[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                   AFTER THE BREACH: THE MONETIZATION
                     AND ILLICIT USE OF STOLEN DATA

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON TERRORISM

                          AND ILLICIT FINANCE

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 15, 2018

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 115-81
                           
                           
 
 
                               __________
                                
 
                     U.S. GOVERNMENT PUBLISHING OFFICE                    
 31-386 PDF                  WASHINGTON : 2018                     
           
 -----------------------------------------------------------------------------------
 For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
 http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
 U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com. 
 
                           

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                    JEB HENSARLING, Texas, Chairman

PATRICK T. McHENRY, North Carolina,  MAXINE WATERS, California, Ranking 
    Vice Chairman                        Member
PETER T. KING, New York              CAROLYN B. MALONEY, New York
EDWARD R. ROYCE, California          NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma             BRAD SHERMAN, California
STEVAN PEARCE, New Mexico            GREGORY W. MEEKS, New York
BILL POSEY, Florida                  MICHAEL E. CAPUANO, Massachusetts
BLAINE LUETKEMEYER, Missouri         WM. LACY CLAY, Missouri
BILL HUIZENGA, Michigan              STEPHEN F. LYNCH, Massachusetts
SEAN P. DUFFY, Wisconsin             DAVID SCOTT, Georgia
STEVE STIVERS, Ohio                  AL GREEN, Texas
RANDY HULTGREN, Illinois             EMANUEL CLEAVER, Missouri
DENNIS A. ROSS, Florida              GWEN MOORE, Wisconsin
ROBERT PITTENGER, North Carolina     KEITH ELLISON, Minnesota
ANN WAGNER, Missouri                 ED PERLMUTTER, Colorado
ANDY BARR, Kentucky                  JAMES A. HIMES, Connecticut
KEITH J. ROTHFUS, Pennsylvania       BILL FOSTER, Illinois
LUKE MESSER, Indiana                 DANIEL T. KILDEE, Michigan
SCOTT TIPTON, Colorado               JOHN K. DELANEY, Maryland
ROGER WILLIAMS, Texas                KYRSTEN SINEMA, Arizona
BRUCE POLIQUIN, Maine                JOYCE BEATTY, Ohio
MIA LOVE, Utah                       DENNY HECK, Washington
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              VICENTE GONZALEZ, Texas
DAVID A. TROTT, Michigan             CHARLIE CRIST, Florida
BARRY LOUDERMILK, Georgia            RUBEN KIHUEN, Nevada
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

                     Shannon McGahn, Staff Director
             Subcommittee on Terrorism and Illicit Finance

                   STEVAN PEARCE, New Mexico Chairman

ROBERT PITTENGER, North Carolina,    ED PERLMUTTER, Colorado, Ranking 
    Vice Chairman                        Member
KEITH J. ROTHFUS, Pennsylvania       CAROLYN B. MALONEY, New York
LUKE MESSER, Indiana                 JAMES A. HIMES, Connecticut
SCOTT TIPTON, Colorado               BILL FOSTER, Illinois
ROGER WILLIAMS, Texas                DANIEL T. KILDEE, Michigan
BRUCE POLIQUIN, Maine                JOHN K. DELANEY, Maryland
MIA LOVE, Utah                       KYRSTEN SINEMA, Arizona
FRENCH HILL, Arkansas                JUAN VARGAS, California
TOM EMMER, Minnesota                 JOSH GOTTHEIMER, New Jersey
LEE M. ZELDIN, New York              RUBEN KIHUEN, Nevada
WARREN DAVIDSON, Ohio                STEPHEN F. LYNCH, Massachusetts
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    March 15, 2018...............................................     1
Appendix:
    March 15, 2018...............................................    31

                               WITNESSES
                        Thursday, March 15, 2018

Ablon, Lillian, Information Scientist, RAND Corporation..........     5
Bernik, Joe, Chief Strategist, McAfee............................     6
Christin, Nicolas, Associate Research Professor, Carnegie Mellon 
  University.....................................................     8
Lewis, James, Senior Vice President, Center for Strategic and 
  International Studies..........................................    10

