizes the fact that while it is 
widely accepted that information-sharing is the right thing to 
do, sharing that information when done effectively creates a 
ton of information--extraordinary amounts of information. And 
what was recognized is that the recipients, through the FS-
ISAC, for example, who would get this--these threat indicators, 
it was a lot of work to try and get it into their systems and 
so forth.
    We recognized that to really be effective, we needed to 
automate that stream, and we needed to create a machine-
readable language. We needed to create standards by which that 
information would actually transit from the FS-ISAC onto or 
through the Soltra system onto the various firms that 
participate.
    So what actually happens is that all the members who have 
come across threat indicators will put them into the system 
using the appropriate standards and so forth. And then by 
joining that system and participating in it, you will be the 
recipient of that information so you can protect yourselves 
using information that the whole community has actually 
uncovered about threats that are actually emanating. And then 
you can update your detection systems automatically, and that 
is really the benefit of it all, to take this opportunity to 
take something that is created by many and then share it out to 
everyone else quickly and effectively in a machine-readable 
form that can be updated to systems.
    Chairman Neugebauer. Mr. Garcia, do you want to elaborate 
on that?
    Mr. Garcia. Yes. Mr. Fitzgibbons is exactly right. It is a 
fact that machine-to-machine information-sharing enables faster 
response times and better, more uniform analysis of the 
threats, making sense of what we are seeing. And I think we 
credit that a lot to a standard developed by the Department of 
Homeland Security, they are called STIX and TAXII. I won't go 
into the acronym. But one of them describes a common 
nomenclature, a common language, a dictionary for how we refer 
to threats and all of the various characteristics of those 
threats. And the other one is a common communications platform 
so that everybody can use this. So this is taxpayer dollars 
well spent.
    It is a standard and open specification that is available 
to all sectors. And the financial sector has overlaid on top of 
those standards a software program that enables us to share 
among ourselves, and if we so choose, with other sectors as 
well.
    Chairman Neugebauer. Thank you.
    Mr. Bentsen, I think you mentioned in your testimony that 
over the last several years, you have held cyber attack 
simulations to kind of, I guess, prepare for what if, and how 
to respond. Can you tell us some of the benefits that have come 
out of hosting those simulations?
    Mr. Bentsen. Yes, Mr. Chairman, a couple of things. Over 
the years, we have run a couple of simulations, Quantum Dawn 1, 
and Quantum Dawn 2, which was most recently in 2013. We will be 
doing a Quantum Dawn 3 in the third quarter of this year.
    The Quantum Dawn 2 exercise, and then some subsequent 
tabletop exercises that we have done with our government 
partners as well as our partners at this table, allow us to 
iteratively grow our capabilities to respond to identify gaps 
in whether it is information-sharing, coordination, whether we 
have the right parties involved. In the case of Quantum Dawn 2, 
which was a simulated attack on the U.S. equity markets and 
multi-pronged simulated attack on the U.S. equity markets, the 
outtakes from that were that we needed more engagement from our 
exchange partners and that we needed a better coordination 
mechanism going into a situation recovery that was talked about 
here as well.
    So our view is that these exercises are good not just on a 
one-off basis but on an ongoing basis. And one of the things 
that we have talked with our government partners about is to 
continue both these large simulations and tabletop exercises on 
a regular basis so we maintain a state of readiness and we 
don't atrophy in the process.
    Chairman Neugebauer. And do you generate a deliverable then 
that is shared across the industry and with all the 
participants--
    Mr. Bentsen. What we did in the case of Quantum Dawn 2, is 
we used that as well as our experience coming out of Superstorm 
Sandy, which did result in a closing of the equity and fixed 
income markets to improve our playbook with the exchanges with 
the regulators, with the industry partners, and those involved 
in it.
    Likewise in the tabletops, we are trying to come out with 
deliverables both for the industry and for the government.
    Chairman Neugebauer. I thank you.
    And now the gentleman from Missouri, the ranking member of 
the subcommittee, Mr. Clay, is recognized--
    Mr. Clay. Thank you so much, Mr. Chairman.
    Chairman Neugebauer. --for 5 minutes.
    Mr. Clay. Let me start with Mr. Healey. Given the level of 
sophistication of cyber attacks from China, in particular, is 
it reasonable to expect that financial institutions will be 
successful in stopping them?
    Mr. Healey. We have been learning over time that a 
determined offense will almost always get through. This is not 
a recent trend; we have seen quotes that go back to the 1970's 
that essentially say the bad guys are going to get through if 
they want to. So the best, I think, any company, any 
organization can do is to not just try to keep them out, but to 
do what the financial--I think it has been pretty good at, at 
least at the main institutions, is presumption of breach.
    Assume that there is already a heist going on, that you 
have a sophisticated set of diamond thieves who are already 
inside the bank, and then how do you find those sophisticated 
diamond thieves when they are inside? I suspect JPMorgan Chase 
would not have discovered an intrusion if they hadn't been 
using this presumption of breach.
    But this is still difficult. It is tough even for the big 
institutions to do, so I am worried about how the small and 
medium-sized financial institutions are going to try to catch 
up.
    Mr. Clay. Anyone else? Mr. Fitzgibbons?
    Mr. Fitzgibbons. One of the things I would mention--I agree 
very much with Mr. Healey, but one of the things that is really 
a benefit of--gets to the small and medium institutions of an 
institution such as FS-ISAC that it does take advantage of the 
resources, the experiences, and so forth of a firm such as, I 
heard reference to JPMorgan.
    When you go into the ISAC, that is where those threat 
indicators are shared. And then when you go into some of the 
other forums where tactics and techniques are discussed, as well 
so using a forum such as the ISAC, actually allows us to take 
those lessons learned and those resources available at some of 
the larger firms and get it out to the smaller and the medium 
banks and so forth.
    And that is why the partnership with a membership in the 
ISAC is so important and why we have seen it growing as well; 
everybody is trying to avail themselves of that.
    Mr. Clay. Mr. Bentsen?
    Mr. Bentsen. Mr. Clay, I would add two things to that. 
First, following up on Russ' comments, expanding the membership 
of the ISAC is critically important. And what we and others 
have tried to do is one, to get all of our members to 
participate in it, to encourage our regulators--FINRA, SEC, and 
others--to encourage to the extent they can that all of their 
regulated entities are participating in the ISAC.
    Two, to develop standards across the sector that aren't 
just for the larger institutions who may have more 
capabilities, but for all members because they are all linked 
together. They are all trading together.
    The other thing--the point I would make is, I don't think 
we can stand up here and say that we can create an impregnable 
defense that will keep all attacks out. And I don't think you 
have been saying that. We certainly need to try and have the 
most established firewalls, but the key is also to be prepared 
to recover when there is an attack, and that takes a tremendous 
amount of work as well.
    Mr. Clay. Can any other panelist give me a sense of the 
scope and nature of the types of cyber attacks that we are 
seeing from China, Russia, North Korea, and Iran?
    Mr. Healey, any sense of--
    Mr. Healey. Yes.
    Mr. Clay. --the scope of the attacks?
    Mr. Healey. Yes, sir. Certainly, what we have seen--the 
Verizon data breach investigations report, which was already 
brought up, does a good job of seeing the kinds of attacks that 
have been hitting the finance sector as a whole. The larger set 
of attacks hitting the finance sector has been point-of-sale 
and other kind of similar attacks are those that go like 
phishing emails after Web sites.
    What is surprisingly small for the finance sector has been 
inside abuse, which has been only about 7 percent of the total, 
and also espionage, which again we tend to associate with 
China, has only been about 1 percent. So really, cyber 
espionage hasn't been the scourge for finance as it has for 
some of the other sectors.
