[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



 
FEDERAL GOVERNMENT AND SMALL BUSINESSES: PROMOTING GREATER INFORMATION 
                   SHARING FOR STRONGER CYBERSECURITY

=======================================================================

                                HEARING

                               before the

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                           NOVEMBER 15, 2017

                               __________


            Small Business Committee Document Number 115-048
              Available via the GPO Website: www.fdsys.gov
              
              
              
              
                            _________ 

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 27-719                   WASHINGTON : 2018       
                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        TRENT KELLY, Mississippi
                             ROD BLUM, Iowa
                         JAMES COMER, Kentucky
                 JENNIFFER GONZALEZ-COLON, Puerto Rico
                          DON BACON, Nebraska
                    BRIAN FITZPATRICK, Pennsylvania
                         ROGER MARSHALL, Kansas
                      RALPH NORMAN, South Carolina
               NYDIA VELAZQUEZ, New York, Ranking Member
                       DWIGHT EVANS, Pennsylvania
                       STEPHANIE MURPHY, Florida
                        AL LAWSON, JR., Florida
                         YVETTE CLARK, New York
                          JUDY CHU, California
                       ALMA ADAMS, North Carolina
                      ADRIANO ESPAILLAT, New York
                        BRAD SCHNEIDER, Illinois
                                 VACANT

               Kevin Fitzpatrick, Majority Staff Director
      Jan Oliver, Majority Deputy Staff Director and Chief Counsel
                     Adam Minehardt, Staff Director
                     
                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Steve Chabot
Hon. Nydia Velazquez

                               WITNESSES

Mr. Rob Arnold, Founder & Chief Executive Officer, Threat Sketch, 
  LLC, Winston-Salem, NC
Ms. Ola Sage, Chief Executive Officer, e-Management, Silver 
  Spring, MD
Mr. Morgan Reed, President, ACT/The App Association, Washington, 
  DC
Mr. Thomas Gann, Chief Public Policy Officer, McAfee, LLC, 
  Reston, VA

                                APPENDIX

Prepared Statements:
    Mr. Rob Arnold, Founder & Chief Executive Officer, Threat 
      Sketch, LLC, Winston-Salem, NC
    Ms. Ola Sage, Chief Executive Officer, e-Management, Silver 
      Spring, MD
    Mr. Morgan Reed, President, ACT/The App Association, 
      Washington, DC
    Mr. Thomas Gann, Chief Public Policy Officer, McAfee, LLC, 
      Reston, VA
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    None.


                     FEDERAL GOVERNMENT AND SMALL 
                     BUSINESSES: PROMOTING GREATER 
             INFORMATION SHARING FOR STRONGER CYBERSECURITY

                              ----------                              


                      WEDNESDAY, NOVEMBER 15, 2017

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 
2360, Rayburn House Office Building. Hon. Steve Chabot 
[chairman of the Committee] presiding.
    Present: Representatives Chabot, Brat, Radewagen, Kelly, 
Blum, Marshall, Velazquez, Evans, Murphy, Lawson, Adams, 
Espaillat, and Schneider.
    Chairman CHABOT. The Committee will come to order.
    I want to thank everyone for being here this morning.
    This Committee has made cybersecurity a top priority in 
recent years and with good reason. It has become one of the 
most serious challenges for small businesses and major 
corporations and the Federal Government itself. We have heard 
from cybersecurity experts, government officials and small 
business owners on numerous occasions and the message is clear, 
cyber threats remain a top concern for America's small business 
community.
    Advances in information technology, IT, have helped small 
businesses rapidly increase their productivity, enter new 
markets that were once out of reach, and offer consumers new 
and innovative services and products. However, IT has advanced 
so quickly that it has been difficult to keep pace with the 
ever-growing cyber threats. Cybercriminals and foreign bad 
actors have more opportunities than ever to steal intellectual 
property, consumer data, and hold small business IT systems 
hostage for financial gain.
    In 2016 alone, the United States Department of Justice 
recorded nearly 300,000 cybersecurity complaints. Our 
Committee's examinations of these increasing concerns have 
revealed that federal agencies are making a serious effort to 
better coordinate and distribute cybersecurity resources 
directly to small businesses. However, there are still 
challenges to ensuring that small businesses are as protected 
as possible from cyber attacks. One of the major hurdles 
continues to be the lack of information sharing between public 
and private sectors. Information sharing is a fundamental 
component for a strong and effective cybersecurity defense, not 
just for small businesses, but for America's network as a 
whole. The federal government must make every effort possible 
to ensure that small businesses have both the resources and the 
confidence they need to actively engage with the federal 
agencies tasked with protecting our critical infrastructure.
    Today, we will hear from several members of the small 
business community about what steps we can take to encourage 
greater information sharing. We will examine how Federal 
agencies can provide assistance and resources more quickly to 
small businesses suffering from a cyber attack.
    Earlier this year we learned that the federal government 
has become increasingly active in protecting our nation's 
critical infrastructure and IT systems, and has gone to great 
lengths to develop an overall framework for cybersecurity 
protocols to incentivize information-sharing practices with 
businesses. However, it has also become abundantly clear that 
the development of this framework is not enough. Last Congress, 
the President signed into law legislation aimed at increasing 
information-sharing practices through the Cybersecurity of 
Information Sharing Act, CISA. This legislation provided some 
important liability protections to small businesses to give 
them trust and confidence in their federal partners.
    Yet many businesses continue to be slow to adopt these 
practices. That is why this Committee has been working on 
legislation to provide small businesses with greater assistance 
in their cybersecurity needs. In July, my colleague 
Representative Dwight Evans and I introduced H.R. 3170, the 
Small Business Development Center Cyber Training Act of 2017, 
perhaps the longest name for a bill in congressional history. 
This bill will direct SBDCs to establish a program for 
certifying some of their employees to provide cybersecurity 
planning assistance to small businesses. It is my hope that 
through this program we will be able to encourage even more 
small businesses to start partaking in information-sharing 
activities and create a comprehensive cybersecurity defense for 
all Americans.
    I would now like to yield to the Ranking Member for the 
purpose of her making her opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    The frequent recurrence of cyber attacks reminds us just 
how fundamental it is for individuals, businesses, and 
governments to guard against unwanted foreign interception. 
From hackers orchestrating the Equifax breach to Russia's 
attack on our democratic institutions, cybersecurity merits our 
attention more than ever before. The truth is, online commerce 
has facilitated business opportunities and growth for mom-and-
pop shops across America, but few small businesses make 
investments in security solutions to protect the data they 
hold. Many entrepreneurs do not even view themselves as 
targets. Criminals, on the other hand, view them as 
particularly attractive. The combination of customer data and 
the lax implementation of cybersecurity make them much more 
appealing to cybercriminals.
    While it is widely known that cyber attacks often result in 
personal and business losses, small firms often do not 
recognize their exposure until it is too late. Given that small 
firms make up over 99 percent of businesses, the small business 
community plays a critical role in ensuring the nation's 
internet infrastructure is secure. And preventing the harsh 
financial consequences that cyber intrusions have is critical 
for their survival because criminals will continuously seek to 
profit by stealing data from both their government and the 
private sector.
    Cyber incidents are not diminishing in the near future. 
That is why we all must take the appropriate steps to 
strengthen cybersecurity.
    For nearly two decades, the federal government has actively 
created a policy framework that seeks to prevent cyber attacks 
by incentivizing data sharing and collaboration between federal 
and private actors. Doing so is just one step to enhance 
readiness against external threats. Encouraging businesses to 
share information regarding cyber intrusions could help federal 
agencies design solutions before problems occur. If the private 
sector and the government collaborate to identify 
vulnerabilities, both small businesses and the government will 
be better prepared.
    Mr. Chairman, over the last year we have seen 
cybercriminals prey on one of the largest credit rating 
agencies. We have witnessed hackers publicly releasing tools 
stolen from the National Security Agency, and most disturbing, 
as we all know, our democratic institutions were remarkably 
vulnerable to Russia's cyber meddling, potentially impacting 
the outcome of our elections. This event makes clear 
cybersecurity issues will become more prominent every day in 
all aspects of our society.
    In that regard, I look forward to learning how we can 
better maximize the flow of information between small 
businesses and the federal government to help improve the 
resiliency of our cyber infrastructure.
    Thank you all for being here today and offering your 
insights.
    I yield back, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back. And if Committee members have opening statements prepared 
we ask that they be submitted for the record.
    And I would now like to take just a moment to explain our 
lighting system and rules. You get 5 minutes basically. The 
green light will be on for 4 minutes. The yellow light will 
come on to let you know you have a minute to wrap up, and then 
the red light will come on and let you know you are supposed 
to stop. We will give you a little bit of leeway there, but do 
not take advantage of it.
    And I would now like to introduce our very distinguished 
panel here this morning. Our first witness is Rob Arnold. Mr. 
Arnold has worked in internet security for over 20 years and is 
the Founder and Chief Executive Officer of Threat Sketch, LLC. 
Threat Sketch provides risk management tools and education to 
small businesses to help them prevent cyber attacks. We 
appreciate you being here with us today.
    Our second witness is Ms. Ola Sage. Ms. Sage is the CEO of 
e-Management in Silver Spring, Maryland, where she oversees e-
Management's information technology and cybersecurity services. 
In addition to her role as CEO, Ms. Sage chairs the Executive 
Committee of the National IT Sector Coordinating Council and 
serves on the board of the George Mason University Women in 
Business Initiative. And we welcome you here as well this 
morning.
    Our third witness will be Mr. Morgan Reed. Mr. Reed serves 
as the President of ACT/The App Association. The App 
Association represents more than 5,000 app companies and 
information technology firms in the mobile economy. Mr. Reed 
has previously appeared before the Small Business Committee 
last year, and we welcome him back here today.
    And I would now like to yield to the Ranking Member for the 
introduction of our fourth witness.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    It is my pleasure to introduce Mr. Tom Gann, the chief 
public policy officer for McAfee, a computer security software 
company. Mr. Gann has over 20 years of experience in the 
technology industry, 12 of which have been focused on 
cybersecurity issues. Mr. Gann holds a bachelor's degree from 
Stanford University in political science and a master's degree 
from the London Business School. Welcome and thank you for 
being here today.
    Chairman CHABOT. Thank you very much.
    Mr. Arnold, you are recognized for 5 minutes.

 STATEMENTS OF ROB ARNOLD, FOUNDER & CHIEF EXECUTIVE OFFICER, 
   THREAT SKETCH, LLC; OLA SAGE, CHIEF EXECUTIVE OFFICER, E-
 MANAGEMENT; MORGAN REED, PRESIDENT, ACT/THE APP ASSOCIATION; 
     THOMAS GANN, CHIEF PUBLIC POLICY OFFICER, MCAFEE, LLC

                    STATEMENT OF ROB ARNOLD

    Mr. ARNOLD. I would like to thank the chair, ranking 
member, and the entire Committee for the opportunity to testify 
today. It is truly an honor.
    My company, Threat Sketch, makes extensive use of shared 
information to educate small businesses and guide their 
investments in cybersecurity. We are a small business 
ourselves, thus I truly understand the needs and challenges 
around sharing cybersecurity information.
    The most fundamental problem in accessing data right now is 
fragmentation. The DHS, FBI, NIST, and the NSA are just a few 
of the agencies collecting cyber information. Each has multiple 
repositories and programs. Some are well advertised, while some 
are part of work groups and not widely available. Others are 
hidden by classification. Simply having a list of all the data-
sharing initiatives available would help us tremendously.
    Another problem with sharing information is the overuse of 
classification. There is a myriad of rules governing the 
declassification of information, but declaring valuable 
information as secret is almost effortless. It takes no more 
than two words uttered with a grave tone to play keep away with 
vital information. ``That is classified,'' and just like that, 
our cyber equivalence of neighborhood crime statistics and sex 
offender registries are taken away in the name of national 
security. While secrets definitely have their place, we have a 
right to know what is going on around us, and every data point 
that gets classified degrades our ability to make good 
decisions.
    But there is a more pressing issue which I need to draw 
your attention to, and it is the byproduct of two distinct 
disadvantages that small businesses face.
    First, as these larger companies armor up, attackers are 
turning to less protected small businesses.
    Number two, small businesses cannot afford to compete with 
big companies for the cybersecurity talent and solutions they 
need to protect themselves. These are circular issues with one 
begetting the other. In their wake, the demand for affordable 
solutions will rise dramatically, creating yet another threat. 
Small businesses, desperate to meet the cybersecurity demands 
of larger clients, government regulations, insurance carriers, 
and lending institutions, are going to become victims once 
again. Adversaries will use this opportunity to sell cheap 
software and services that are subsidized by selling data and 
secrets out the backdoor, while giving them a toehold into the 
supply chain of larger organizations.
    My written testimony offers one possible solution, which is 
to deputize small businesses that commit to providing services 
that are all-American in origin. In addition to tapping our 
SBDCs, I believe the government has two resources that can help 
in the collection and dissemination of cybersecurity 
information. Our Bureau of Labor Statistics is very good at 
aggregating, summarizing, and making data available in easy to 
digest forms. Meanwhile, the IRS is the one agency to which 
every small business owner is happy to report some losses.
    In summary, small businesses need local solutions that can 
tap into a national network of trusted solution providers. The 
SBDCs have proven effective in helping small businesses 
navigate a myriad of State, Federal, and local resources, and 
with training, I think they can rise to this challenge as well.
    Thank you for allowing me to testify before you today. I 
look forward to answering your questions after we hear from my 
fellow witnesses.
    Chairman CHABOT. Thank you very much.
    And Ms. Sage, am I pronouncing it correctly?
    Ms. SAGE. You are, Chairman. Thank you.
    Chairman CHABOT. Okay. Very good. You are recognized for 5 
minutes. Thank you.

                      STATEMENT OF OLA SAGE

    Ms. SAGE. Good morning, Chairman Chabot, Ranking Member 
Velazquez, and the distinguished members of the Committee. 
Thank you for the opportunity to testify today as a small 
business CEO.
    In the last 12 months, 61 percent of small businesses have 
reported that their companies have experienced a cyber attack, 
and a stunning 71 percent of small businesses are not prepared 
to address cybersecurity threats to their organizations. 
Solving this problem requires greater information-sharing 
between the Federal Government and the small business community 
to help our companies better identify threats, protect our 
infrastructure, detect anomalies, respond to and recover from 
significant cyber events.
    The Cybersecurity Information Sharing Act, which I will 
refer to as CISA, can help, but small businesses do not know 
about it. While significant progress has been made in 
implementing the law in general, several challenges still 
persist for small businesses.
    First, small businesses are still unaware of CISA or how it 
helps them. The government has the opportunity to increase the 
visibility of the law through its existing outreach and 
awareness programs to the small business community and to 
highlight the law's protections, particularly in the area of 
liability protections. Small businesses are still confused by 
the myriad of information-sharing initiatives. A small business 
guide for cybersecurity information sharing would be a useful 
tool to help companies better understand the value these 
various public and private information-sharing options provide.
    Third, cybersecurity information can be costly. While data 
provided by the government may be free, many small businesses 
do not have adequate resources to make the best use of this 
data. For some, signing up with a commercial information-
sharing organization may be the best option. However, many of 
the options available today cost thousands of dollars per year 
putting them out of reach for many.
    Let me now turn to some ideas for incentives that Congress 
might consider to encourage greater information sharing and 
cyber threat reporting between small businesses and the Federal 
Government.
    First, expand CISA to add additional protections for small 
businesses. CISA does not currently shield companies from 
potential liability in the event of a data breach or cyber 
attack. Congress might consider providing a positive incentive 
by extending liability protection up to a maximum threshold to 
small businesses that exhibit a measurable commitment to 
voluntary information sharing. This could be through 
demonstrated use of the NIST cybersecurity framework, voluntary 
participation in one or more public or private information-
sharing forums, and maintaining active cybersecurity insurance.
    Second, introduce tax incentives. Congress might consider 
introducing incentives that could include deductions and 
credits for cybersecurity and information-sharing related 
capital investments and personnel among others.
    Third, include participation in a public or private 
information-sharing program as a selection criterion for 
government procurements. The government has and continues to 
use preferential consideration in the procurement process to 
promote or influence desired behavior. These include 
considerations for minority groups, quality and process 
improvement standards, and research priorities. The GSA Alliant 
Small Business Governmentwide Acquisition Contract provides one 
example for quality standards.
    Four, recognize small businesses that commit to 
cybersecurity information sharing. Voluntary programs, such as 
Energy Star, which is a joint program of the Environmental 
Protection Agency and the Department of Energy, can serve as a 
blueprint to design a public recognition program for small 
businesses participating in voluntary information-sharing 
programs.
    Lastly, simplify the entry point for cyber threat reporting 
for small businesses. Most small businesses either do not know 
who to call or are overwhelmed by the choices and, therefore, 
will not bother reporting. Last year, the Critical 
Infrastructure Partnership Advisory Council, CIPAC, formed a 
working group with the DHS Office of Infrastructure Protection 
to investigate how to get a national tip line started that 
would serve as a single point of contact for reporting 
emergency cybersecurity information. Using this example, one 
could envision a scenario where a small business calls a 
national emergency response number, and based on information 
provided, is immediately connected to the appropriate resource 
or resources.
    In conclusion, CISA is still early in its life cycle, but I 
believe holds tremendous promise for the small business 
community as more companies become aware of the law and how it 
can help them. Thank you again for the opportunity to testify 
and I look forward to your questions.
    Chairman CHABOT. Thank you very much.
    Mr. Reed, you are recognized for 5 minutes.

                    STATEMENT OF MORGAN REED

    Mr. REED. Chairman Chabot, Ranking Member Velazquez, and 
distinguished members of the Committee, my name is Morgan Reed, 
and I am the president of ACT/The App Association. I thank you 
for holding this important hearing.
    I represent more than 5,000 companies who make the apps you 
love in the devices you depend on. We are the driving force 
behind a nearly $150 billion industry and we continue to grow 
and create American jobs in every congressional district. And 
our members are building the tools that underpin this jump from 
the desktop world to our new world of mobile plus cloud. But 
for small businesses trying to create new products and sales 
opportunities, cybersecurity threats seem incomprehensibly vast 
and inevitable. In 2014, 71 percent of companies admitted they 
fell victim to a cyber attack. Moreover, the amount of data 
online is expected to increase fiftyfold by 2020, adding new 
attack vectors and, frankly, sweetening the pot for potential 
cybercriminals. And we have not even mentioned the new world of 
IOT and self-driving everything that is right around the 
corner.
    At The App Association, we sit at the crossroads of this 
topic. We have dozens of members who are key players in 
cybersecurity, like PhishLabs, Alchemy Studios, and Citara, and 
on the frontlines of anti-phishing, anti-botnet, and DDOS 
attacks. But we also have members who build all the amazing 
apps you use every day, that you rely on to do your banking, to 
monitor your child's homework, buy a house, and communicate 
with your doctor. With a foot firmly in both sides of the 
industry, we know policymakers must remain mindful of the fact 
that large companies have budgets and staff available. For our 
members, chief security officer may be just one of five hats 
that they wear.
    Small- and medium-size tech companies, like our members, 
exist to solve problems. Take Canned Spinach, for example. It 
is a company in your district, Mr. Chabot. Canned Spinach, led 
by Andrew Savitz, built a product called Speak Easy. It allows 
for people inside of a company to distribute coupons and secret 
deals that their family members might want. The problem he ran 
into is based on phishing attacks and other cybersecurity 
attacks. Users were unsure where they were getting this from, 
who provided it, and so he had to essentially design the 
product from the ground up to deal with the cybersecurity 
threats so that people could get good deals from their friends 
inside of companies. And our clicks-and-mortar businesses have 
this problem as well. For Chairman Velazquez, she knows Etsy 
quite well, headquartered in her district. They have 
requirements for strong data security methods to handle the 
consumer data on their platform.
    And I should point out that Mr. Brat and Mr. Schneider, you 
both have health companies in your district that deal with 
thousands of patient records. For you, Mr. Kelly, there is a 
company in your district that does home restorations. They go 
into a house, take pictures of the damage. But think about what 
they now know about that person. They know their address. They 
have photos of their valuables, and it is all stored on their 
cloud service. It is a great product, but what do they do about 
cybersecurity?
    And so when you think of it from their perspective, of 
problem-solving, and then thinking about it on how do they 
enter the space, you can see how government information sharing 
is really not meeting the challenge that we have today.
    The first thing that we do in private sector is we rely on 
our private sector platform partners. We use products like 
Microsoft cloud services and Azure for cloud, Apple Health Kit 
for health, the latest Intel Sawtooth chip for making block 
chain more practical and efficient. But that symbiotic 
relationship only takes us so far. We need Congress to do some 
major changes to how we do info sharing.
    First, we need to improve the sharing activities. The 
Federal Government should make the cybersecurity threat 
information it shares timely, more accessible, and, frankly, 
more useful to SMEs. When a business is hit with a cyber 
attack, with whom do they share it? Do they call the attack 
while the attack is occurring as opposed to after the fact? Do 
they call somebody at NCCIC? Do they even know what NCCIC 
is? Somebody at their local fusion center or their ISAC? And 
where are these entities located and how do companies share the 
information with them?
    Second, the Federal Government should take steps to make 
cybersecurity frameworks and best practices more workable for 
SMEs. Helping SMEs to improve their understanding, whether it 
is through Lunch and Learns at SBDCs or other activities, we 
need to see developed, widely published, targeted, and user-
friendly best practices and guidance built on the NIST 
framework.
    And third, the Federal Government needs to ensure a legal 
and policy environment that enhances SMEs' ability to manage 
the dynamic cybersecurity risks, and this part falls squarely 
on Congress. Congress must take steps to provide legal and 
policy certainty that SMEs can rely on. Specifically, Congress 
should pass the International Communications Privacy Act, known 
as ICPA--for this year's Congress it is H.R. 3718--to clarify 
SMEs' legal liability and data requests especially with data 
abroad, and they need to maintain this legal environment to 
help support our investment in cybersecurity.
    And I would like to take a moment to thank Chairman Chabot 
and Ranking Member Velazquez for cosponsorship of this 
legislation in the last Congress, and I ask all of you to join 
with them in support for it in the 115th.
    Thank you very much, and I look forward to an engaging 
conversation on this topic.
    Chairman CHABOT. Thank you very much. That was very 
interesting.
    Mr. Gann, you are recognized for 5 minutes.

                    STATEMENT OF THOMAS GANN

    Mr. GANN. Good morning. Thanks for the opportunity to 
testify today. I am Tom Gann, the chief public policy officer 
from McAfee. McAfee is one of the largest cybersecurity 
companies in the world. Indeed, we take great pride in 
protecting consumers and businesses and organizations of all 
sizes.
    As the Committee has ably pointed out in the past, small 
businesses face many of the same cybersecurity risks as large 
ones. Some cyber attack methods, such as malware and those that 
begin with spear phishing, are particularly well suited for 
small businesses who might be an easy target because of their 
lack of cybersecurity resources. Small businesses store 
information, implement operational requirements, and own 
valuable intellectual property just as large enterprises do, so 
they need to have strong cybersecurity protections.
    Investing in more than just very basic cybersecurity tools 
requires time, money, and other resources, like an IT staff, 
that too often small businesses just do not have. We have to 
acknowledge the fact that for most small businesses, 
cybersecurity is an expense that they do not want to incur when 
they are simply trying to make payroll and be profitable.
    So what is the solution? Should small businesses 
participate in DHS's cyber threat information-sharing program 
that was mandated by CISA? This is a question worth exploring. 
In talking with our customers, it is clear that many small 
businesses are unaware of CISA. They often do not understand 
how the law can help them and they are confused by the many 
information-sharing initiatives that are out there. However, I 
do believe that we should consider how information-sharing 
efforts, such as those mandated by CISA, can benefit businesses 
of all sizes.
    The DHS initiative, known as the Automated Indicator 
Sharing Program is open to small businesses, but many small 
businesses do not have the resources or an educated IT staff to 
make use of it or benefit from it. Any information-sharing 
capabilities require time, money, and people that small 
businesses sometimes are stretched to staff.
    This does not mean that small businesses do not need or 
cannot benefit from cyber threat intelligence. They certainly 
can, but perhaps we would focus our discussion more on 
information sharing of a different kind, information that is 
informative and educational right off the bat.
    According to the Better Business Bureau, when asked to 
judge 10 cyber statements as to being true or false, the 
average small business owner's score was around 60 percent. 
This means that for many small business owners there is really 
a lack of understanding of the cyber challenge at all. The 
Federal Government should help develop and fund the standup of 
a nonprofit, information-sharing, and analysis organization for 
small businesses. Such an entity could provide education such 
as basic cyber hygiene and more advanced topics, like 
incorporating the NIST cybersecurity framework into members' 
programs. It could share best practices, lessons learned, 
templates, and processes for addressing threats and assist in 
understanding problems. Additionally, this organization could 
serve as a hub in the event of a breach and the first point of 
contact in determining whether or not to reach out to law 
enforcement. It could assist the business in addressing the 
incident and communicate the situation to other members.
    Further, we recommend outsourcing IT to a cloud provider 
that would be responsible for security. That is a real 
advantage for small businesses. The cloud provider would 
benefit from an ever-growing network effect of more and more 
threat data, improving the very cybersecurity capabilities and 
protections they deliver to their customers' small businesses.
    Both infrastructure as a service and security as a service 
can be economical ways to provide efficiencies and security so 
that small businesses really can benefit from an ecosystem of 
information sharing that is bidirectional with the government 
and the private sector.
    Small business owners, however, cannot contract all of 
their security obligations out, particularly in the area of 
strong blocking and tackling, making sure that passwords are 
updated and information is backed up on a regular basis. Small 
businesses would also benefit from more cyber insurance. The 
government could act as a reinsurer for the cybersecurity 
market that really in many cases is in early stages. Indeed, 
the idea of providing tax benefits and credits to small 
businesses so they can purchase cyber insurance is a very good 
idea and would help pump-prime what is today still an emerging 
market.
    Finally, the government should devote additional resources 
to fighting cybercrime. Too often it is our small businesses 
that are impacted by ransomware attacks, and small businesses 
need all the help they can get. Investing in additional 
Federal, State, and local crime-fighting capabilities to help 
take down the bad guys to protect our small businesses, well, 
those are good investments that should be made.
    In conclusion, I would like to thank you for inviting us to 
testify. It is very kind. We take very seriously our small 
business customers, and I welcome the opportunity to answer any 
questions you may have.
    Chairman CHABOT. Thank you very much. I would like to thank 
all the witnesses for their really excellent testimony here.
    And Mr. Arnold, I will begin with you. I recognize myself 
for 5 minutes.
    You noted that the large number of data-sharing initiatives 
offered by the federal government in nongovernmental 
partnerships can be pretty overwhelming for a small business. 
Do you believe it would be beneficial if there was a single 
portal for small businesses to engage federal agencies to begin 
the information-sharing process? And if so, could you identify 
any particular agency or entity that would be best suited for 
that task, specifically for handling requests from small 
businesses?
    Mr. ARNOLD. Sure. So I do think at a base level we need 
just a simple directory. What information is out there and for 
each of these? What kind of information is being consumed by 
that sharing initiative? What kind are they making available 
and what are the membership requirements? And I think that the 
SBDCs actually are well positioned for that because they 
already do this with so many other government programs and 
initiatives. They seem like a logical fit.
    Chairman CHABOT. Okay. Thank you very much.
    Ms. Sage, I will turn to you next. In your testimony, you 
mentioned that one reason small businesses are reluctant to 
share cybersecurity information is the perception that shared 
information gets lost or goes into a black hole causing 
companies to worry about the security or uses of their data. 
Can you please elaborate on that concern, and do you have any 
suggestions for how information-sharing portals could be more 
transparent in their receipt and use of shared data?
    Ms. SAGE. Thank you, Chairman, for that question.
    I think that is the reality for a lot of small businesses. 
It is sometimes referred to as the Black Hole. You know, 
information is sent in and not exactly sure what happens to it. 
And it certainly has not helped with some of the recent 
compromises that have occurred where information has been 
breached and released. So I think that on the other hand, there 
have been efforts to really try and address that concern.
    I was presenting that comment in the context of cyber 
information sharing so that if there are general concerns about 
information sharing, regardless of whether it is cyber or not, 
my goal was to really highlight the fact that cyber just adds 
another element of concern because that is even more 
potentially damaging to an organization. And I think that some 
of these protections that I mention in my recommendations can 
help with that. If companies feel like there are protections 
for them if their information is breached, and they are the 
victim of this situation, they are not necessarily responsible 
for also addressing it.
    Chairman CHABOT. Thank you very much.
    Mr. Reed, can you provide any example of how small business 
data or shared information practices might invite unwanted 
regulations for small businesses, particularly in the tech 
industry? What steps can we, policymakers, take to ensure that 
small businesses' personal information and IT data is protected 
from regulatory action?
    Mr. REED. Well, I think one of the key elements to start 
with for this Committee and for Congress in general is our 
catchphrase at ACT, which is nobody wants technology at the 
speed of government. And so when you think about where we stand 
on the regulatory framework, I think you start off on the right 
foot and ask the question of if we increase the methodologies 
and reporting requirements and the pathways forward for 
companies and how they have to engage, then we know what will 
happen. Either we will not innovate new products at all or the 
products you see on the shelf will be incredibly limited, or 
worse, really expensive.
    And really quickly, to go to an example that Ms. Sage hit, 
we took a staff down to South Carolina and we met with a 
company, PhishLabs. And PhishLabs is one of the leading anti-
spear phishing companies out there. And I worry about this talk 
about regulatory bodies and new agencies. The CEO of PhishLabs, 
in this room full of staff, including DHS, said, by the way, 
guys, I want to show you something. Clicked over to US-CERT. So 
the Anti-Phishing Working Group has this email where you send 
data if you have a phishing attack. I am a leading phishing 
expert. I have no idea how to get that data. I have spent 
months in contact with DHS. They will not provide it. I do not 
know what is going on, and yet here is this government agency 
collecting data on phishing. And to Mr. Arnold's point, how is 
that not something that gets in?
    So to your question, Mr. Chabot, I think we see that there 
is often a gap between the regulatory intention of Congress and 
how it gets played out. And, therefore, I would look to caution 
additional regulations that could harm small business.
    Chairman CHABOT. Thank you very much. And unfortunately, 
Mr. Gann, I ran out of time before I got to you. I had a pretty 
good question, but my time is expired.
    And I will now recognize the gentleman from Illinois, the 
Ranking Member of Subcommittee on Agriculture, Energy, and 
Trade, Mr. Schneider.
    Mr. SCHNEIDER. Thank you, Chairman Chabot. And again, thank 
you to the witnesses for joining us today and sharing your 
insights.
    Cybersecurity for a small business, it is not a one-time 
transaction. It is not a decision you make at a point. It is 
not an action you take just once like rent or buy. It is not an 
investment you make one time. It is a business constant, no 
different than sales, marketing, or finance. And to be 
effective, I think it has to start with, as you guys have 
touched on, it starts with design. It includes implementation. 
It requires ongoing vigilance. And then if something happens 
you have event management and ultimately recovery and a 
response and recovery. For a small business, just the thought 
of that can be overwhelming. A small business, oftentimes the 
founder is going to be the chief marketing officer, the chief 
finance officer, and the chief bottle washer. That is the 
problem. Those small businesses are going to look to outside 
resources.
    So my question for the panel is, as many small businesses 
look at the need for cybersecurity understand it, but that the 
investment and ongoing maintenance of that is somewhat 
overwhelming, what resources are available for them? What role, 
Mr. Gann, does insurance play? I know it has changed since the 
last time we were here. And how do we make sure that we go from 
not just information sharing, which is important, to helping 
these businesses have solutions?
    Mr. GANN. Well, a couple big recommendations I think can 
make a difference. The first one is for most small businesses, 
their priority first and foremost is to make payroll, grow the 
business, and hopefully become an even larger, more successful 
business over time. Toward that end, we recommend outsourcing 
to IT data centers, cloud providers. By doing that it can be 
cheaper, better, faster. Those large institutions can help with 
security.
    That said, small business owners are still responsible for 
their endpoints. And so getting basic education in place, 
putting in place basic blocking and tackling of passwords, 
really important. Those things can add a lot of value rapidly.
    The last point I would make--I did not include it in my 
testimony, but it is vitally important for all IT organizations 
that are developing new products to bake security and privacy 
into their products in the first instance. By doing that first 
off it can reduce the burden on all businesses and really bring 
forward the benefits of a much easier look and feel to 
technology that is secure such that small businesses and all 
businesses can focus on what they really need to do, and that 
is growing their businesses and satisfying the needs of their 
customers.
    Mr. SCHNEIDER. Mr. Reed?
    Mr. REED. I think one of the key elements that we learned 
is that we have to divide it between small businesses that are 
involved in solving cybersecurity problems and small 
businesses, who, as Mr. Gann pointed out, are busy moving a 
different product. And I think that platforms play a critical 
role, but I also think given this Committee's jurisdiction, 
there is more that can be done out of SBA and SBDCs to provide 
a Lunch and Learn opportunity.
    The number one thing in having started some businesses 
myself that you run into is that feeling of alone. I do not 
know what to do. I am not sure who to turn to. And frankly, as 
you point out, when these things happen you are underwater, so 
you need to have a friendship circle, so to speak, a circle of 
trust that you can go to. And I think SBDCs can provide some of 
that because I think at a certain point the main thing a small 
business needs from an incident report, and as you say, baking 
it in early, is to know who to call, how to react, and how to 
clean up. And so I think there is more that can be done.
    Mr. SCHNEIDER. Ms. Sage?
    Ms. SAGE. Thank you, Mr. Schneider. I actually agree with 
Mr. Reed on the point of the different categories of small 
businesses because a lot of it depends on what kind of business 
you are.
    I would just say, I think incentives are great motivators 
for small businesses. Fundamentally, what we care about is can 
we get a new customer? Can we keep our existing customers? And 
can we stay in business? And so whether it is cybersecurity or, 
potential lawsuits or sales and marketing, anything that is not 
going to help us advance one of those three objectives is 
something that we are less likely to do.
    And so to the extent that Congress can provide incentives 
for us to want to do better in the area of cybersecurity, I 
think that would help.
    Mr. SCHNEIDER. Mr. Arnold?
    Mr. ARNOLD. I think one of the best things that the 
government can do is simply be as transparent as possible with 
information, allow it to come down to us, and give the small 
business community an opportunity to wrought solutions for 
themselves from that raw data. This is a role that both myself 
and Olga Sage play in this, is taking that data and making it 
accessible.
    Mr. SCHNEIDER. Great. Thank you. My time is expired. I 
yield back.
    Chairman CHABOT. Thank you very much. The gentleman's time 
has expired.
    The gentlelady from American Samoa, Mrs. Radewagen, who is 
Chairwoman of the Subcommittee on Health and Technology, is 
recognized for 5 minutes.
    Mrs. RADEWAGEN. Talofa. Good morning. I want to thank you, 
Mr. Chairman, for holding this important hearing today, and I 
want to thank you all for testifying. All of you can answer my 
two brief questions.
    Do you believe the government's responsibilities and small 
business owners' responsibilities in protecting businesses are 
balanced?
    And as a follow up, what educational outreach efforts 
should the Federal Government be making to inform small 
business owners about cybersecurity information-sharing 
practices?
    Mr. Arnold?
    Mr. ARNOLD. Yes. So, I think the question of balance, it is 
very hard to balance the desire to keep information secret in 
the name of national security, yet also make it available to 
the people that need it. And I would encourage the government 
to err on the side of making it available. Unfortunately, 
security by obscurity does not work and I think the best policy 
the government can take is one of transparency.
    And then with regard to education, I think we need to 
broaden the topic of cybersecurity to include legal, insurance, 
and even marketing, because there is a need to reestablish a 
tarnished image after an attack.
    And I will yield to the other witnesses.
    Mrs. RADEWAGEN. Ms. Sage?
    Ms. SAGE. Thank you, Mrs. Radewagen.
    On the question of balance, I think that is something that 
we are constantly trying to, for lack of a better word, 
balance. I think to Mr. Arnold's point in the whole area of 
classification, one of the things we see is that information 
may be classified when it comes to sources and methods, but the 
actual issues or concerns are not necessarily classified. The 
challenge is that perhaps with all of the information overload 
that we all have, sometimes it is not apparent which of these 
unclassified areas or topics or issues really need to be paid 
the most attention to. So I think that is an opportunity for 
our government partners as they are putting out this 
information, even in an unclassified format, to be able to 
provide some level, I do not know if it is a ranking or scoring 
or some level of identification to help companies understand 
while everything is bad, you know, but here are the things that 
we want you to pay particular attention to.
    When it comes to education awareness, I actually think that 
several agencies are really doing their best to really get the 
word out there. It is a big issue. It is a big topic. So 
whether it is SBA or DHS with their CQ program, NIST, Federal 
Trade Commission has some really good products, I think this is 
going to be a whole-of-government effort. I do not necessarily 
think that just one agency will be able to address all of the 
educational awareness needs.
    Mrs. RADEWAGEN. Mr. Reed?
    Mr. REED. I want to agree with Mr. Arnold and Ms. Sage 
about the issues about classification. And let me put a fine 
point on it. You ask about balance. If an agent decides to 
classify something, what happens to him if he is wrong? 
Nothing. If a small business does not have that information, 
they go out of business, and worse, their consumers and their 
customers, and frankly, your constituents, are harmed. And so 
when you ask the question about balance, I think that we do not 
have a good balance on it because ultimately, the small 
business goes away and people are harmed and the government's 
impact of making the more cautionary decision is nothing. So I 
think we have to remember what the impact of not sharing 
equals.
    On the education side, I would say that it is important to 
not undervalue the platforms. Most of us are looking to build 
some cool, interesting product on top of other technologies. 
And whether it is a cloud provider or another security company 
or anyone else in the space, look at ways that you can do 
public-private partnership with platforms to push that 
education to their customers. And if it is meaningful for them 
in an economic sense, it will be meaningful for us as small 
businesses.
    Mrs. RADEWAGEN. Mr. Gann?
    Mr. GANN. So on the question of balance in the area of 
information sharing, the big thing that one needs to remember 
is that small businesses are part of a much larger information-
sharing ecosystem, whether they are interacting with a cloud 
provider, whether they are interacting with an endpoint 
security provider, making sure the government is doing a very 
good job of managing equities in terms of what data to release, 
what data not to release in the cyber domain is absolutely 
critical to the health of that entire ecosystem. We always 
encourage the government to be prudent in what it classifies. 
If you are at the NSA or one of those organizations, you may be 
seeing 3 or 5 percent of the threats that are truly----
    Mrs. RADEWAGEN. I am out of time, Mr. Gann.
    Mr. GANN. Oh, sorry. That are truly driven from sources and 
methods. Those need to be held back. The other types of data 
that are more mundane should be shared.
    Chairman CHABOT. Thank you very much.
    Mrs. RADEWAGEN. Thank you, Mr. Chairman.
    Chairman CHABOT. Thank you. The gentlelady's time has 
expired.
    The gentleman from Florida, Mr. Lawson, the Ranking Member 
of the Subcommittee on Health and Technology, is recognized for 
5 minutes.
    Mr. LAWSON. Thank you, Mr. Chairman. And welcome to the 
Committee.
    This discussion underscores the dilemma that small firms 
have in protecting their companies' and their clients' data, 
while also sharing information not only with each other, but 
with the Federal Government. And I want you to know I am from 
the government and I am here to help you.
    Can the panel please explain what a good balance looks like 
for companies to have adequate protection while also working 
cooperatively with various agencies and authorities to share 
data?
    Mr. ARNOLD. Thank you for the question.
    So how do you achieve this balance? I think that, again, 
erring on the side of transparency first, one of the things I 
suggested in my written testimony is that maybe we let the 
frontline responders classify everything initially, but then 
have some central clearinghouse like DHS that can go through 
with the specific objective of declassifying everything to the 
point where it gets good information out without undermining 
the needs of the Nation state security.
    Mr. LAWSON. Anyone else care to respond?
    Ms. SAGE. Thank you, Mr. Lawson.
    Actually, in my testimony I really kind of focused on the 
area of liability protection and explicitly asked for your 
consideration of expanding that liability protection to small 
businesses in the event of a data breach or attack, because I 
think part of the concern, and it kind of speaks to part of my 
earlier written testimony, where I talked about some of the 
concerns small businesses have with providing information, 
particularly negative information to the government, that in 
some way it can either be lost or misused, et cetera.
    And so I think that that combination of the worry of 
providing information that may someday come back to haunt you, 
and God forbid you actually have an event, I think that would 
help small businesses to feel more comfortable sharing.
    Now, in my written testimony I do not say, well, just give 
us liability protection. I do say that there has to be some 
measurable commitment by these small businesses to cyber 
hygiene and cyber readiness. And so I think it is a formula of 
both requiring or asking or incentivizing small businesses to 
share information, but also providing protections in the event 
that there is a breach.
    Mr. REED. I think most of everything has been covered, but 
in thinking about it, I think part of it is also how do people 
assemble what they view as valuable information? In your 
district there is a company that is called Tech for Vets that 
works with a lot of veterans' information. As you can imagine, 
they do great work for the veterans community, but that also 
means they have access to an enormous amount of very sensitive 
data. And so when considering what that balance looks like and 
how do we engage, we agree with Ms. Sage that I think liability 
protection is absolutely essential, but it also, it reflects 
the fact that when you have that data and it is breached, your 
reaction is going to be, oh, my goodness, how do I staunch the 
bleeding? How do I stop the pain? And oftentimes your first 
reaction is not to tell everybody how you are in pain.
    And so finding a way that removes that liability or creates 
other frameworks where you can say I tried my best, I did not 
make it, help me next time. And so whether it is through 
incentives or liability protection, I think you have to 
understand the emotional state of somebody when they are going 
through an incident because I think it helps inform how you do 
a better job the next time.
    Mr. GANN. So the single best thing that policymakers can do 
in the area of cybersecurity is continue to keep the issue very 
bipartisan. If you go back 10 to 15 years and move forward from 
where we have started to where we are today, an awful lot of 
progress has, in fact, been made. CISA was passed. We have 
stood up authorities in the civil government domain, putting 
DHS in the first chair on cyber. We have increased information 
sharing. We have broadly educated the population, large 
business, small business to some degree on the cyber threats. 
Keep that work up and continue to update laws. Continue to 
update CISA. Allow more robust sharing of information beyond 
simple indicators of compromise. Look at creative ways to put 
in place the right incentives to increase security. Keep the 
work up and I think we will make a lot more additional 
progress.
    Mr. LAWSON. My time is about to run out, but one other 
thing after hearing the testimony from Mr. Reed, I was trying 
to equate how small--and you do not have to answer because my 
time has run out--how small of businesses are concerned with 
cybersecurity? And that is the ones that are 45 and stuff 
before we get into the level that you are talking about. Maybe 
at some point in time, Mr. Chairman, he might be able to 
answer.
    Mr. REED. Can I give a really short answer? Companies of 
one person can have records of hundreds of thousands of people.
    Mr. LAWSON. Wow. I yield back, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentleman yields 
back.
    The gentleman from Kansas, Dr. Marshall, is recognized for 
5 minutes.
    Mr. MARSHALL. Good morning, everybody.
    Mr. Reed spoke of fusion centers. Are the other witnesses 
familiar with fusion centers as well? Okay. When I visited our 
fusion center in Kansas, terrific facility, it is more of a 
regional facility I would describe it, the private sector 
interaction were several big utilities as I can recall, maybe a 
big bank. How are small businesses accessed? Ms. Sage, are you 
familiar with the small business access to the fusion centers?
    Ms. SAGE. It is a challenge because, first of all, a lot of 
these fusion centers are used for briefings at the classified 
level, et cetera. And so if you do not have those credentials 
to get in, you are not even in----
    Mr. MARSHALL. Right. Getting the top secret clearance.
    Ms. SAGE. Exactly.
    Mr. MARSHALL. And you cannot participate with them unless 
you have--you cannot say here is our problem without them 
divulging stuff to you in any way.
    Mr. Reed, you mentioned----
    Mr. REED. Right. I think that gets to the education. And 
having recently been in your wonderful district and talked to 
some of your small businesses there, I think there is a huge 
education gap on how those fusion centers can play a role. And 
so I think that the questions we have to ask is, is there 
something that can be done to give them the credentialing and 
the entry point? Because as you point out right now it is 
primarily critical infrastructure that understands how they fit 
into this equation, but as we have talked about here, literally 
hundreds of thousands of small companies have the information 
that could compromise critical infrastructure if we are not 
careful. So yes, we need to do a better job with getting access 
to those fusion centers.
    Mr. MARSHALL. My next question centers around it seems like 
we are always on defense when it comes to this rather than 
going on offense. It is almost like someone is trying to rob 
the bank 10 times a day, 20 times a day, and it seems like we 
have accepted that is okay and we do not go after those people 
hard enough and we are not going on the offense with them. We 
are not releasing these hunt viruses back at them and trying to 
be more aggressive. Maybe I am wrong. But who is out there 
doing a great job saying we are not going to take this anymore? 
We are not going to sit there and just get attacked. I will sit 
there and watch 20 or 30 attacks on some of my companies back 
home in the matter of an hour when I am there.
    Anybody have a comment about who is doing a good job on 
offense? Mr. Arnold does.
    Mr. ARNOLD. Well, actually, I was going to say that I do 
not think the small businesses are actually equipped to do 
offense at that level because they are going to invite a 
counterattack by going on the offensive.
    Mr. MARSHALL. So we need to empower them. Who is trying to 
say here is the software to go on the offensive?
    Mr. Gann?
    Mr. GANN. So let me take that one on. It depends on how you 
define offensive activity. We actually have to be careful with 
overbroad rules that allow unqualified people to hack back 
because you never quite know who the attacker is and you can 
get subsidiary effects.
    That said, there is a lot of innovative work being done in 
the cybersecurity sector on machine learning, on analytics, on 
doing a much better job of understanding threats as they are 
starting to occur and starting to react early on to zero day 
attacks that have not been seen before. The science is really 
moving much beyond the traditional blacklisting anti-virus 
model.
    So that innovation is occurring in large companies and you 
are seeing a lot of small players doing a lot of innovating, 
and you have seen a massive increase in the amount of venture 
capital money flowing through the cybersecurity sector. 
Billions of dollars, in fact. And so I think the trend lines 
overall are pretty good, but we still have some rough spots.
    Mr. MARSHALL. I need to move on to my next question.
    My opinion is most companies are afraid to report. They are 
afraid if they report it shows a weakness. Their customers 
might find out how vulnerable they are. How do we overcome 
that?
    Mr. ARNOLD. We need to help them plan ahead for the 
eventuality of that happening. Small businesses do not even do 
the normal tabletop exercises that larger organizations do that 
generally put larger organizations in a better spot to respond 
to an adverse event, even just from a marketing and PR 
standpoint. So helping educate small businesses on how to do 
that would be very helpful.
    Mr. MARSHALL. Any other?
    Mr. REED. And I think it ties back to your previous 
question, which is where do you find the consultants and others 
in the space that can help you build ahead? I think you work 
through platforms that exist, larger platforms, but also you 
look at some of the consultancies that exist out there and find 
ways to do, as you said, table-topping, but remembering always 
the primary goal of the business. So I think it is about 
informing the IT professionals that set up that web presence or 
that customer store or your database and saying to them, how 
are we prepared? And I think that goes to Ms. Sage's point, 
which is we have got to change the incentive structure.
    Ms. SAGE. I agree with both gentlemen. And I would just 
like to add, Dr. Marshall, that the cybersecurity framework 
that was developed by NIST in industry I think really provides 
a good model to help both large and small because it addresses 
that specific area of how do we respond to and recover from 
some of these cyber events?
    Mr. MARSHALL. Thank you. I yield back.
    Chairman CHABOT. Thank you. The gentleman yields back. 
Those are some excellent questions, really, and the answers 
were good, too. Thank you.
    The gentlelady from North Carolina, Ms. Adams, who is the 
Ranking Member of the Subcommittee on Investigations, 
Oversight, and Regulations, is recognized for 5 minutes.
    Ms. ADAMS. Thank you, Mr. Chairman. Thank you all very much 
for your testimony. I have learned a lot just listening.
    Let me ask Mr. Gann this question. Why should it be a 
priority for the Federal Government to pay attention to the 
vulnerabilities that small businesses face against cybercrimes?
    Mr. GANN. Well, it is a great question. Indeed, we have 
gotten so many great questions. It has been really a very fine 
hearing.
    Small businesses, it is worth remembering, oftentimes can 
be part of the most innovative pieces of the economy. Small 
businesses, whether in tech, biotech, machining, any number of 
areas, are oftentimes there because their founders left big 
companies because they wanted to do something new that maybe a 
large organization did not allow them to innovate on. So 
protecting those assets, those pieces of intellectual property 
that are really the seed corn of the future of our economy, 
that is absolutely essential. That is, I think, number one. 
Beyond that the issue of PII that so many small businesses own 
today, that is number two. But small business is absolutely a 
piece of the challenge that needs to be addressed.
    Ms. ADAMS. Thank you.
    Mr. Arnold, how can small business development centers help 
with the collection and the dissemination of cybersecurity 
information?
    Mr. ARNOLD. Well, let's talk about first the collection 
thereof. When events happen, some of them have grave economic 
impact. Some of them maybe do not have horrible economic 
impact, but they have some technical issues and indicators that 
all need to get reported. And so the SBDC has kind of become a 
triaging place so the small business can say, hey, I have had 
this kind of attack. Who do I need to report this to? And they 
can give a list of the agencies that are best suited to gather 
that data.
    And then likewise, on the back side of disseminating the 
information back out, as Ms. Sage has pointed out a couple of 
different times, each small business is very unique in its 
needs and there are a lot of different programs out there and 
there is a need for that diversity, but we also need to have a 
phonebook, if you will, a directory of, okay, well, these are 
the information programs that are out there. These are the 
educational pieces that are out there, and the SBDCs could 
connect the small businesses to those.
    Ms. ADAMS. Thank you. And anybody who wants to answer this 
question.
    Based on your experience as a small business working with 
other small businesses, why is it that most small firms do not 
understand the full scope of their risk to cyber threats? And 
do you believe we need more outreach, more education? Anybody 
can respond to that. I would appreciate it.
    Mr. REED. So having been a founder of a couple of small 
businesses, what makes you motivated to build a small business 
is to solve a problem, whether it is to sell food on the street 
corner or to build the next great social media application. 
Your focus is on delivering a product and solving a problem as 
you see it. And that is what burns inside of you. That is what 
takes the risk. That is what gets you to borrow money from your 
mom's house to put it out there. And so the problem starts with 
if cybersecurity is not something that you are in the business 
of, and it is not the problem you are trying to solve, you are 
pouring every amount of your heart and soul into solving that 
specific problem.
    So I think that what we have to do is early on the 
education effort has to be if you want to see your dream 
realized, then you need to make sure that you are taking care 
of business at the very beginning before you see your dream 
dashed because you lost that information. So I think it is 
about structuring the question that you asked. And I think it 
is a vital question. And you need to turn it back on that small 
business and ask them, I am here to help you get your dream, 
but what are you doing to make sure it can live for the long 
term, not just for the short?
    Ms. ADAMS. Okay. Does anybody want to respond quickly to 
that?
    Mr. ARNOLD. I would like to add, too, that small 
businesses, well, will frame cybersecurity as an IT program. It 
needs to be reframed as a business problem, one that the 
business owners have to address, and I think that is critical.
    Ms. ADAMS. Ms. Sage?
    Ms. SAGE. I just want to say amen.
    Ms. ADAMS. Okay.
    Ms. SAGE. I also think that to the points that have been 
made earlier, if cybersecurity is not going to help us 
ultimately accomplish our business goal, it will go the way of 
every other issue or concern that small businesses have to deal 
with, which is we do not deal with them until we have to. So to 
the extent that we can help, as you rightly pointed out, 
educate business owners, and to Mr. Arnold's point, that this 
is not just a technology problem, educate business owners that 
it is the same like if you do not have an EIN number for doing 
business, you cannot do business. It does not matter what kind 
of service you want to provide. There are certain things you 
just have to have in place. And I think if we can get our small 
business community to understand that this is one of those 
kinds of things, I think we will be in a much better place.
    Ms. ADAMS. Thank you very much. I am out of time.
    Chairman CHABOT. Thank you very much. The gentlelady's time 
is expired.
    We want to thank the panel here for your very insightful 
information that you have given us here today. I think you have 
answered the questions very well and cybersecurity is clearly 
one of the principal, one of the greatest issues a lot of small 
businesses face today. They know it is important, but they are 
not quite sure exactly what to do about it. And this Committee 
wants to work to help them to the extent that we can. So thank 
you for helping us to help them. We appreciate it greatly.
    I would ask unanimous consent that all members have 5 
legislative days to submit statements and supporting materials 
for the record.
    Without objection, so ordered.
    And if there is no further business to come before the 
Committee, we are adjourned. Thank you very much.
    [Whereupon, at 12:08, p.m., the Committee was adjourned.]
    
         A P P E N D I X

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Fragmentation

    The most fundamental problem in accessing this data right 
now is fragmentation. The DHS, FBI, NIST, and the NSA, are just 
a few of the agencies collecting cyber incident and 
intelligence information. Each has multiple repositories and 
programs. Some are well advertised, while some are part of 
workgroups and not widely available. Others are hidden by 
classification. Simply having a list of all the data sharing 
initiatives available would help tremendously.

    Such a list might start with the various Information 
Sharing and Analysis Centers (ISACs) and Information Sharing 
and Analysis Organizations (ISAOs), and expand to include 
programs like DHS's Automated Indicator Sharing (AIS) program. 
The inventory would include what information sources they 
consume, how they make the data available, and the membership 
criteria for each. The intermediate organizations like ISACs 
and ISAOs are, in many cases, doing a great job of making 
otherwise inaccessible data available to small businesses \2\.
---------------------------------------------------------------------------
    \2\ See Appendix: How the IT-ISAC makes AIS affordable

    Small businesses are extremely resourceful. Having quality 
incident reporting and cyber intelligence flowing to the small 
business community lets us build solutions for ourselves.\3\ 
Our biggest challenge, in that regard, is collecting and 
aggregating data from a wide array of sources. In truth, even 
the largest multi-national companies cannot collect data on the 
breadth and scale that US government agencies can provide. 
Access to quality data for companies of all sizes helps level 
the playing field between large and small businesses and will 
spur economic development alongside novel solutions.\4\
---------------------------------------------------------------------------
    \3\ See Appendix: Email Interview: Douglas M. DePeppe--Cyber 
Resilience Institute
    \4\ See Appendix: Economic Trends And How Shared Information Helps

    Overuse of Classification

    Another problem with sharing information is the overuse of 
classification. There are a myriad of rules governing the 
declassification of information, but declaring valuable 
information a secret is almost effortless. It takes no more 
than two words, uttered in a grave tone, to play keep away with 
vital information. ``That's classified.'' And just like that, 
our cyber equivalents of neighborhood crime statistics and sex 
offender registries are taken away in the name of national 
security. While secrets have their place, we have a right to 
know what is going on around us, and every data point that gets 
classified degrades our ability to make good decisions \4\, 
\5\.
---------------------------------------------------------------------------
    \5\ See Appendix: How Classification Impacted the Wannacry Outbreak 
and Response

    The other problem with classifying information is that it 
creates another digital divide between the haves and the 
have-nots. Small companies are generally much better at raw 
innovation. When we cannot get access to the raw material for 
building novel solutions, our security posture will not improve 
and we lose economic opportunities to create jobs around our 
innovations.

    As you contemplate the role of classification, please keep 
this in mind: When this country was founded, we were colonists 
living under the boot of a government that exerted control by 
keeping secrets and forcing access to information it deemed 
might be incriminating. Our adversaries would like nothing more 
than to goad our government into keeping secrets, then unleash 
those secrets to draw the ire of the citizens and undermine 
trust. Remaining transparent is the only solution that works in 
the long run. It is better that we let our enemies know we see 
them coming and face them head on, than to have us bickering 
with one another while they steal all our trade secrets \5\.

    Pressure to Keep Up Poses Major New Threat

    There is a more pressing issue to which I need to draw your 
attention. It is a byproduct of two distinct disadvantages that 
small businesses face:

          1. As big companies armor up, attackers turn to less 
        protected small businesses.

          2. Small businesses cannot afford to compete with big 
        companies for the cybersecurity talent and solutions 
        they need to protect themselves.\6\
---------------------------------------------------------------------------
    \6\ The federal government is also snapping up scarce talent. For 
example, students can receive scholarships worth up to $60,000 for NSA 
accredited degree programs, but then they are obligated to work for the 
government. Small businesses cannot compete with that kind of 
recruitment.

    These are circular issues with one begetting the other. In 
their wake, the demand for affordable solutions will rise 
dramatically, creating yet another threat. Small businesses 
desperate to meet the cybersecurity demands of larger clients, 
government regulations, insurance carriers, and lending 
institutions are going to become victims once again. 
Adversaries will use this opportunity to sell cheap software 
and services that are subsidized by selling data and secrets 
out the back door and give them a toehold in the supply chain 
of larger organizations.

    The driver here is that cybersecurity is also economic 
warfare and a geopolitical game of chess that knows no borders. 
These higher-level battles manifest as foreign and domestic 
espionage, extortion, and economic disruption. They encompass 
aspects of both organized crime and the Cold War. A central 
issue that impacts small businesses is the ability to vet 
vendors who may have ties to either the criminal underground or 
nation-state adversaries.

    Deputizing Small Business Cyber Solution Providers

    I believe we can get ahead of this problem with your help. 
Fixing the problem with American-made products and services 
will not only protect the sector, but also stimulate job growth 
and economic development. I suggest that the SBDCs work with 
local, state, and federal law enforcement to certify local 
vendors as All-American solution providers, then connect those 
vendors with other SBDCs within their state and across the 
nation.

    Participants would be bound to:

            defend small businesses under a Hippocratic-like 
        oath,

            affirm allegiance to US interests,

            produce software/services domestically (no 
        offshoring data or talent), and

            report cyber intelligence using uniform methods.

    Participants would be subject to steep legal penalties for 
using offshore solutions, perhaps submitting to spot-check 
investigations to ensure compliance. However, so long as they 
rely on American solutions, they (and perhaps their clients) 
would be protected by good-Samaritan laws much like our first 
responders. These deputized small businesses would also form a 
sort of national guard embedded directly in our business 
communities.

    Improving the Collection and Dissemination of Information

    In addition to tapping our SBDCs, I believe the government 
has two resources that can help with collection and 
dissemination of cybersecurity information. Our Bureau of Labor 
Statistics (BLS) is very good at aggregating, summarizing, and 
making data available in easy to digest forms. Meanwhile, the 
IRS is one agency to which every small business owner is happy 
to report losses.

    Obviously there is potential for abuse in reporting losses 
that did not occur. To offset this, any loss report would 
trigger (or could trigger in the case of a lottery system) an 
investigation by law enforcement to validate claims. The 
investigation would allow for the gathering of valuable 
incident details and cyber intelligence information.

    The DHS was established to bring together intelligence and 
data from multiple agencies. Therefore it makes sense to have 
data bubble up to them for aggregation and, when absolutely 
necessary, apply judicious and time-limited classification. 
Gathering points for information would include the IRS, as 
mentioned above, but also local/state/federal law enforcement, 
with SBDC advisors connecting small businesses to them as 
appropriate. In fact, it may be best to classify all data 
initially at the gathering points and charge the DHS with 
declassifying everything, except that which is truly vital to 
national security or conflicts with privacy. Doing so alleviates 
the SBDC advisors, law enforcement, and any deputized 
businesses from making such decisions.

    While DHS has the ability to aggregate and (de)classify 
data, the Bureau of Labor Statistics (BLS) has the talent, 
infrastructure, and existing relationships to repackage and 
deliver it back to the community. Undoubtedly some will insist 
the data need not be made public. But security by obscurity 
only builds false hopes.\7\ In fact, I would argue that the 
value added from the statistical expertise to correctly 
interpret raw data would far outweigh the idea of keeping 
poorly interpreted data secure.
---------------------------------------------------------------------------
    \7\ See Appendix: How Classification Impacted the Wannacry Outbreak 
and Response

    An example of poorly interpreted data is the oft-quoted 
statistic that sixty percent of small businesses fail within 
six months of a cyber attack. It is so tantalizing, that even 
we used it at Threat Sketch early on in our marketing 
materials. However, we later learned this to be unverified 
information and have distanced ourselves from it because our 
clients trust us to deliver accurate data.\8\
---------------------------------------------------------------------------
    \8\ https://www.bankinfosecurity.com/blogs/60-hacked-small-
businesses-fail-how-reliable-that-stat-p-2464

    SBDC Advisor Training

    Small businesses need local solutions that can tap into a 
national network of trusted solution providers. The SBDCs have 
proven effective in helping small businesses navigate a myriad 
of state, federal, and local resources, and with training. I 
believe they can rise to this challenge as well.

    With regard to training, the NSA has been busy establishing 
a network of colleges and universities that are Centers of 
Academic Excellence (CAE) in Cybersecurity. And NIST, through 
its National Initiative for Cybersecurity Education (NICE), is 
helping standardize the language in our industry, which is much 
needed. I believe that the NSA-CAE community colleges and 
universities are well positioned to cross-train and up-train 
existing SBDC advisors on the business aspects of 
cybersecurity. Advisors need not become technical experts, but 
rather learn the standardized language developed by NICE and 
delivered through NSA-CAEs. Doing so will let them help small 
businesses locate and connect with appropriate resources.

                                Appendix


    How the IT-ISAC makes AIS affordable

    The DHS has an information sharing program called Automated 
Indicator Sharing (AIS) that gathers and distributes cyber 
intelligence using STIX and TAXII protocols. When I first 
encountered this program through Threat Sketch, the only 
commercially supported software systems had six-figure price 
tags. Although free, open-source versions exist, they require 
constant patching and maintenance as well as a secure facility 
to house them. These hidden implementation costs put ``free'' 
information well out of the price range of small businesses.

    We were referred by AIS to the IT-ISAC, which already has 
infrastructure in place to receive AIS information via STIX/
TAXII and was able to fractionalize the cost among its paid 
members. The IT-ISAC has since played a vital role in both 
supplying data and allowing us to share our own knowledge back 
to the community.

    Email Interview: Douglas M. DePeppe - Cyber Resilience 
Institute

          Cyber Market Development Project, as well as Sports-
        ISAO Project Office. Our nonprofit, Cyber Resilience 
        Institute, is the NIPP Challenge awardee (and our 
        project will transition to commercial use under `c-
        Market' branding and naming). Our model has a CTI and 
        Information Sharing core, based in a community and 
        adopting a PPP sharing and capacity building model.

          That as a quick background, we enter communities 
        through students and a workforce program: c-Watch. And, 
        what we're promoting is the linking together of a 
        network of cyber hunters and analysts--that is, 
        graduates of the workforce program--into the Cyber 
        Threat Intelligence Research Network. What CTIRN 
        represents is a national capability of students--a bit 
        like a CyberCorps or a cyber-ROTC equivalent--engaged 
        in populating a commercial Order of Battle (i.e., 
        adversary profiling), that would be available for the 
        private sector and all levels of government, and 
        without incurring IC classification constraints.

    How Classification Impacted the Wannacry Outbreak and 
Response

    I participated in the national response to the Wannacry 
outbreak led by the National Cybersecurity and Communications 
Integration Center (NCCIC; pronounced ``N-KICK''). During one 
of the daily NCCIC calls, a large company claimed to have 
something they wanted to share, but did not want to make it 
public. A DHS representative came on the line and declared the 
briefing TLP-Yellow from that point forward. He then invited 
all companies on the line to share what they knew and there was 
nothing but awkward silence. Even under a veil of secrecy, the 
big company was unwilling to share what they knew. I wonder to 
this day what it was and if it could have saved even one 
victim.

    And let us not forget the reason the Wannacry outbreak was 
able to travel so quickly. It did so by leveraging an exploit 
discovered by the NSA and kept secret until exposed in a 
WikiLeaks data dump. I understand why the flaw was kept secret, 
but that decision was not without consequences. The entire 
attack may never have occurred had the flaw been disclosed to 
the private sector when it was first discovered. 
Not only did that decision lay the groundwork for the 
ransomware attack, but it created a rift between the government 
and the private sector. I know of at least one large-scale flaw 
that was not reported to the government for the reason that 
cybersecurity researchers have lost faith in our government. It 
will take a long time and many taxpayer dollars to recover from 
the tarnished image that results from keeping secrets.

    Economic Trends And How Shared Information Helps

    To describe how shared cyber incident and intelligence 
information helps small businesses, I need to provide context. 
At a company level, cybersecurity is a business problem of risk 
management. At a national level, cybersecurity is economic 
warfare. At a global scale it is a geopolitical game of chess 
that ignores physical borders.

    At the business level, three trends drive cyber risk in 
small businesses. They are:

          1. An increase in incentives for hackers to make 
        money by exploiting stolen data.

          2. A dramatic rise in the liability that comes with 
        handling sensitive data.

          3. The use of automation to attack small businesses 
        on an industrial scale.\9\
---------------------------------------------------------------------------
    \9\ Arnold, Rob (2017). Cybersecurity: A Business Solution. ISBN 
978-0692944158.

    Let's use a familiar example to illustrate how these three 
forces have changed the risk landscape. Consider an employee's 
W-2 form. Ten years ago it was hardly worth the paper it was 
printed on because there was no mass market for selling 
personal information. Today, each W-2 is worth $20 or more on 
underground black markets. The incentive has gone from nearly 
zero to $20 per victim.

    While the hacker gets $20 for each W-2, the liability to 
the employer and the employee is substantially higher. In the 
extreme, lawsuits and drained bank accounts can cost the 
business and the employee hundreds of thousands of dollars. And 
more subtle losses come in the form of lost morale and the 
hassle of dealing with damaged credit, which add to the losses.

    While there is an incentive to steal W-2s en masse from 
large companies, the big companies are becoming harder to 
attack. As a result, hackers are using automation to go after 
unprotected, unprepared small businesses by the thousands. Due 
to the volume of attacks, they only need to compromise a small 
fraction of them to make a profit. It is a nefarious business 
model that works.

    In the context of trend number one, sharing cyber 
intelligence about black markets and espionage warns small 
businesses about emerging incentives for stealing data. To 
address the second trend, which is victim liability, incident 
reporting is used to understand trends in the risk landscape 
and to determine how different attacks relate to losses. 
Finally, combatting automated attacks means using both types of 
data to detect large scale operations and respond quickly to 
undermine the nefarious business model.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                  STATEMENT FOR THE RECORD OF

     THOMAS GANN, CHIEF PUBLIC POLICY OFFICER, MCAFEE, LLC.

  BEFORE THE U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON SMALL 
                            BUSINESS

ON ``FEDERAL GOVERNMENT AND SMALL BUSINESSES: PROMOTING GREATER 
                          INFORMATION

              SHARING FOR STRONGER CYBERSECURITY''

  November 15, 2017, 11:00 AM / RAYBURN HOUSE OFFICE BUILDING 
                           ROOM 2360

    Good morning, Chairman Chabot, Ranking Member Velazquez, 
and distinguished members of the committee. Thank you for the 
opportunity to testify today, I am Tom Gann, Chief Public 
Policy Officer for McAfee, LLC. I have over 20 years of 
experience in the IT industry, having run government relations 
and public sector alliances functions for Digimarc, Siebel 
Systems and Sun Microsystems. During the last decade, I have 
focused on cybersecurity and identity management issues. I hold 
degrees in business and political science from the London 
Business School and Stanford University.

    I am pleased to address the committee on this important 
matter. My testimony will address the cybersecurity challenges 
small businesses face, why sharing technical information is 
particularly difficult for small businesses, the types of 
information sharing that could be most useful to them, and 
general recommendations that can enhance the cybersecurity 
capabilities of small businesses.

    MCAFEE'S COMMITMENT TO CYBERSECURITY

    McAfee is one of the world's leading independent 
cybersecurity companies. Inspired by the power of working 
together, McAfee creates business and consumer solutions that 
make the world a safer place. By building solutions that work 
with other industry products, McAfee helps businesses 
orchestrate cyber environments that are truly integrated, where 
protection, detection and correction of threats happen 
simultaneously and collaboratively. By protecting consumers 
across all their devices, we secure their digital lifestyle at 
home and while on the go. By working with other security 
players, we are leading the effort to unite against state-
sponsored actors, cybercriminals, hacktivists and other 
disruptors for the benefit of all. McAfee is focused on 
accelerating ubiquitous protection against security risks for 
people, businesses and governments worldwide.

    Before beginning my comments, I want to express how 
extremely pleased McAfee is in seeing the focus on improving 
the cyber threat landscape for small businesses. Through the 
past several years, a great deal of time and effort has been 
focused on larger organizations with resources to invest, but 
attention on risks to small business--the backbone of our 
nation's economy--is long overdue. For too long, small 
businesses have been a target of malicious actors with little 
or no way to protect themselves due to education and resource 
constraints. Thank you for investigating ways to better protect 
this vital segment of our digital economy.

    CYBERSECURITY RISKS FACED BY SMALL BUSINESS

    There's no doubt that small businesses face many of the 
same cybersecurity risks as large ones. Some cyber-attack 
methods, such as ransomware and those that begin with spear-
phishing, are particularly well-suited to small businesses, who 
might be an easy target because of their lack of cybersecurity 
resources. Small businesses store personal information, 
implement operational requirements and own valuable 
intellectual property just as large enterprises do, so they too 
need strong cybersecurity protections. In fact, more than 50 
percent of cyber-attacks are launched on firms having fewer 
than 50 employees, according to cyber expert Steve Morgan. A 
2016 report from Keeper and the Ponemon Institute found that 
only 14 percent of small and medium-sized businesses say they 
have the ability to effectively mitigate risks and 
vulnerabilities. Further, 50 percent say they had been breached 
in the past 12 months. This is not at all surprising, given 
that many small businesses might not even have IT staff, let 
alone cybersecurity staff.

    Not addressing these risks has real consequences for the 
businesses themselves, larger businesses and local economies. 
For example, an August 2017 analysis by Tech Republic found 
that a single cybersecurity attack could cost a small business 
$256,000. And we've seen at least one instance of a small 
business breach affecting a larger one in the Target hack.

    An October study by the Better Business Bureau, The State 
of Small Business Cybersecurity in North America, found that 
half of small businesses could remain profitable for only one 
month if they lost essential data. Further, while small 
businesses may be adopting solutions like antivirus software, 
one of the most cost-effective tools, employee education, is 
used by fewer than half the companies surveyed. The report also 
found that while awareness of cybersecurity risk among small 
business owners is growing, they are not at all certain what to 
do about it.

    According to an August 2017 survey from BizBuySell, the 
Internet's largest business-for-sale marketplace, 90 percent of 
small businesses believe it's at least important to protect 
themselves from a cyber-attack. Yet moving from cyber 
protection being important to it being essential, practical and 
affordable is a big step. Investing in more than just very 
basic cybersecurity tools requires time, money and other 
resources--like an IT staff--that small businesses often don't 
have. We have to acknowledge the fact that for most small 
businesses, cybersecurity is an expense they don't want to 
incur when they're trying to simply make payroll and remain 
profitable.

    ``Profitability is the ultimate test of risk,'' one of the 
Better Business Bureau report's authors said, adding that small 
business owners have to do a cost-benefit analysis of 
cybersecurity. ``It doesn't do any good for a small business to 
adopt a $10,000 solution if the potential risk reduction is 
worth $5,000,'' he added.

    THE INFORMATION SHARING CHALLENGE FOR SMALL BUSINESS

    So, what's the solution? Should small businesses 
participate in the Department of Homeland Security's (DHS) 
cyber threat information sharing program mandated by the 
Cybersecurity Information Sharing Act (CISA)? This is a 
question worth exploring. In talking with our customers, it is 
clear that many small businesses are unaware of CISA, often 
don't understand how the law can help them, and are confused by 
the many information sharing initiatives out there.

    However, I also believe we should consider how information 
sharing efforts, such as those mandated by CISA, can directly 
benefit small businesses.

    The DHS initiative known as Automated Indicator Sharing 
(AIS) is open to small businesses, but few have the resources 
or an educated IT staff to make direct use of or benefit from 
it. The kind of information shared via AIS consists of 
indicators of compromise (IOCs). While the overall program has 
been a strong step in the right direction, it still provides 
far too little real value. IOCs are just the breadcrumbs that 
network security staff look for to uncover clues as to what may 
be occurring inside their organizations. Typical IOCs include 
registry keys, MD5 hashes of potential malware, IP addresses, 
virus signatures, unusual DNS requests, and URLs. While these 
can be useful, they are not enough to provide the defensive 
information needed to protect an organization.

    The information shared must be both useful and actionable 
to the receiving parties and, in the case of AIS, it also must 
be automated. As many small businesses outsource functions like 
their point of sale systems, or even their entire IT needs, 
they may not have access to the information contained there, 
let alone be able to ensure it is useful and actionable. Even 
if they had their own IT support infrastructure, small 
businesses would have to acquire and set up systems and 
software to collect, share and use the information. The reality 
is any information sharing capabilities require time, money and 
resources that many small businesses just do not have.

    Additionally, it should be understood that we are not 
sharing information just for sharing's sake. There needs to be 
a valuable purpose for the sharing if a business is going to 
spend the money needed to set it up and maintain it going 
forward as a core business practice. If the information being 
shared is not useful, actionable and automated, then the entity 
sharing it doesn't bring much value to the table--nor would the 
small business get value from it. Today, the type of simple 
information via IOCs exchanged by AIS is hard for small 
businesses to get value out of.

    A DIFFERENT KIND OF INFORMATION SHARING

    This doesn't mean that small businesses don't need or can't 
benefit from cyber threat intelligence; they certainly can. But 
perhaps we should focus our discussion more on sharing a 
different kind of information--information that is more 
informative and educational right away.

    The Better Business Bureau study found that when asked to 
judge 10 statements on cybersecurity as either true or false, 
the average score was below 60 percent, meaning that there are 
still opportunities to better educate small businesses and 
dispel some myths. And regarding what to do first in a data 
breach, only about 20 percent of respondents answered 
correctly. Granted, the laws vary from state to state and can 
be complicated, but this just points out the need for more 
education on the benefits of having a plan before a breach 
occurs.

    Education and awareness efforts are essential. The Federal 
Trade Commission (FTC) just last month launched a new site for 
Protecting Small Business that offers advice on cybersecurity 
basics, protecting personal information and what to do in the 
event of a data breach. Likewise, the Small Business 
Administration (SBA) also provides resources on its website. We 
need even more initiatives like these that make it as easy as 
possible for small businesses to learn more about how to 
protect themselves.

    The federal government can also help raise awareness among 
vendors and solutions providers of the role small businesses 
play in protecting the nation's critical infrastructure. Many 
important government contractors are small businesses and, as 
we learned in the retail attacks of 2014, small businesses are 
attractive attack conduits for breaching larger business or 
government targets rich in high-value data or other assets.

    DEDICATED INFORMATION SHARING ORGANIZATION FOR SMALL 
BUSINESS

    The federal government should also help develop and fund 
the standup of a non-profit Information Sharing and Analysis 
Organization (ISAO) focused on U.S. small businesses. Small 
businesses do not have the resources to address the problem of 
gathering and analyzing cyber threat intelligence on an ongoing 
basis, but a highly targeted ISAO with initial support from the 
federal government could help. A small business-focused ISAO 
could use the economies of scale to be able to supply 
appropriate information to those businesses that lack the
resources but still need current cyber threat intelligence. 
Such an ISAO could provide education services to its members as 
a part of their services, such as basic cyber hygiene and more 
advanced topics like incorporating the NIST Cybersecurity 
Framework into their security program. Cyber education is 
critical to the success of small businesses being able to
understand the problems in order to begin addressing them.

    The ISAO could provide its members with best practices, 
lessons learned, templates and processes for addressing 
incidents, the ability to get help understanding the problems 
and act as a hub in case a breach occurs. In the event of an 
incident, small businesses need to know where to go and what to 
do. The ISAO could also act as the first point of contact in 
determining whether or not to reach out to law enforcement and 
to assist the business in addressing the incident. This would 
also allow the ISAO to communicate the situation to its other 
members so that they too could be informed.

    An information sharing organization such as this would 
also be able to spread costs among its members. We encourage the
government to consider providing the initial startup funding 
for a national small business ISAO.

    ADDITIONAL RECOMMENDATIONS FOR PROTECTING SMALL BUSINESS

    Move to the Cloud

    Advances in technology can also serve to protect 
technology. For example, outsourcing infrastructure to a cloud 
provider is becoming more common. This practice could have real 
advantages for a small business, as the cloud provider would be 
responsible for security. Both infrastructure as a service and 
security as a service warrant attention from small business, as 
both can be economical ways to provide efficiencies and 
security without the business owner having to think about it. 
The growth of cloud applications has made these ``as-a-
service'' technologies real possibilities. Leveraging them 
could enable a small business to focus on becoming a medium-
sized business, for example, rather than having to be an IT and 
security expert.

    At the same time, cloud providers have the opportunity to 
gain the insight from the threats they see on the endpoints of 
their small business customers, benefiting from the ever-
growing network effects of more and more threat data, which in 
turn can enhance their ability to improve their customers' 
security. Cloud providers should also be able to leverage their 
economies of scale to share threat information with their 
partners in the private and public sectors.

    While the move to the cloud has real benefits, small 
business owners cannot contract out all of their cybersecurity 
obligations, particularly in the area of strong blocking and 
tackling--making sure that passwords are updated on a regular 
basis and backing up information on a regular basis.

    Improve DHS's Automated Indicator Sharing (AIS) Program

    While the AIS program is still in the startup phase and 
needs to broaden the type of information it receives and 
shares, we should not give up on its potential. Policymakers 
need to enable the administration to move beyond simple 
indicators supplied via AIS and provide a means to enrich the
effectiveness of shared information. The administration should 
increase its efforts with the private sector to further evolve 
the way cyber threat information is represented, enriched and 
distributed in a timely fashion. Doing so will help create a
high-functioning ecosystem of information sharing that will 
help all organizations, both large and small, to compete with 
global networks of sophisticated hackers.

    Encourage Cyber Insurance for Small Businesses

    Small businesses would also benefit from cyber insurance, 
which is specifically designed to protect an organization from 
risk. This is still a small but growing part of the insurance 
market. It deserves more attention, as does the idea of having 
the government act as a reinsurer for the cybersecurity 
insurance market during its early stages. Alternatively, the 
government could establish a program similar to the National 
Flood Insurance Program to help support the private market in 
the event of catastrophic, widespread attacks.

    Invest in Fighting Cyber Crime

    The government should also devote additional resources to 
fighting cybercrime. Too often, it is small businesses in 
sectors like health care and finance that are being hacked by 
cyber criminals. These criminals are perfecting the art of 
ransomware, and small businesses are all too often being
forced to pay to protect their data. Law enforcement at all 
levels--federal, state and local--needs to have the resources to
identify and take down hackers who have been terrorizing the 
small business community.

    CONCLUSION

    It's important to recognize that technical information 
sharing is only one piece of the puzzle. Small businesses need, 
first of all, to get the basics of cybersecurity right. 
Information sharing efforts designed to educate and raise 
awareness are more important--at least at this point--than 
those intended to share automated, actionable indicators of 
threats. Small businesses can benefit greatly from moving their 
infrastructure and security to the cloud and the economies of 
scale of ISAOs dedicated to their unique requirements. Cyber 
insurance also holds promise, as does doubling down on 
investments to fight cybercrime. We also need to support 
efforts to boost the effectiveness of the Automated Indicator 
Sharing program to ensure that everyone wins over time.

    Thank you for giving McAfee the opportunity to testify on 
this important topic. I'd be happy to answer any questions.
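    [Editor's added example, not part of the witness's statement and not code from McAfee, DHS or the AIS program.] The testimony lists the indicator types that AIS distributes (MD5 hashes, IP addresses, DNS names, URLs) and argues that a bare indicator match is only a breadcrumb. The Python below shows both halves of that point: it matches a constructed indicator feed against constructed log lines, then correlates the hits by host, which is the minimal enrichment step that turns isolated matches into something a defender can act on. The feed values, log lines and the `host=` field convention are all assumptions made for the illustration; the addresses are from documentation ranges and the hash is the MD5 of the empty string, so none of them describe real threat activity.

```python
"""Minimal IOC matching and per-host correlation over constructed log lines.

Added example; not code from the hearing, McAfee, or the DHS AIS program.
All indicators, hostnames and log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed indicator feed. The IPv4 address is from the TEST-NET-3
# documentation range and the MD5 is the hash of the empty string, so
# neither describes real threat activity. (Assumption for the example.)
IOC_FEED = [
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "domain", "value": "update-check.example"},
    {"type": "url", "value": "http://update-check.example/dl/payload.bin"},
]

# Constructed log lines from a DNS resolver, a web proxy, an AV agent and a
# firewall. The "host=" field is an assumed convention, not a real format.
LOGS = [
    "2017-11-15T09:12:01Z dns host=WS-07 qname=update-check.example type=A",
    "2017-11-15T09:12:02Z proxy host=WS-07 method=GET "
    "url=http://update-check.example/dl/payload.bin status=200",
    "2017-11-15T09:12:05Z av host=WS-07 file=C:\\Users\\j\\AppData\\Local\\Temp\\svc.exe "
    "md5=D41D8CD98F00B204E9800998ECF8427E",
    "2017-11-15T09:13:40Z fw host=WS-07 action=allow dst=203.0.113.45 dport=443",
    "2017-11-15T09:14:00Z fw host=WS-12 action=allow dst=198.51.100.7 dport=443",
]

# One extraction pattern per indicator type the testimony names.
PATTERNS = {
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
HOST_RE = re.compile(r"\bhost=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned log lines
    ioc_type: str  # md5 / ipv4 / domain / url
    value: str     # normalized (lower-cased) matched value


def load_feed(feed):
    """Index the feed by type with lower-cased values so matching is
    case-insensitive (hashes and hostnames are often logged in mixed case)."""
    index = {}
    for ioc in feed:
        index.setdefault(ioc["type"], set()).add(ioc["value"].lower())
    return index


def scan(lines, index):
    """Extract candidate values of each type from every line and report
    those present in the feed. Each (line, type, value) is reported once."""
    hits, seen = [], set()
    for n, line in enumerate(lines, 1):
        for ioc_type, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0).lower().rstrip(".,;)")
                key = (n, ioc_type, value)
                if value in index.get(ioc_type, ()) and key not in seen:
                    seen.add(key)
                    hits.append(Hit(n, ioc_type, value))
    return hits


def correlate_by_host(lines, hits):
    """Group hits by the host that produced the log line. A single match is a
    breadcrumb; several indicator types on one host in a short window is the
    kind of context a small-business defender can actually act on."""
    by_host = {}
    for h in hits:
        m = HOST_RE.search(lines[h.line_no - 1])
        host = m.group(1) if m else "unknown"
        by_host.setdefault(host, set()).add(h.ioc_type)
    return by_host


if __name__ == "__main__":
    found = scan(LOGS, load_feed(IOC_FEED))
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type} {h.value}")
    for host, types in correlate_by_host(LOGS, found).items():
        print(f"{host}: {len(types)} indicator types -> {sorted(types)}")
```

    Run as a script it lists each raw match and then the per-host roll-up; the constructed data yields four indicator types on one workstation and nothing on the other, which is the difference between a list of hits and a lead worth investigating.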