                                APPENDIX

Prepared statements:
    Ablon, Lillian...............................................    32
    Bernik, Joe..................................................    50
    Christin, Nicolas............................................    57
    Lewis, James.................................................    66

              Additional Material Submitted for the Record

Maloney, Hon. Carolyn:
    Article entitled, ``Sex, Drugs, Bitcoin: How Much Illegal 
      Activity Is Financed Through Cryptocurrencies''............    73
Bernik, Joe:
    Written responses to questions for the record submitted by 
      Representative Budd........................................   115

 
                   AFTER THE BREACH: THE MONETIZATION
                     AND ILLICIT USE OF STOLEN DATA

                              ----------                              


                        Thursday, March 15, 2018

                     U.S. House of Representatives,
                                  Subcommittee on Terrorism
                                        and Illicit Finance
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 2:03 p.m., in 
room 2128, Rayburn House Office Building, Hon. Stevan Pearce 
[chairman of the subcommittee] presiding.
    Present: Representatives Pearce, Pittenger, Rothfus, 
Williams, Poliquin, Hill, Emmer, Zeldin, Davidson, Budd, 
Kustoff, Perlmutter, Maloney, Himes, Foster, Kildee, Sinema, 
Vargas, Gottheimer, Kihuen, and Lynch.
    Chairman Pearce. The subcommittee will come to order.
    Without objection, the Chair is authorized to declare a 
recess of the subcommittee at any time.
    Members of the full committee, who are not members of the 
Subcommittee on Terrorism and Illicit Finance, may participate 
in today's hearings.
    All members will have 5 legislative days within which to 
submit extraneous materials to the Chair for inclusion in the 
record.
    This hearing is entitled, ``After the Breach: The 
Monetization and Illicit Use of Stolen Data.''
    I now recognize myself for 5 minutes to give an opening 
statement--for 2 minutes to give an opening statement.
    I want to thank everyone for joining us today.
    In today's hearing, we will examine the economics of cyber 
crime, the monetization of stolen data from cyber attacks, the 
role the dark Web marketplaces play in helping criminals profit 
from their theft, and how illicit proceeds are laundered into 
our financial system.
    Last month, the Council of Economic Advisors released a 
report estimating that malicious cyber activity cost the U.S. 
economy between $57 and $109 billion in 2016. And this cost is 
expected to climb as more devices become Internet connected.
    Most commonly, these cyber attacks against private and 
public entities include ransomware attacks requesting payments 
in cryptocurrencies, denial of service attacks, and business 
e-mail compromise scenarios. These attacks lead to property 
destruction; business disruption; and the theft of proprietary 
data, intellectual property, and sensitive financial 
information.
    Unfortunately, this activity is only becoming more 
widespread as criminal organizations realize the low cost of 
entry, the ease of using hacking tools, and the difficulty law 
enforcement faces trying to apprehend the hackers.
    It is estimated that in 2017, there were 610 public 
breaches in the United States, triggering the exposure of 1.9 
billion records.
    This sensitive information, including stolen credit card 
numbers and personally identifiable information, is monetized 
and sold on the dark Web, often for a few dollars or less, 
making cyber theft a lucrative endeavor and providing anonymity 
for the criminals.
    Cyber theft is particularly damaging because of the 
sensitive information being stolen, including Social Security 
numbers, which is difficult or sometimes impossible to change.
    The victim of a breach can become a victim repeatedly as 
their identity can be used to apply for credit cards, 
mortgages, and other financial products over and over again.
    In today's hearing, I hope to discuss how we are currently 
combating cyber attacks that lead to electronic identity theft, 
credit card and other types of fraud, including what tools and 
partnerships are working well in the effort to detect and 
disrupt criminal actors.