    Russia, Eastern European hackers, because they dominated a 
lot of that criminal market has been I think a lot more 
significant than North Korea or China. Again, we saw Iran very 
significantly 2, 3 years ago and we may see them again.
    Mr. Clay. Mr. Fitzgibbons?
    Mr. Fitzgibbons. One thing I would add is there is an 
important point here, and that is really regardless of the 
threat, and those threats that you have referenced are 
certainly recognized, the defenses against it often are very, 
very similar. And they come down to some very, very basic 
fundamentals.
    Mr. Healey referenced phishing attacks and so forth. That 
still is probably the single-most prevalent form of attack 
against institutions. So regardless of where that attack is 
emanating from--the training, the education, and the discipline 
around infrastructure and security, et cetera is really the 
best way to ensure that regardless of the threats that we are 
protecting ourselves to the greatest extent.
    Mr. Clay. Thank you so much. Mr. Chairman, I yield back.
    Chairman Neugebauer. I thank the gentleman. We will now 
recess. We have four two-vote series. I encourage all Members 
to return as quickly as you can, and we will get started as 
soon as we get back.
    With that, this hearing is recessed, subject to the call of 
the Chair.
    [recess]
    Chairman Neugebauer. The committee will come back to order. 
And I now want to recognize the gentleman from New Mexico, the 
ranking member and past Chair of the subcommittee, Mr. Pearce, 
for 5 minutes.
    Mr. Pearce. Thank you, Mr. Chairman. I am trying to re-
register. Maybe I will stay where I am at.
    So, Mr. Fitzgibbons, Mr. Healey said that looking ahead, we 
need not be overly concerned with large-scale attacks that 
might seriously disrupt the economy. Is that something you 
would agree with?
    Mr. Fitzgibbons. I would agree to a point, okay. I think 
when you look at the nature of the attacks and what is possible 
and what is potential, we tend to look at things as what is 
going to be the extreme, what is the worst, worst possible 
scenario.
    So while I might agree, kind of conceptually or 
theoretically, that that is maybe not likely, you have to 
prepare regardless. So when we are actually doing our analysis 
and also with our regulatory authorities, they are actually 
asking us, how would you recover from that extreme event they 
referred to as extreme yet plausible. So while I agree with the 
concept, we prepare for the catastrophic attack.
    Mr. Pearce. Mr. Bentsen, you also said that transparency 
and regulations--the regulations should move towards 
transparency, is that more or less it? Is that something you 
would also agree with?
    Mr. Bentsen. I think transparency and harmonization--I 
think some of the other panelists mentioned this beforehand. I 
have members who are bank-affiliated broker-dealers and futures 
commission merchants, so they are regulated by three prudential 
regulators as well as the SEC, the CFTC, FINRA, and the 
National Futures Association. All of these agencies 
appropriately are looking at guidance and regulation with 
respect to--an inspection with respect to cyber defenses in the 
firms. And we believe there should be harmonization across 
those agencies.
    Mr. Pearce. Now, as I listen, as you can tell, I don't have 
a Ph.D. in cyber warfare, but it seems like we are mostly on 
defense and cyber warfare. In other words, we are like goalies 
on a dart team trying to catch the dart before it sticks in the 
board behind us. Do we ever have any offense like when they get 
into our systems? Do we have malware that is waiting for them 
to greet them and go into their systems and start?
    Mr. Garcia?
    Mr. Garcia. No, sir. That is illegal. Offense from the 
private sector side is not a legal thing to do. So that is the 
purview of the department.
    Mr. Pearce. Do we prosecute people? Do we--
    Mr. Garcia. Prosecute, yes. As they are--we work closely--
    Mr. Pearce. How many--
    Mr. Garcia. --with law enforcement.
    Mr. Pearce. In a given year, the prosecutions might be what 
percent of the people who are trying to get into our systems?
    Mr. Garcia. Good question. I don't have that figure.
    Mr. Pearce. Anybody? Mr. Healey?
    Mr. Healey. On the earlier question and shooting back, this 
is something that the Department of Defense has taken very 
seriously. And now they have a national mission for us at U.S. 
Cyber Command that is there looking into what they say, red 
space, looking at the United States' main adversaries. And if 
there were a large-scale attack on the United States of the 
kind I talked about, U.S. Cyber Command would be there to try 
and disrupt the incoming attacks on the finance sector.
    Mr. Pearce. Okay. And you feel like that has validity 
because in your closing statement you said that really you 
weren't looking for the military ninjas or something like that, 
cyber ninjas. And so you would feel like that offensive 
capability has some validity?
    Mr. Healey. Yes, I am very pleased. It is there. I think if 
we were able to get more response in place and think more 
broadly, we might be able to get to fix the sector before it 
reaches the point that the Department of Defense needs to shoot 
back and potentially escalate the crisis.
    Mr. Pearce. Okay. So if we look back to the question of 
prosecution, do any of you know what the penalties are? In 
other words, are they sufficient to keep people from trying? 
Does it sound like we are too active in prosecuting people who 
carry out cyber warfare? Is that correct?
    Mr. Garcia. I think there is a bit of feeling that law 
enforcement could always use more resources and higher 
penalties so that they can really go after the cyber criminals.
    I would also suggest though that there are other innovative 
ways of using existing law. In the past, the financial sector 
has partnered with companies like Microsoft. And as Microsoft 
sees everything that is happening on its platforms, the Hotmail 
and Windows, et cetera, they can see where some of these 
networks of cyber criminals are operating and how they are 
attacking financial institutions and together--
    Mr. Pearce. Okay. I need to get on another question. We are 
running out of time. They all are staring at me. The concept 
of--James Rickards in his book talks about how in 2009 the 
Pentagon sponsored a fairly significant cyber warfare on our 
financial institutions using stocks, derivatives, currencies. 
Is that--Mr. Healey, was that a process that was beneficial and 
is it still ongoing? Do you know?
    Mr. Healey. I'm sorry. The 2009--
    Mr. Pearce. Yes, it was just the Pentagon sponsored a 
really significant mock warfare in the cyber theater.
    Mr. Healey. Yes. Those kinds of exercises, I think, have 
been very interesting in getting some lessons that have fit in. 
But again, I think we often go to those extreme cases, which I 
think are less likely--are going to be--
    Mr. Pearce. --a small amount.
    Thanks. I yield back.
    Chairman Neugebauer. I thank the gentleman. And now the 
gentleman from Massachusetts, Mr. Lynch, is recognized for 5 
minutes.
    Mr. Lynch. Thank you, Mr. Chairman. And I want to thank the 
witnesses for your help today.
    I have my doubts about how well-prepared we are. Back in 
2010 we had the flash crash, of course, and the market 
plummeted 600 points in a couple of minutes and then it came 
right back up. And we did a full study, the CFTC and the SEC, 
and they told us it was a firm here in the United States, and 
it was a result of certain trading patterns from that firm.
    And then last month, so that was the story they had been 
giving the Financial Services Committee for the past 4 years. 
And then they did a further analysis in April of this year. 
They came out and said that was all wrong. It was actually a 
fellow named Sarao, a U.K. trader, who was spoofing and doing 
thousands and thousands of trades. So we had this whole 
narrative of 4 years about what they found was the problem with 
the system, and it was all hogwash. And finally 4 years later 
we find out--we think we find out what the real story is.
    So I am just very skeptical that we have a good and strong 
assessment about the weaknesses in our financial services 
electronic trading and commerce in general.
    Am I wrong in being suspect of the handle that at least the 
CFTC and the SEC have on all of this?
    Mr. Healey?
    Mr. Healey. To some degree, I certainly agree with you. The 
system has become so complex that it is difficult for anyone to 
try and understand it. At least when we had--just trying to 
understand financial risk prior to 2008, we had risk modelers, 
we had VaR, we had all sorts of tools and people whose 
responsibility it was to track this complexity and figure out 
who was holding the risk at the end of the day.