    I would also appreciate any comments about deficiencies in 
our system that may impede our ability to predict or stop 
future breaches.
    I would like to thank our witnesses for being here today. I 
look forward to their expert testimony on these very important 
issues.
    Now, the Chair recognizes the gentleman from Colorado for 2 
minutes for an opening statement.
    Mr. Perlmutter. Thank you, Mr. Chair. And thanks to the 
witnesses for joining us today, and we look forward to your 
testimony.
    I doubt there is a person in this room who hasn't been 
affected, whether they know it or not, by a data breach. In the 
Equifax breach alone, 147 million Americans were affected and 
impacted.
    Every day, hackers steal an additional 780,000 records. And 
according to the Identity Theft Resource Center, there were a 
total of 1,579 U.S. data breach incidents in 2017.
    Criminals have grown more sophisticated, more organized, 
and so have the markets for purchasing the stolen data. In many 
cases, the cyber criminals are encouraged and supported by 
governments.
    In terms of state-sponsored cyber criminals, the most 
pervasive actors are Russia and North Korea, both of which 
heavily target financial institutions.
    And, as we all know, as a fact, Russia used its cyber 
capabilities to interfere in the 2016 election. I was glad to 
hear today's news from the Department of Treasury announcing 
sanctions on 19 Russian operatives and 5 organizations. Many of 
whom were identified by Special Counsel Robert Mueller.
    I am glad to see the Department of Treasury is beginning to 
take this Russian cyber threat seriously. I hope President 
Trump will understand the importance of this issue soon as 
well.
    With that, I thank you, Mr. Chairman, for holding this 
hearing, and I look forward to today's discussion.
    And I yield back.
    Chairman Pearce. The gentleman yields back.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Pittenger, for 2 minutes.
    Mr. Pittenger. Thank you, Mr. Chairman and Ranking Member 
Perlmutter, for holding this hearing today. Thank you to each 
of our distinguished panelists for giving their expertise to 
our subcommittee this afternoon.
    Cyber crimes, whether they are sponsored by states or not, 
are one of our Nation's biggest and most pressing national 
security threats.
    In recent years, we have seen the frequency and size of 
cyber crimes increase exponentially. On the dark net, online 
activities and transactions are largely untraceable. And the 
proliferation of cryptocurrencies has made it easier for 
criminals to monetize illicit activities.
    Of particular concern are easily accessible dark net 
marketplaces where criminals can, with startling ease, sell or 
buy stolen data and wide--and a wide variety of other illicit 
cyber services.
    Cyber crimes have wreaked havoc on our businesses and 
upended the lives of countless Americans. Yet, we must 
recognize the complex and multi-layered landscape of this 
threat. We know lone actors and criminal syndicates are behind 
many of these crimes, but so are hostile states.
    Notably, for years now, China has used strategic foreign 
investment through joint ventures to acquire American companies 
and access their data, intellectual property, proprietary 
technologies.
    Many of China's targeted transactions evaded the purview of 
the outdated Committee on Foreign Investment in the United 
States, commonly known as CFIUS. This is the chief body tasked 
with screening foreign investments for national security risk.
    To remedy this problem and safeguard our intellectual 
property, data and proprietary technology, I have introduced, 
with Senator Cornyn, legislation to modernize CFIUS and 
strengthen its ability to identify and stop malicious foreign 
investments.
    The scope and landscape of illicit cyber activities is 
rapidly evolving. Cyber crimes are becoming more damaging, more 
frequent, more creative, and are impacting more Americans.
    In many ways, we find ourselves alarmingly vulnerable in 
large uncharted waters. It is imperative we address these 
threats with the utmost seriousness and remain vigilant and 
proactive in our efforts to combat all forms of nefarious 
cyber activities.
    Thank you, Mr. Chairman.
    I yield back the balance of my time.
    Chairman Pearce. The gentleman yields back.