    I am worried that on cyber risk, not just in the finance 
sector, the system has gotten so complex that we can't model 
what we know who is ultimately holding the risk at the end of 
the day. And I think the sector has started to get their arms 
around this by looking at vendor management, active contact 
management to figure out not just how is the security at a 
single bank, but how is the security of their supply chain and 
those they depend on.
    So we are starting to get our arms around it as a sector--
    Mr. Lynch. Yes.
    Mr. Healey. --but I think it is very difficult.
    Mr. Lynch. Yes. I actually want to compliment the Chair of 
this subcommittee and the Chair of the full Financial Services 
Committee. We have been calling for these hearings just to look 
at cybersecurity for a little while, and they have been very 
responsive. This is the second hearing we have had in a couple 
of weeks.
    Is there--I do want to talk about the financial services 
part of this, though. That is the one that we are principally 
involved in. And is there a moral hazard in the way we are 
handling this? Have we incentivized companies, especially 
JPMorgan Chase and others who have the reputational risk if 
their system is compromised?
    Have we really--it seems like, with the Target hack and 
JPMorgan and others where you have had social security numbers 
compromised widely, there hasn't been a lot of downside for 
them other than the fact that some of their investors are 
probably worried about their personal information?
    Mr. Bentsen?
    Mr. Bentsen. I would say two things about that, Mr. Lynch. 
Number one, every time those firms have a situation with 
information being stolen or we don't represent the consumer 
side of the business, but credit card numbers being stolen, it 
is those firms that underwrite the cost of doing that. So I 
think that if you look at the cost to the firms that they were 
having to absorb, and that is--and it is the right thing to do 
for the benefit of maintaining the confidence of their 
customers.
    A second point I would make--and I take your point about 
the flash crash. And as you know, the regulators are in the 
process of putting in a consolidated audit trail, which the 
industry will pay for ultimately. It would be a mistake if the 
industry wasn't doing what it is doing right now and has been 
doing to map out what is going on to look and see where the 
vulnerabilities are, to look and see where the risks are with 
third party vendors across the spectrum.
    And so, we may not be there yet, but I think you have to 
take stock of what is being done right now.
    Mr. Lynch. Okay. Thank you.
    Mr. Nichols. I would add to--echo Mr. Bentsen's point about 
restoring trust with the consumer, it is a critically important 
thing and financial institution can operate without it, of 
course. But I would say to your point, it is extremely 
challenging.
    The institutions have to be right all the time.
    Mr. Lynch. Yes.
    Mr. Nichols. The bad actors can only be right once.
    Mr. Lynch. Yes.
    Mr. Nichols. But I will say that all the institutions have 
made cyber defense a number one public policy priority.
    Mr. Lynch. Okay. My time has expired. I yield back.
    Thank you, Mr. Chairman.
    Chairman Neugebauer. I thank the gentleman.
    And the gentleman from Oklahoma, Mr. Lucas, is recognized 
for 5 minutes.
    Mr. Lucas. Thank you, Mr. Chairman.
    Listening to you--to the panel, I suppose the one 
observation I would offer up is that in the nature of criminal 
activity, the desire of the criminal, of course, is to bleed 
the process, but not to kill the patient--to be able to return 
and bleed the patient again. Cyber activity that is 
nationalistic in nature, my phrase, clearly is out to inflict 
economic damage, to kill the patient.
    So in the spirit of that, take me back to the fundamental 
rudimentary issues here. Describe for me how these kinds of 
attacks unfold in the fashion we are seeing now. And I don't 
care which member of the panel discusses it--how these cyber 
attacks unfold on financial institutions from the perspective 
of criminal activity or the perspective of a nationalistic 
effort.
    Mr. Healey. If I can, I will take the national part, just 
to get us warmed up here.
    So we have seen a number of these national state attacks 
that have looked at the finance sector. The most recent one 
where denial of service attacks by Iran, probably about 2012 
that unfolded over the course of a year, almost 2 years of 
whether or not they were angry at sanctions and decided the 
finance sector was the right target to show their displeasure 
or out of--because they had been attacked by Stuxnet. So a 
group that was difficult to pin directly on Iran, but 
intelligence was able to help determine that it was.
    Every day, every couple of days would decide on a new set 
of American banks that they would target. They would direct 
Botnet zombies under their control of compromised computers 
onto those targets every couple of days. They would change 
those targets to flood the Web site.
    This wasn't a big deal if it was only interrupting getting 
to the main Web site of the bank. Again, it might hurt consumer 
confidence a little bit, but there is no real information that 
is important to the market.
    If it was keeping them from getting access to look at their 
account, their online information, then it starts getting a 
little bit worse. Still not systemically important, because 
they can still get their money from the ATM; they just can't 
look at it online and do some of the bill pays or other things 
that they might want to do. That has been, I think, one of the 
best examples.
    When the United States has wanted to do it against others, 
we have looked at, can we do covert actions, say against 
Slobodan Milosevic or Saddam Hussein. And we still--we love 
that idea, but it doesn't appear like we have done it just yet.
    Mr. Lucas. Gentlemen, on the criminal side?
    Mr. Garcia. I could--a common form of attack that can 
happen in any major organization is--as was alluded to before, 
a phishing attack. An employee receives an email that looks 
like it is from her boss or from a customer or from somebody 
they know and trust, and it looks authentic. They open the 
email and perhaps there is an attachment. Maybe they were even 
expecting that attachment.
    And once it is opened, that actually turns out to be an 
attachment that is owned by the cyber criminal that then 
deposits into the computer system of the recipient some form of 
malware, a Trojan or some kind of a virus that then propagates 
throughout the corporate system. And then once they are in, 
they can browse around the corporate network and see where 
there is data of value, and you steal it, corrupt it, destroy 
it, and that is very common, and it is getting more and more 
sophisticated.
    Mr. Lucas. So the volume of attacks, I think was alluded to 
earlier, are increasing. At what rate would you describe from 
the criminal perspective this increase and is it from a 
dramatically different set of sources?
    Mr. Garcia. The increase--the potentially good news about 
the increase is that we have increasingly sophisticated tools 
to detect malicious activity. So having greater situational 
awareness about what is happening to us is a good thing, and 
then we can start--we can continue to tailor tools to combat 
that.
    So, I think the vexing thing about technological innovation 
is not only does it give us great new tools for working and 
living, and playing, and entertaining, but it also gives 
enterprising criminals new sources of vulnerabilities to 
exploit.
    Mr. Fitzgibbons. Congressman, if I could just add one of 
the things that the increasing number of attacks certainly is 
important. But as we increase our defenses and can kind of 
recognize an attack and stop it, that is great. It is really 
the sophistication of the attacks and using the examples such 
as the phishing attack.
    One of the things that we have seen whether it be nation-
state or whether it be criminal is these attacks are very, very 
well structured. They obviously have information or they have 
information that suggests they understand your infrastructure. 
They understand your processes.
    So your employees, your staff will be getting an email that 
you actually expected. You have heard that there was an upgrade 
to your email system and you are hearing from the systems 
administrator that, oh, in order to actually successfully move 
you across, we need to do this. And that is really the 
challenging part, because we can stop something that we know 
about and send it 100 times while stopping 100 times.
    But when they find those backdoors and those side doors 
that take advantage of people's understanding of how their own 
company works, that is where it gets physically challenging.
    Mr. Lucas. Thank you.
    Chairman Neugebauer. The time of the gentleman has expired.
    The gentleman from Washington is recognized for 5 minutes.
    Mr. Heck. Thank you, Mr. Chairman. I want to add my voice 
to that of Mr. Lynch's expressing my appreciation for 
conducting this hearing on what I consider to be a very 
important subject. I appreciate it very much, sir.
    I don't know to whom I should address this question. I am 
going to try Mr. Garcia, just randomly here as a follow up to 
some of Mr. Lucas' line of inquiry. Do we have a rough sense 
about what the division is between nation-state attacks and 
domestic criminal attacks on cyber systems?
    Mr. Garcia. I don't have specific numbers, but I think 
cyber criminal attacks are much more numerous partly because 
there is a big business behind actually providing hacker tools 
to people who want to buy them.
    Mr. Heck. So a majority of the attacks come from criminals 
domestically?
    Mr. Garcia. Yes.
    Mr. Heck. So now I want to pursue--also as a follow up to 
Mr. Lucas kind of the accountability link here. I am not an IT 
professional, and I don't follow this as closely as those who 
are in the business do. But I have a simple if not simplistic 
view, namely cyber attacks cost money, destroy things of 
economic value. Just as certainly as if you were to know that I 
did--I was not within my home nor any of my family, but you 
burned it down. You would cost value, economic consequence.
    And yet the truth is--I think I have read one or maybe two 
instances of somebody going to jail over this stuff. Now, look 
I realize we are in the midst of a legitimate debate about 
whether we are putting too many people in jail, certainly for 
non-violent crimes, but these have enormous economic costs. Do 
we have the legal framework to provide accountability for 
people who are destroying things of value, our time, our 
effort, our resources, to hold them to a standard of 
accountability that might disincentivize what is otherwise 
clearly an exploding field of the malicious activity?
    Would anyone care to respond to that?
    Mr. Fitzgibbons. Congressman, that is a terrific question. 
And one of the challenges, one of the discussions we will often 
hear is these are crimes without consequence. It is a great 
business case, do a cyber attack and what is the chance of 
getting caught.
    I think that is a bit unfair because when we speak with law 
enforcement, they are working very hard to try and get at these 
folks. I think--
    Mr. Heck. Are the perpetrators being indicted and jailed?
    Mr. Fitzgibbons. There are indictments that are actually 
being passed against the people who are actually outside our 
borders. And when those opportunities present themselves, 
apprehension is actually taking place. I think one of the 
things that we enjoy is when we do have these opportunities to 
speak with law enforcement to hear more about what they are 
trying to do.
    Having said that, we want to see more from the private 
sector. We do want to see more consequence. We do want to see 
more prosecution. We do want to see more people being held 
accountable, but we recognize they are somewhat complex given 
the happening outside our borders and it is not easy to do, but 
the dialogue between ourselves and law enforcement is very good 
in terms of, we have a common objective.
    Mr. Heck. Do we have an adequate statutory framework?
    Mr. Healey. I believe in the United States we do, sir. I 
think the statutory framework here goes back something like 30 
years. It is very solid. The law enforcement agency has been 
catching up.
    What worries me and probably the whole panel is there are 
sanctuaries. If someone is hitting you from China, you are 
probably never going to get them. If someone is hitting you 
from Russia, you are probably never going to get your hands on 
them, and so they are able to operate from these sanctuaries 
with--
    Mr. Heck. What could we do?
    Mr. Healey. Russian Mafia with ties to the Russian 
government--
    Mr. Heck. No, no, no, what could we do to disincentivize 
this behavior?
    Mr. Healey. I think put pressure on the governments where 
we can, try and include this into our overall conversation.
    Mr. Heck. Diplomatic pressure.
    Mr. Healey. And also just--
    Mr. Heck. How is that working out for us?
    Mr. Healey. We are never going to get cuffs on them, sir, 
so I think the more that we can do to disrupt their operations, 
things like botnet takedowns, try and increase the cost on them 
so that way--if we can't put the cuffs on them by putting them 
in jail, we can increase the cost so it becomes more and more 
and more difficult.
    Mr. Heck. I have one last question quickly. I see my time 
is dwindling. I am interested in whether or not our emerging 
new payment methods, whether it is Apple Pay or Google Wallet, 
how has this increased our exposure? What is the trend line? 
Are we seeing an expansion of attacks associated with these new 
payment methods diminished within that segment of payment, 
holding--comparable to other means? Are we more exposed, less 
exposed? What is the trend line?
    Mr. Fitzgibbons. Maybe I will take a shot at that, 
Congressman. I think when we see innovation in the payment 
space such as Apple Pay and those other things, from a payment 
system perspective, we welcome innovation. A lot of this 
innovation is really being driven by just those threats 
themselves, taking account numbers and personal identifiable 
information out of the mix.
    But having said that, the adversaries are very, very quick 
to adapt to different things so they will look for weaknesses 
in that and we need to remain ever vigilant that we actually 
are going after them.
    One thing I would mention there is that in the payment 
systems there is a huge amount of regulation and understandably 
so. When we look at some of these other service providers and 
we are talking about something as important as cybersecurity, 
are they subject to the same regulations? So that is something 
that needs to keep pace for the reasons that you were just 
referencing.
    Mr. Pearce [presiding]. The gentleman's time has expired. 
The Chair now recognizes Mr. Pittenger from North Carolina.
    Mr. Pittenger. Thank you, Mr. Chairman. And I thank each of 
you for being here and for your valuable time.
    As we consider the stability and the viability of our 
financial markets and financial institutions, what concern do 
you have for our electric grid, the important factor that 
plays? Who would like to respond to that?
    Mr. Bentsen. I will start, Mr. Pittenger. I think every 
sector, every critical sector, critical infrastructure is 
working on this. I obviously can't speak for the others. But we 
are concerned from our standpoint of making sure that those 
sectors are equally protected or taking the necessary steps to 
provide defense.
    As one of my members had said before, if the Fed wire is 
down, we can probably work around it. But if we don't have 
power, we really can't do anything at all. And I think the same 
would be true with other critical infrastructure like the 
telecom sector.
    We can talk a lot about the financial services sector and 
the work that is being done, and I think there is a lot of work 
being done, but we have to take into consideration that we are 
connected to these other critical sectors.
    Mr. Pittenger. Sure. Would anyone else like to comment?
    Mr. Garcia. Yes, sir. The Financial Services Sector 
Coordinating Council has embarked on some cross-sector 
initiatives to engage particularly with the electric sector and 
the communication sector.
    First, to just understand what our interdependencies are, 
what our mutual vulnerabilities are, and then think about ways 
that we can collaborate in areas such as joint exercises in the 
event that the power goes out; how will that affect our 
respective sectors. So it is a positive cross-sectoral 
engagement going on.
    Mr. Fitzgibbons. One thing I would add to Mr. Garcia's 
statement is it was very interesting that when we were reaching 
out recognizing this cross-sector requirement, we can't just be 
an island into ourselves. We often enjoy this reputation of 
being kind of out in front and so forth. But again, to your 
point, the other sectors, we are all dependent upon each other. 
So when we were actually reaching out to the electric sector, 
they were literally picking up the phone to call us as well.
    And I think that really does speak to how very broadly 
these threats are actually being taken by all the critical 
infrastructure. So I think there is a good news for you in 
that.
    Mr. Pittenger. About a month or so ago I was in Israel and 
met with some of the individuals who have been playing an 
active role in securing their grid through a cyber war. And 
then subsequent meetings in Vienna and back here a week or so 
ago, they will be here. And I would just like to personally 
invite you to come. This will be a Members' meeting, but it 
will be one that you would be most welcome to come to, on June 
2nd at 4 o'clock.
    And the head of the National Cyber Bureau who works 
directly under the Prime Minister will be here to address this 
issue and show us what they have done to seek to secure their 
grid from cyber attack.