    Today, we welcome the testimony of our panelists.
    First, we have Ms. Lillian Ablon. Ms. Lillian Ablon is an 
Information Scientist at the RAND Corporation. She conducts 
technical and policy research on topics spanning cyber 
security, emerging technologies, privacy and security in the 
digital age, computer network operations, among many others.
    Ms. Ablon's recent research topics include the intersection 
of commercial technology companies and public policy; black-
markets for cyber crime tools and stolen data; as well as the 
white-, gray-, and black-markets for zero-day exploits, social 
engineering and open source intelligence, tools, and technology 
for greater cyber situational awareness and many others.
    Prior to joining RAND, Ms. Ablon worked on some of the 
most cutting-edge technologies in cryptography, network 
exploitation, vulnerability analysis, and mathematics. She has 
won an Uber Black Badge at the DEF CON 21 Computer Industry 
Conference. And holds a bachelor's degree in mathematics from 
the University of California, Berkeley and a master's degree in 
mathematics from Johns Hopkins University.
    Mr. Joe Bernik has over 2 decades of experience creating 
and implementing cybersecurity management programs at global 
financial institutions, while serving as Chief Information 
Security Officer and Head of Information Risk and Security at 
ABN AMRO Bank, Fifth Third Bank, and BNY Mellon.
    Mr. Bernik led global teams dedicated to protecting 
customer data and complying with data-related laws, 
regulations, and managing incident response programs.
    Mr. Bernik started his career with the U.S. Department of 
Defense. He is an avid speaker and writer and has held posts on 
several industry groups, including the Federal Reserve Council 
on Fraud, the Financial Services Information Sharing and 
Analysis Center, and the Open Web Application Security Project.
    Mr. Bernik holds a bachelor's degree in information systems 
from the University of Mary Washington and has completed 
graduate studies in business administration at the City 
University of New York.
    Dr. Nicolas Christin is an Associate Research Professor at 
Carnegie Mellon University, jointly appointed in the School of 
Computer Science and in Engineering and Public Policy. He is 
affiliated with the Institute for Software Research and a core 
faculty member of CyLab, the university-wide information 
security institute.
    He also has courtesy appointments in the Information 
Networking Institute and the Department of Electrical and 
Computer Engineering. He was a researcher in the School of 
Information at the University of California, Berkeley, prior to 
joining Carnegie Mellon in 2005.
    His research interests are in computer and information 
systems security. Most of his work is at the boundary of 
systems, networks, and policy research. He has most recently 
focused on security analytics, online crime modeling, economic 
and human aspects of computer security.
    He holds a degree in engineering from a prestigious French 
university and both a master's degree and PhD in computer 
science from the University of Virginia.
    Dr. James Lewis is a Senior Vice President at the Center 
for Strategic and International Studies (CSIS). Before joining 
CSIS, he worked at the Departments of State and Commerce as a 
Foreign Service Officer and as a member of the Senior Executive 
Service.
    He served on several Federal Advisory Committees, including 
as Chair of the Committee on Commercial Remote Sensing, as well 
as a member of the Committees on Spectrum Management and 
International Communications Policy, and as an adviser on the 
Security Implications of Foreign Investment in the United 
States.
    Dr. Lewis has authored numerous publications since coming 
to CSIS on a broad array of topics, including innovation, space, 
information technology, globalization, deterrence, and 
surveillance. He was director of the CSIS Commission on 
Cybersecurity and is an internationally recognized expert on 
cybersecurity.
    Dr. Lewis received his PhD from the University of Chicago.
    Each of you will be recognized now for 5 minutes to give an 
oral presentation of your testimony. Without objection, each of 
your written statements will be made part of the record.
    Now, Ms. Ablon, you are recognized for 5 minutes.