    On another matter, Mr. Healey, given that we have limited 
extradition treaties with certain countries, particularly in 
Eastern Europe, what other ways can we seek to justice against 
these individuals if we don't have extradition treaties and the 
limitations there?
    Mr. Healey. Justice is going to be very difficult and, in 
fact, might be unattainable. So we have to look for other 
positive public policy outcomes that we can achieve.
    The sector, I think, has done a good job in working with 
the telecommunications sector, ISPs and others, vendors like 
Microsoft in asking, how can we disrupt their attacks to begin 
with? That doesn't give us the satisfaction of seeing the 
punishment that they deserve, but it can stop the attacks from 
having the effect that they want on the sector.
    I am very hopeful that now that the White House has come 
out with their plan for information-sharing and analysis 
organizations, we can use these kinds of groups to be more 
purpose focused.
    I have not spoken much about information-sharing. I don't 
care much about information. I want to see results. And so if 
we build our groups around stopping DDoS attacks, stopping 
account takeovers and the rest, and build our information-
sharing to that, I think we can thwart them much better than we 
have been.
    Mr. Pittenger. Certainly. I yield back. Thank you.
    Chairman Neugebauer. I thank the gentleman. Now the 
gentlewoman from New York, Ms. Velazquez, is recognized for 5 
minutes.
    Ms. Velazquez. Thank you, Mr. Chairman. I, too, want to 
thank the chairman and the ranking member for holding this 
important hearing.
    Mr. Garcia, if I may, what is being done by the public and 
private sectors to advertise the importance of cybersecurity to 
the small business community? Also, what cost-effective steps 
can they take to protect themselves and their customers?
    Mr. Garcia. That is a very good question. Thank you for 
that. There actually is quite a network of private sector 
organizations that are thinking regularly about how to get 
those tools and awareness into the hands of small business 
owners and consumers.
    There is an organization called the National Cybersecurity 
Alliance; one of our member institutions is on the board. They 
host, along with the Department of Homeland Security, every 
October, National Cybersecurity Awareness Month and it is a 
major national campaign. All 50 governors declare--
    Ms. Velazquez. Are you aware of any coordination with the 
Small Business Administration?
    Mr. Garcia. Yes, and the Small Business Administration is a 
part of that. Many major--many of the Federal agencies are a 
part of it and our own Treasury Department and some of the 
Federal regulators for the financial institutions reach out to 
the small banking community institutions to raise awareness 
there.
    And the National Institute of Standards and Technology has 
developed a framework called the NIST Cybersecurity Framework, 
which we are helping to push out to the small institutions. And 
that is one of the cost-effective tools. It is simple. It is 
scalable, and it gives them a sense from the IT administrator 
up to the CEO what their responsibilities are for managing 
cyber risk.
    Ms. Velazquez. Thank you.
    Mr. Nichols, the nature of the U.S. card market presents 
unique challenges as we move forward with EMV implementation. 
As you know, many of the 28 million small businesses in the 
United States now accept card transactions, and switching over 
to card reader technology will be costly. Is there anything 
being done to help mitigate the costs and also to inform the 
small business community of the risk of not upgrading?
    Mr. Nichols. Upgrading to--did you say chip and PIN? Okay.
    Ms. Velazquez. The new technology.
    Mr. Nichols. Yes, sure. I guess, an observation on that, it 
is obviously--I will talk about the underlying technologies for 
a second. It is a good technology. I would say that there is 
probably no single technology that will prevent all breaches. 
We have talked at length today about the creative and inventive 
ways that the bad actors participate in this market.
    We are also mindful that the government doesn't 
inadvertently stifle future innovation by speaking to--overly 
praising one particular technology, in part, Congresswoman, 
because innovation is moving so quickly at such a rapid pace 
not just in payments but in other aspects of the financial 
sector and the general technology community.
    Who knows what tools we are going to need 5 years from now, 
10 years from now, 15 years from now or 20 years from now. The 
space is so rapidly changing, looking so dramatically 
different. So we need to keep--we obviously--we need to keep 
pace with whatever the latest technologies are.
    It also underscores a point I made very briefly earlier 
about the priority level that this is within the financial 
institutions in America. The leaders of these financial 
institutions are saying things like, no expense will be spared 
as it pertains to our cyber protections.
    Another leader said that in an area where they are doing 
lots of cost-cutting, this division of the company never needs 
to ask permission to spend more money. It is a huge priority 
getting this right. And it is something that these institutions 
think about each and every day.
    Ms. Velazquez. Thank you.
    Mr. Bentsen, we all know that Federal spending to combat 
cybersecurity continues to grow at an extremely rapid rate. How 
do we tap the unique talents of small technology firms in an 
effort to strengthen our national cybersecurity defenses, 
especially in the financial sector?
    Mr. Bentsen. That is a good question, Ms. Velazquez. I 
think that this is a problem that is not unique to the largest 
firms both in terms of the largest banks or the largest 
technology providers, and there is a tremendous amount of work 
that is being done to look at it because this is such a 
priority.
    And so I think you are right that we--the industries--are 
going to have to look at who is going to be coming up with 
better mouse traps as we go along in this process. And it is 
important that we don't, to follow on to Mr. Nichols' comments, 
in a broader context, not in the chip and PIN, that is not 
really in our space that we don't stifle the ability of tech 
companies, startups and others to work on this. There are quite 
a few in this space today, and we hope that there are more down 
the road.
    Chairman Neugebauer. I thank the gentlewoman. The 
gentlewoman's time has expired.
    The gentleman from Colorado, Mr. Tipton, is recognized for 
5 minutes.
    Mr. Tipton. Thank you, Mr. Chairman. I would like to thank 
the panel for taking the time to be here. Ms. Velazquez and I 
have a common interest in small businesses.
    And, Mr. Garcia, you just mentioned that there was a big 
effort to be able to get information out to those small 
businesses. What is the participation level? Do you have any 
idea?
    Mr. Garcia. The FSSCC has a Small Institutions Outreach 
Working Group that is--that involves the Independent Community 
Bankers of America, and several other trade associations are 
involved, and several other companies. And we are thinking 
about, how do we get their attention when you have small bank 
CEOs who are really focused on running their business. And now 
we are asking them to think harder about cybersecurity and how 
to manage their third party service providers.
    We are working closely with our government counterparts in 
Treasury and the FFIEC to consider the best strategy for 
pushing out the best, simplest, scalable--
    Mr. Tipton. I am just kind of curious. Do you have any 
idea--you know, if we have 100 percent independent bankers? X 
percent participate in some of these rollouts. Is there any way 
to be able to identify that?
    Mr. Garcia. I wouldn't have that information. Perhaps maybe 
some of my colleagues--
    Mr. Bentsen. Yes, sir. I would just add to that on the 
broker-dealers and asset management side, to your point, SIFMA 
and our membership made a decision to underwrite membership for 
our smallest firms, 6 percent of our member firms have less 
than $200 million a year of revenues, but for the smallest 
firms, membership in FS-ISAC because we want 100 percent 
participation.
    And to be fair, it has been painstaking to get these firms 
in because in some cases you have--the CEO is also the chief 
technology officer in a very small firm. So this has been sort 
of almost a one-on-one communication.
    Likewise, we have been working with those firms on what 
their insurance policies are, how they can--whether they can 
come together to buy insurance policies together, what they 
have in their insurance policy. And we have encouraged the 
regulators, FINRA, for instance, who is the self-regulatory 
organization for broker-dealers, to work with the smaller 
members in this process.
    Mr. Tipton. Great. Mr. Nichols, do you have any comments on 
this?
    Mr. Nichols. No.
    Mr. Tipton. No, okay. Great. Just as a little bit of 
follow-up on this, with smaller institutions, can they be a 
gateway to the bigger institutions when we are looking at the 
cybersecurity? Does that stress the importance of getting this 
information?
    Mr. Bentsen. Absolutely. Everybody is a gateway. Everybody 
is linked together in the trading world or on the bank side. 
And that is why we did our diagnostic and worked to develop 
standards that would apply across the industry because they 
clear with others, they trade with others, and that is why we 
want to make sure everybody is in the information grid, that 
everybody's insurance is up-to-date. And so it is something 
that, and I know that the bankers are doing the same thing, we 
have to get universal adoption within the industry.
    Mr. Nichols. Congressman, I would add just very briefly to 
that. In my written testimony, I talked about this issue of the 
automated programs and all the investments that are being made 
there. Kind of two points apply here.
    One, what does that actually mean in layman's terms? I am 
not a cyber expert like these two guys are. But in layman's 
terms, is it that we are trying to get the financial system to 
operate like your body's immune system, so that it fights off 
the illness before it gets there? So one, these programs allow 
you to quickly differentiate a small attack or a low priority 
attack versus the really serious stuff, the really wicked and 
malicious stuff. So that is kind of half of what it does.
    And the second half of what this automation, these programs 
and systems does is quickly and swiftly disseminate the nature 
of the threat across the system to institutions of all sizes. 
And that is where a lot of the large financial institutions are 
making investments that help not only themselves and their 
clients and customers, but people all across the spectrum.
    Mr. Tipton. Right. Thanks.
    Mr. Garcia, something I just wrote down as you were 
speaking, giving your testimony was the need for more 
uniformity, and examinations regarding--is there duplication? 
Is there overlap? Are there additional costs that are being 
driven that could be better spent on cybersecurity?
    Mr. Garcia. Yes, I think that is our experience and it is 
anecdotal, but one company could have several different 
regulators, depending on their various businesses. And the 
examiners who come in have different sets of questions. And 
they are all getting to the same issue--security and 
resiliency--but we have to answer the questions in different 
ways.
    Our point was if we could harmonize, as Mr. Bentsen said, 
across all other regulatory agencies, we could have the same 
sets of questions. We could focus on actual security and 
resiliency and not answering questionnaires or answering fewer 
questionnaires.
    Mr. Tipton. And just one final question here, Mr. 
Fitzgibbons, you mentioned about the recovery process by small 
and medium-sized firms after an attack. How does that compare 
to a big firm? I think I know the answer, but what are some 
special challenges our smaller firms are facing on a recovery 
after an attack?
    Mr. Fitzgibbons. Congressman, thanks. It is an interesting 
question. Many of the regulations that the larger firms have to 
deal with actually require a significantly accelerated recovery 
time. So it is almost as if the bigger the bank, the faster you 
can actually recover. A lot of that is driven by regulatory 
requirements. A lot of that is driven by the sophistication and 
the investment they make in a lot of technology. So 
significantly, systematically important, financial institutions 
actually recover very, very quickly from outages.
    The small and the medium-sized institutions may not have 
that regulatory mandated requirement. Having said that, the way 
that technology is shared, the way the technology evolves and 
so forth, recovery out of various critical systems and so 
forth, be it the payment system or DDA system--
    Mr. Tipton. Yes. Thank you, sir. I yield back.
    Chairman Neugebauer. I thank the gentleman. And now the 
gentleman from Texas--
    Mr. Williams. Thank you, Mr. Chairman. I thank you all--
    Chairman Neugebauer. --is recognized for 5 minutes.
    Mr. Williams. --for being here today. I think for me, as 
someone who comes from a small business background, this issue 
is clear. I think I can give you a little unique perspective on 
this topic.
    As retailers, your ability to sell a product is everything, 
as you know. Once you lose that ability, you damage your 
reputation, and you limit your ability to be truly successful.
    In my instance, I just happen to be a small business owner; 
I am a car dealer. My customers trust that whatever information 
they share with me is protected. The Federal Government doesn't 
need to tell me that. But whether it is my industry or 
something else, gaining and keeping customers' trust is vital. 
Without that trust, you might as well not be in business.
    Now because the debate is really about making sure the 
customer is protected first and foremost and giving them the 
best service possible, I think is what we have talked about 
today.
    So let me bring this up. In 2014, the auto industry and the 
National Highway Traffic Safety Administration came together to 
create a sharing advisory center, known as Auto ISAC, to share 
cyber threats among 34 auto manufacturers. The idea is for 
automakers to share information about attempted security 
breaches so they can be neutralized quickly. Also, the Society 
of Automotive Engineers established the Electrical Systems 
Security Committee, which is created to review challenges, and 
capture solutions standards to prevent cyber attacks in current 
future vehicles.
    As a car dealer myself, the coordination of my industry and 
the Federal Government is encouraging because again reputation 
is everything. I believe they have seen what has happened in 
the retail and financial sectors and try to be proactive. With 
mobile devices like Wi-Fi and other technologies almost 
commonplace in vehicles, the bar needs to be high.
    So can any of you on the panel comment on what the auto 
industry has done and how this might be a helpful model for 
other financial industries when coordinating information-
sharing with the Federal Government? Any of you?
    Mr. Healey. Sir, a lot of the ISAC dates back to 1998 when 
President Clinton asked because, of course, he couldn't tell 
the private sector to come together and put these ISACs in 
place for their sectors.
    The finance sector started the year after--1999 was the 
Financial Services, ISAC. I had the honor to be vice chairman 
of that group several years after that. So a lot of the--the 
finance sector is one of the few that of those original set 
that is kind of going strong. Telecommunications has been good. 
Information technology has been good.
    Many other sectors, they have kind of been born and died in 
the time before auto came together. So I think auto is in a 
great position of having been able to look at what has worked 
best in these ISACs and what hasn't.
    For example, in the early days of the financial services 
ISAC, we wanted to jump right into automated sharing of the 
kind that we heard about today with Soltra Edge. But we weren't 
ready, we didn't have the trust between us yet. We had to sit 
down together, get to know one another, have a few drinks 
together, and then we built up that trust between ourselves and 
with government.
    Also, one of the big lessons is a higher level of 
governance for the sector. The ISAC was operational only. Then, 
when we had to deal with the government on larger issues, we 
were too operationally focused to have that. So, we came up 
with a group that Greg now represents, the FSSCC, to be there 
at that higher level and the regulators set up the FIEBC, their 
structure, so that we had this government regulators and 
finance sector policy level, at the managing director level to 
cooperate.
    So I think the Auto-ISAC is on great ground and I look 
forward to seeing what lessons that finance can draw from it.
    Mr. Williams. Thank you very much.
    Mr. Bentsen, you said in your testimony that Congress needs 
to remain proactive and vigilant on the topic of cybersecurity 
and that passing legislation is needed for the financial 
industry. Does the Federal Government need to mandate policies 
on sharing cyber threats again, as we can see the auto leaders 
and the Federal Government are already working together without 
Congress telling them to do so?
    Mr. Bentsen. I think in the case of information-sharing and 
giving, and liability protection, FOIA, which the House has 
done, is very important. The industry is certainly working 
within the law as it is today, but it would be that much better 
if the other body would move forward in passing the CISA bill 
and getting it to the President's desk.
    I think beyond that what we called for in our 
recommendations is for the Federal Government--the regulatory 
agencies to look at what the industry has done and create 
guidance out of that, and do it across the agencies in a 
harmonized way. So to the earlier points that we don't have--
our members don't have to have different guidance, different 
examination structures from regulators who are all seeking the 
same outcome.
    And if there--to me, in dealing a lot of regulatory policy, 
if there was ever an example where regulators could come 
together on a uniform approach, this is it.
    Mr. Williams. Mr. Chairman, I yield back.
    Chairman Neugebauer. I thank the gentleman. Now the 
gentleman from South Carolina, Mr. Mulvaney, is recognized for 
5 minutes.