                   STATEMENT OF LILLIAN ABLON

    Ms. Ablon. Good afternoon, Chairman Pearce, Ranking Member 
Perlmutter, and distinguished members of the subcommittee. 
Thank you for inviting me to testify.
    As you mentioned, in 2017, there were more than a thousand 
data breaches, exposing over a billion records of sensitive 
data. To gain an understanding of what the attackers are doing 
with the stolen data and how they are monetizing it, we first 
need to understand who they are and what motivates them.
    First, attackers, or cyber threat actors, can be grouped by 
their sets of goals, motivations, and capabilities. Four groups 
of note are: Cyber criminals, state-sponsored actors, cyber 
terrorists, and hacktivists.
    I discuss each actor in my written testimony, but the two I 
would most note for this hearing are cyber criminals and state-
sponsored actors. I emphasize the distinction between these 
groups as they tend to seek different types of data and use or 
monetize that data in different ways.
    Cyber criminals are motivated by financial gain. They care 
about making money as quickly and efficiently as possible. 
Often, the data that they steal ends up for sale on underground 
black-markets.
    State-sponsored actors advance the interests of their 
particular nation state. They tend to keep the data that they 
steal for their own purposes, rather than trying to monetize it 
on underground black-markets.
    State-sponsored actors are believed to be responsible for 
the cyber attack on Sony, the theft of millions of dollars to 
the Swiss Banking software, and the data breach of millions of 
records from the Office of Personnel Management (OPM).
    Turning to the cyber crime black-markets. They are quite 
advanced. Full of increasingly sophisticated people, products, 
and places to conduct business transactions. They are resilient 
in the face of takedowns and are constantly adapting to the new 
tactics and techniques of law enforcement and computer security 
vendors.
    They are easy to enter and very easy to get involved in, at 
least at the most basic level. Essentially, all you need is an 
Internet connection and a device to become part of the cyber 
crime ecosystem.
    Participants in these markets range across all skill 
levels. There are often hierarchies and specialized roles. 
Administrators at the top; followed by brokers, vendors, and 
middlemen; and, finally, mules, the moneychangers who use 
multiple methods to turn the stolen data into money.
    Cyber crime markets offer a diverse slate of products for 
all phases of the full cyber crime lifecycle. From initial hack 
all the way through to monetizing the stolen data.
    In recent years, as-a-service offerings, ransomware, 
malware, and point-of-sale credit card schemes have become 
popular.
    Prices in these markets can range widely depending on 
hardness of attack, sophistication of the malware, whether 
something is do-it-yourself or as a service, and the freshness 
of the data.
    For example, credit cards stolen from Target in 2013 
appeared on the black-markets within days. Those cards 
initially fetched anywhere from $20 to $135, depending on the 
type of card, expiration and limit.
    But, eventually, they went on clearance for just a few 
dollars a card. Although prices, in general, range widely, 
similar products tend to go for similar amounts.
    And anonymous cryptocurrencies like Bitcoin, among others, 
are preferred for making transactions.
    So, how does stolen data get monetized on these markets? 
Cyber criminals use financial information, things like credit 
card data and bank account numbers, to withdraw cash, purchase 
gift cards for resale, or harness a money mule to make 
fraudulent orders to purchase goods, like expensive 
electronics, which can, then, be shipped overseas to be sold on 
other black-markets.
    They might use stolen credentials, things like usernames, 
passwords and e-mail addresses, to get access to a victim's 
contact list for further spam or phishing campaigns.
    Both cyber criminals and state-sponsored actors might use 
credit report information. Things like addresses, States of 
birth, and other personally identifiable information, like that 
taken in the 2017 data breach of Equifax, to create a 
comprehensive profile of a victim.
    Cyber criminals could use that kind of data to create a 
custom dictionary of possible passwords that can be used to 
attempt to crack a victim's bank or financial account or for 
identity theft purposes.
    State-sponsored actors, on the other hand, might use this 
information to build profiles of who to target for exploitation 
or espionage campaigns or as leverage to gain other types of 
information.
    Unfortunately, there is no easy policy prescription to 
completely stop data breaches or monetization of stolen data. 
But a combination of information sharing between the public and 
private sectors, strengthened international cooperation between 
law enforcement, and increased efforts to tarnish the reputation 
of these black-markets can all help.
    Thank you for the opportunity to testify. I look forward to 
the discussion.
    [The prepared statement of Ms. Ablon can be found on page 
32 of the Appendix.]
    Chairman Pearce. Thank you.
    Mr. Bernik, you are now recognized for 5 minutes.

                     STATEMENT OF JOE BERNIK

    Mr. Bernik. Good afternoon, Chairman Pearce and Ranking 
Member Perlmutter. Thank you for the opportunity to testify. My 
name is Joe Bernik and I am the Chief Technical Strategist for 
McAfee, representing the financial services sector.
    We are happy that you have addressed this important issue. 
The financial services sector represents a very sensitive part 
of our Nation's infrastructure, and I am pleased to see the 
committee addressing these issues.
    According to the CSIS report, recently produced by McAfee, 
banks continue to be the favorite target of criminals, as we 
know, probably because the money is held in these institutions. 
The banks--the attacks, however, are not always directed 
directly at the banks.
    We are now seeing attacks directed at the seams within the 
institutions themselves. This can be seen in the instance of 
the SWIFT attack in which, allegedly, North Korea stole or 
attempted to steal over a billion dollars.
    And smaller, less sophisticated organizations are more 
vulnerable to this type of attack. The practice of not directly 
attacking institutions, such as was the case--excuse me, such 
as the case within the Equifax attack, represents a 
vulnerability within the banks. They all depend on Social 
Security numbers and, therefore, that type of attack has a 
lasting and devastating impact on the banks themselves.
    All the financial institutions rely heavily on Social 
Security numbers as a form of identifier. This reliance, as you 
stated, is a vulnerability as the numbers have all ultimately 
been lost, resulting in the numbers being somewhat useless as a 
means of identification.
    The methods used are exceedingly commoditized. Malware and 
phishing attacks are used across the sector. And although new 
attacks, such as artificial intelligence and machine learning, 
are available, we have not seen them used because, thus far, 
the commoditized nature of the attacks doesn't require their 
usage. So, therefore, the simple attacks continue to be the 
main methods being exploited and used.
    One method of attack that is of extreme importance and 
urgency right now is the use of social media attacks. Social 
media--the anonymous-nature of social media, allows for 
criminals and nation states to use it, to manipulate markets.
    I believe and we believe that this type of attack, using 
social media, will continue to be prevalent and will continue 
to be devastating against financial markets, given that you can 
set up an identification without any kind of verification or 
authentication requirements.
    As far as the stolen data goes, and the question that the 
community had raised, as the previous speaker said, the 
information is sold on the dark Web for profit by criminals. 
This information can be easily accessed. The information can be 
bought for varying prices.
    We have seen everything from credit card details sold for 
$50, Amazon accounts sold for $9.00, passports sold for $62. 
And the prices vary, depending on the markets and the--and the 
freshness of the data.
    However, the concern that we have, really more so than the 
data that is being sold today, is the data that we have not 
seen sold as of yet. Meaning the Equifax data, which I know 
everyone is interested in, has not been widely made available 
in any markets.
    It is, therefore, assumed that this data is being collected 
for other purposes. Potentially for nation state-level attacks. 
So, that, obviously, the unknown-unknown nature of that type of 
attack makes it all the more concerning. And we wait and--we 
are waiting to see what sort of attacks will come from that 
sort of data that was stolen.
    Large institutions have been preparing for cyber-war or 
cyber attacks for a long time. So, we have seen the sharing of 
information amongst the banks with the Department of Homeland 
Security, and scenarios being played out simulating cyber 
attack. This has been happening for a number of years.
    However, since we haven't had one of these events, these 
large events, occur yet, it is--we are not sure whether we are 
actually prepared for such an event when it does occur.
    As far as policy recommendations go, we offer the 
recommendations, obviously, to address the Social Security 
issue and replace the Social Security number with a better 
identifier, promote cyber security interoperability, pass national 
breach legislation, and enhance information sharing, such that 
all organizations can benefit from the intelligence and 
information that is made available, currently, to some of the 
largest organizations.
    Thank you.
    [The prepared statement of Mr. Bernik can be found on page 
50 of the Appendix.]
    Chairman Pearce. Mr. Christin, you are recognized for 5 
minutes.