    Mr. Mulvaney. Thank you, Mr. Chairman, and thank you, 
gentlemen, for doing this.
    I am going to ask some simple questions, and I hope I know 
the answers in advance. But I just want to clarify this 
because, Mr. Healey, you got my attention during your opening 
statement, about one of your concerns--probably a valid 
concern--about the risks that the financial system faces in the 
event of some rogue international actor.
    I think you specifically mentioned Iran or Russia being 
backed up against the wall, feeling they have no vested 
interest in the financial system, with very little to lose, 
especially since they could pull off some type of plausibly 
deniable type of effort.
    So I guess, for the sake of starting the discussion, let me 
ask you the question then that should be first and foremost in 
everybody's mind, which is how safe is our money? If I have 
money in a particular financial institution--pick one of the 
major institutions--how safe is it in your opinion, sir?
    Mr. Healey. I believe it is safe. The--
    Mr. Mulvaney. Tell me why.
    Mr. Healey. --I believe the American financial system is 
sound. I think it would be very difficult, as we also said in 
those opening comments, for any adversary to systemically 
disrupt the American financial system over a long period of 
time. It is just very difficult, I believe, in all of the 
strengths that we have talked about here.
    However, particular institutions, well, one we might see 
shorter-term disruptions, maybe not being able to close at the 
end of the day like we would normally expect to.
    Mr. Mulvaney. Mr. Healey, let me cut you off.
    Mr. Healey. Sure.
    Mr. Mulvaney. If you could take that to a retail level for 
me, because you understand what it means for banks not being 
able to clear at the end of the day. Sometimes I think I 
understand, sometimes I don't. What does that mean to an 
ordinary family?
    Mr. Healey. Right. If the--especially if this kind of 
attack were to happen, for example, on the 15th of the month or 
the last day of the month at a particular institution, then I 
believe that--no financial institution, I believe, can stand up 
to the kind of attack that we might be able to see from one of 
these organizations.
    That doesn't lead to anything systemic, but I think it is 
going to give a single bank a really bad day.
    Mr. Mulvaney. Would anybody else care to weigh in on that?
    Mr. Fitzgibbons. I think when you talk about attacks on the 
financial system or financial institutions and then the impact 
on the family, there is impact. So it could very well be. It 
is--they are trying to make a payment, a bill pay or whatever 
it may actually be, and that actually gets disrupted. So they 
can actually feel that particular impact.
    Coming back to the point about safe, having said that and 
recognizing there is the potential for attacks and potentially 
successful attacks, that doesn't mean that the system is 
unsafe. I think we need to keep it safe. I believe it is safe. 
I believe we need to make it safer. I believe that when we see 
a threat or there is a threat or an attack against a particular 
thing, what is important is how quickly we react to that, how 
quickly we isolate it and move forward.
    Mr. Mulvaney. Thank you for that. That is a wonderful 
summary. Thank you both, gentlemen, for clarifying that because 
what I think we are saying is that while individual 
institutions may be subject to attack, that the system will 
remain strong, and that any impact on ordinary Americans would 
be temporary at worst. So it would be something that could be 
fixed in short order. I think it is important that we come out 
of this, Mr. Chairman, recognizing the fact that the 
institutions are sound and it is still safe to put your money 
in the bank.
    Now, let me ask a follow-up question. How safe is my 
personal information? I will come back to you, Mr. Healey, 
because I think you said you didn't care that much about it, 
but I may have--
    Mr. Healey. No.
    Mr. Mulvaney. I may have heard that out of context. So how 
safe is my personal information, especially in light of this 
world we are creating now? And I think we were inevitably there 
where you all have--different institutions have to share 
information. So how safe is my personal information?
    Mr. Healey. I do not believe it is safe. We have seen the 
hackers be able to hit for decades to be mostly unstopped. Year 
after year, they have continued to make gains over us, the 
defenders.
    Of the places where my personal information lives, I feel 
safest of where it lives in the finance sector. I am really 
happy that my bank has my social. I feel a little bit worse 
that the Social Security Administration has my social. I am 
pleased that student loans are with my bank. I am a little bit 
more nervous with the Department of Education.
    That said, it is a deep concern. No one's information is 
safe.
    Mr. Mulvaney. Anybody else? Mr. Bentsen? Mr. Nichols?
    Mr. Nichols. I would echo Mr. Healey's observation. We are 
all at risk, even though the financial sector is widely 
acknowledged to have the best protections right now. But I echo 
your sentiment about the concern.
    Mr. Bentsen. Look, the industry has the greatest interest 
in protecting the information of its clients because if they 
don't their clients are going to go somewhere else. But it is 
extremely difficult.
    I do want to say one--
    Mr. Mulvaney. It would be hard to go to a different Social 
Security Administration.
    Mr. Bentsen. Well, perhaps. But I do want to add one other 
thing. I think the system is safe today. I think there is risk 
to markets and that could have impact in pricing. It could 
impact the individual investor. But I think we have to 
recognize that the people who are seeking to do this, whether 
they are individual criminals, or nation-states, or terrorists, 
or whomever they may be, they are getting better every day as 
well.
    So it is the same person that somebody was trying--somebody 
is trying to pick a safe, they may not know how to do it now, 
but they are going to keep trying to get better and better, and 
so we have to keep preparing for the worst-case scenario.
    Mr. Mulvaney. Gentlemen, thank you very much.
    Chairman Neugebauer. I thank the gentleman. Now the 
gentleman from Missouri, the chairman of our Housing and 
Insurance Subcommittee, Mr. Luetkemeyer, is recognized for 5 
minutes.
    Mr. Luetkemeyer. Thank you, Mr. Chairman. It is kind of 
interesting that we have a TV show now, CSI Cyber. It is 
interesting that we have come that far.
    I want to follow up a little bit on Mr. Mulvaney's remarks 
with regard to the security of information. But I want to 
approach it a little bit differently, from a standpoint of 
sharing the information between the various entities. How much 
individual information is being shared between the different 
groups that are involved here whether it be law enforcement, 
whether it be the EFT transaction folks, the securities, banks, 
whatever? How much individual information is being shared 
there? None, a lot, everything?
    Mr. Fitzgibbons. So when--to talk information-sharing 
because often it is referenced as a way to share threat 
information, threat indicators and so forth to allow us to 
protect ourselves.
    In that forum, and I can tell you from our strengths, when 
we are sharing threat indicator, we do not share personally 
identifiable information. That is not really what we are 
talking about. We are talking about information-sharing.
    Mr. Luetkemeyer. That is the point I want to get to here is 
that when we--you talked about information-sharing, the people 
watching this hearing today, the radar goes up like, oh, my 
gosh, the NSA is watching and now we have all these cyber guys 
out here watching. So I think it is important that you clarify 
that from a standpoint this is not individual information that 
you are sharing. This is more transactional activity that is 
being monitored by some outside group, and you are sharing that 
kind of information. Is that--
    Mr. Fitzgibbons. That is a terrific point, Congressman. 
Actually, I appreciate the opportunity to provide that clarity. 
Oftentimes, when you are dealing with these issues, you are 
speaking in terms that are kind of understood. But it is 
important to understand that when we talk about information-
sharing as it relates to the threats, it is not PII, it is 
about IP addresses or different bits of code that you should be 
on the lookout for in your particular systems.
    When there is an attack, what actually happens is PII will 
be very, very deliberately stripped out so that there is no 
sharing of that information--that specific information. So we 
are talking about threat indicators, not personal information.
    Mr. Luetkemeyer. Okay. Along that line, how much sharing 
goes on between industries? In other words, between the 
financials--the banks, the credit unions, the insurance 
companies, financial or securities folks. Between the 
industries, is there this information going on or only just 
between bank to bank or credit union to credit union, or 
insurance companies to insurance company? Can anybody elaborate 
on that?