                  STATEMENT OF NICOLAS CHRISTIN

    Dr. Christin. Thank you, Mr. Chairman.
    Chairman Pearce, Ranking Member Perlmutter, members of the 
subcommittee, thank you for hosting this important hearing 
today and for giving me the opportunity to testify.
    My name is Nicolas Christin. I am an Associate Research 
Professor at Carnegie Mellon University, jointly appointed in 
the School of Computer Science and in the Department of 
Engineering and Public Policy.
    My research focuses on computer security. For the past 
decade, I have been studying online crime. In particular, my 
research group and I have conducted a series of measurement 
studies on dark Web marketplaces.
    We attempt to better understand the potential economic 
impact of these markets, including the role as retail channels 
for stolen data. This is the topic at hand today.
    In the past 25 years, online retail channels for stolen 
data have evolved from dial up forums, to online chat rooms, to 
specialized Web forums, to online anonymous marketplaces, also 
known as dark Web marketplaces.
    Business models have also become increasingly complex to 
facilitate the sale and purchase of stolen data on a large 
scale by less sophisticated actors.
    Similar to industrial supply chains, the modern market for 
stolen data shows specialization. The number of technically 
savvy actors responsible for data breaches is rather small. 
After the stolen data is broken down into what is suitable for 
individual resale, retail-level vendors will offer the data to 
the general public.
    Other criminals provide services surrounding stolen 
data, such as mule services or money laundering tutorials, 
without directly interacting with stolen data.
    Using measurements we collected between 2011 and 2017, from 
most of the major online anonymous marketplaces are heightened 
during the timetable, we can make four observations.
    First, revenue generated by criminals engaged in monetizing 
data breaches continues to pale in comparison to the potential 
costs of the remedies.
    In the early to mid-2000s, researchers estimated 
that criminals made on the order of tens of millions of 
dollars per year from the sale of the acquired data. Meanwhile, 
the societal costs of those breaches were thought to be in the 
billion-dollar range.
    Our measurements indicate that this asymmetry still exists 
today. The overall revenue from the entire trade of illicitly 
acquired data remains rather low, compared, for instance, to 
the online trade of narcotics.
    Stolen credit card numbers are often sold for a few dollars 
each. More expensive offerings, including Social Security 
numbers or date of birth, may reach on the order of a hundred 
dollars apiece.
    However, recovering from the damage incurred by each 
individual theft is far more expensive, due to second-order 
effects, such as impact on credit ratings.
    Second, the dark Web marketplace ecosystem, as a whole, has 
shown strong resiliency to law enforcement. Shutting down a 
marketplace has, so far, mostly seemed to result in criminals 
moving to a different one.
    Long-term impacts on the overall illicit trade are 
uncertain. Takedowns also may potentially lead some of the 
actors to move the activity to less publicly observable forums.
    Third, 80 percent of the revenue is generated by 10 percent 
of the vendors. A few successful individuals attract relatively 
large numbers of amateurs that do not profit much, if at all, 
from their activities.
    These unsuccessful actors, nevertheless, contribute to the 
overall problem by making the market for stolen data larger and 
more complex.
    Fourth, these marketplaces are international in nature. And 
even when certain actors are identified, jurisdiction issues 
may complicate prosecution or arrest.
    These findings indicate that focusing on preventing 
breaches from happening in the first place is probably more 
economically efficient than attempting to disrupt retail and 
distribution channels.
    Prevention is also likely to be more effective than 
recovering from a data breach, once it has happened.
    Finally, measurements of dark Web marketplaces solely focus 
on the retail end of the stolen data ecosystem. They, thus, are 
an imperfect signal, particularly when it comes to tracing 
stolen data back to a specific breach.
    Nevertheless, these measurements give us important 
information on the health and evolution of the market for 
illicitly acquired data and on the monetization techniques in 
use.
    Thus, it is important to continue supporting these 
documentation efforts, to understand the criminals' business 
models, determine the most specific strategies to disrupt them 
and improve overall security.
    Thank you very much.
    [The prepared statement of Mr. Christin can be found on 
page 57 of the Appendix.]
    Chairman Pearce. Thank you, sir.
    Dr. Lewis, you are recognized for 5 minutes.