    Mr. Garcia. Certainly, within the Financial Services ISAC, 
there are I think north of 5,000 member organizations now 
spanning the financial services subsectors. At the same time, 
the vice president of the FS-ISAC is Chair of the National 
Council of ISACs, so you have the electric ISAC and the telecom 
ISAC, and the financial ISAC.
    Mr. Luetkemeyer. Okay.
    Mr. Garcia. And they are all working together sharing 
information at a higher level, not at the level of detail and 
specificity that the FS-ISAC is, but that sharing is happening.
    Mr. Healey. And the ISAC has taken on international 
members, so we are starting to work outside with our key 
financial partners.
    Mr. Luetkemeyer. Okay, very good. Thank you.
    Along those lines, one of the reasons that we are having a 
hearing today is not only to determine the kinds of threats 
that are out there and what else going on, but also what tools 
do you need in your toolbox to be able to fight this? Are there 
legal impediments--in other words, does Congress get some 
ability here to help you? Are there things that we need--that 
are in place right now that are hurting you? Are there things 
that we need to put on you to stop some of the stuff you are 
doing that may be beyond your scope or beyond what we really 
need to be involved in. It is kind of a long question.
    But I think if you can give me an idea if you think there 
are some things that we can do to tweak the law or I am sure we 
haven't found a whole lot to probably go after anybody on, but 
along those lines.
    Mr. Bentsen. Congressman, again I would go back to the need 
for information-sharing given the liability employer protection 
would be important. Again the industry is concerned about PII; 
it is a customer confidence issue. But to do everything we need 
to do to protect the customer, we don't want to have the 
situation being second-guessed after the fact when you are 
trying to deal with an ongoing cyber attack.
    I think beyond that, to the extent that the Congress can 
encourage the regulators to work collaboratively, and I think 
we are doing better at that, so we have harmonization, that 
will help the industry, as the industry itself moves to 
implement the standards and recovery protocols, and 
information-sharing as well as things like third party vendor 
verification or audit practices. And so I think that 
encouragement can help quite a bit, and then let the industry 
collaborate with the public sector, so we are talking to one 
another in dealing with how we respond to attacks, how we deal 
with recovery, how we deal with information-sharing.
    Mr. Luetkemeyer. Perfect. I see my time is about up. I will 
yield back, Mr. Chairman. Thank you very much.
    Chairman Neugebauer. I thank the gentleman. Now the 
gentleman from California, Mr. Royce, the chairman of the House 
Foreign Relations Committee, is recognized for 5 minutes.
    Mr. Royce. Thank you, Chairman Neugebauer. I appreciate 
that.
    Mr. Bentsen, it is good to see you, and the rest of the 
panel members there--Mr. Garcia.
    I guess, as we get down to the nitty-gritty of how we get 
to where we need to go, you mentioned earlier the concept of 
having these different sectors work together. You all work with 
a number of Federal agencies or--including with the financial 
regulators, you work and have some knowledge of their 
expertise, since I think we even have a representative on the 
NCCIC (N-kick) watch floor.
    So the question would be, for better coordination or 
harmonization, to get there somebody, in my opinion, has to be 
in charge. Somebody has to take the lead on it, and I don't 
think that has been asked yet. Maybe, Mr. Bentsen, you could 
start. Who should be in charge--Treasury, OCC, Homeland, DOD? 
How do you set this up? Because at the end of the day, unless 
somebody is in charge, bringing everybody together, it is 
awfully hard to make it work.
    Mr. Bentsen. That is an excellent point. My own view is--in 
our experience throughout this process is that--Treasury has a 
huge role to play in the financial sector. Obviously, DHS has a 
role to play, but does the national security apparatus, 
particularly as we are talking about nation-state attacks or 
terrorists. So I think where the coordination needs to occur, 
and I would argue that it is occurring now is at--in the 
Executive Branch and in the Executive Office of the President 
because that is where the ultimate national security apparatus 
is. So you have to bring together the different groups.
    It can't just be Treasury. It can't just be DHS. It has to 
be--somebody has to be coordinating at the top, and so that is 
where we are seeing in some of the exercises we are doing in 
working across the different agencies, not just the financial 
agencies.
    Mr. Royce. The second question I would ask--I understand 
your concept there and where the decision-making--where the 
focus should be in the Executive Branch, but I still think you 
probably have to give most of the key decision-making to the 
entity that has access to the most information and understands 
it the best.
    But in your testimony you also talked about the need to 
increase the pool of educated cybersecurity personnel. There 
are a lot of universities now involved in this sphere, 
including Cal Poly Pomona, which is in my district. But I am 
wondering what the industry is doing to address this particular 
workforce shortage in this area of expertise. Are you working 
with higher education institutions in order to churn out 
people?
    I can tell you, on the other side, Moscow clearly is 
working hard and educating teams on the other side of this 
equation. Now they have that special bureau from North Korea 
that is out there educating right now in terms of how to hack 
into the South Korean banking system. So if we are going to do 
some good defense work, it is good to work through the 
university system as well in order to offset what is probably 
coming.
    Mr. Garcia. Yes, sir, Congressman, that is a great 
question. Within the FSSCC we have two task groups that are 
focused on that question. One is a workforce task group--how do 
we build capacity for cyber talent that we can use in the 
financial services sector and how do we describe the range of 
job responsibilities that we need--number one.
    And number two, we have a research and development 
committee. And within R&D, you think about trying to drive 
funding--Federal funding--a lot of it through the university--
research colleges and universities to work on some of those 
grand challenges related to cybersecurity. And in the process, 
you are building a pipeline of graduates and post-graduate 
professionals who will be entering the workforce, providing 
their level of expertise.
    Mr. Royce. I am going to go back to Mr. Garcia and Mr. 
Healey's points. The concept of being allowed to hack back 
under strict controls, maybe being deputized by an accredited 
law enforcement agency, if that can be put together, is it a 
general consensus that it might be workable in terms of 
counter-battery work against those who are attacking these 
systems, any exception to that, or do you think it just might 
work?
    Mr. Garcia. An example that--perhaps stated in a different 
way was the financial sector's partnership with Microsoft where 
Microsoft was watching as was the financial sector all of the 
attacks on the Microsoft platform--
    Mr. Royce. Right.
    Mr. Garcia. --like Hotmail and Windows.
    Mr. Royce. You are not legally allowed--
    Mr. Garcia. They went to--
    Mr. Royce. --to go on offense and you are saying they would 
be allowed to go on offense.
    Mr. Garcia. They cut off the command and control. They went 
to the U.S. marshal and got a court order to go to the command 
and control center where the servers were hosting these botnets 
and they severed that link.
    Mr. Royce. Yes, yes. Okay.
    Mr. Chairman, thank you.
    Chairman Neugebauer. I thank the gentleman. I want to thank 
our witnesses for your testimony. This has been a very healthy 
discussion. I hope the takeaway for the Members and even for 
some people who may be watching this hearing is that there is a 
lot of good cooperation going on within the industry because 
everybody has a vested interest here.
    I think this is an ongoing dialogue. While we have only had 
two hearings here, I think this is an interest to our country 
from a national security standpoint, but also as far as 
protecting the financial network, which is so important to our 
economy.
    Without objection, I would like to submit the following 
statements for the record: the Independent Community Bankers of 
America; the National Association of Federal Credit Unions; the 
National Association of Insurance Commissioners; and the 
opening statement from Mr. Hinojosa of Texas.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    And with that, this hearing is adjourned.
    [Whereupon, at 3:12 p.m., the hearing was adjourned.]

                            A P P E N D I X


                              May 19, 2015