                    STATEMENT OF JAMES LEWIS

    Dr. Lewis. Thank you, Mr. Chairman and Ranking Member 
Perlmutter. I appreciate the opportunity to testify.
    Cyber crime is big business. I think you have heard that 
from all my colleagues. We have conducted three studies with 
the support of McAfee to estimate the cost.
    In interviews for our studies, one senior official called 
this the greatest transfer of wealth in human history, while 
another said it was a rounding error in a $14 trillion economy. 
So, we hope to bring a little more precision to this range.
    Estimating the cost of cyber crime is difficult because 
data collection is willfully inadequate. Most countries don't 
collect statistics on cyber crime. And many victims prefer not 
to report their losses.
    Our reports looked at a broad range of costs, including 
recovery costs, I.P. theft and damage to brand.
    Our most recent study estimated that cyber crime cost the 
world between $450 and $600 billion a year, a 20 percent 
increase in 2 years.
    This increase can be explained by the growing 
sophistication of cyber criminals, by the increase in the 
number of Internet users and by improvements in the ability of 
cyber criminals to monetize stolen data.
    This has always been a problem for cyber crime. You can 
take personally identifiable information or intellectual 
property, but then turning it into actual cash can be a 
challenge.
    One of the reasons cyber crime continues to grow is that 
criminals have become better at monetization, in part because 
of the availability of cryptocurrencies. Cryptocurrencies make 
cyber crime easier by increasing anonymity and by simplifying 
money transfers.
    Cyber crime activity on what is called the dark Web, the 
hidden Web, also contributes to the growth in cyber crime. This 
hidden Internet is a safe space for cyber crime.
    And I was--in preparation for the testimony, I was looking 
at some of these sites this morning, and I found one that 
offered a money-back guarantee if you bought data from them, 
stolen data. And it didn't work. They would--they would refund 
your--so, it is a very sophisticated market.
    Another reason for the growth as you--of the cyber crime, 
as you heard, is state-sponsored cyber crime. Russia is a haven 
for the most cyber--advanced cyber-criminal groups in the 
world. The Kremlin sees Russian cyber criminals as a strategic 
asset.
    The other state that extensively supports cyber crime is 
North Korea. It uses hacking by its principal intelligence 
agency, the Reconnaissance General Bureau, to generate hard 
currency for their regime.
    So, this is a daunting set of problems. You have protected 
spaces on the dark Web, innovative and dynamic cyber criminals, 
cryptocurrencies in countries that provide safe havens and 
support for cyber crime.
    But there are actions we can take to reduce risk. As you 
heard earlier, we won't be able to eliminate cyber crime, but 
we can make better efforts to manage it.
    This would include the U.S. and its allies, developing an 
effective strategy for punishing states that support cyber 
crime, greater regulation of cryptocurrencies, and expanded 
efforts to disrupt criminal networks, in partnership with our 
allies in other countries.
    Finally, all nations would benefit from a serious effort to 
collect data on cyber crimes' cost. I think that would be 
helpful.
    I thank the committee for the opportunity to testify and 
for its work on illicit finance and for our CFIUS modernization 
and look forward to any questions.
    Thank you.
    [The prepared statement of Mr. Lewis can be found on page 
66 of the Appendix.]
    Chairman Pearce. Thank you, sir.
    The Chair now recognizes himself for 5 minutes for 
questions.
    So, I think, Dr. Lewis, I would ask you, first, that 
estimating losses is hard, according to what you are saying. I 
think we understand that.
    Is there--what, sort of, effort is there, internationally, 
to, maybe, join together countries? First of all, which country 
is probably the best at intercepting and stopping the cyber 
crime? And then, are there international efforts where 
countries are joining together?
    Dr. Lewis. Thank you, Mr. Chairman.
    There is a good correlation between countries that have 
strong law enforcement systems and punishment for cyber crime.
    So, if you are a cyber-criminal and you live in the U.S. or 
the U.K. or France or Germany, your life expectancy is probably 
only about 3 years before you are caught and go to jail.
    In places that have weak cyber-security laws, like Brazil 
or countries--other developing countries, you see a growth in 
criminal activity.
    So, the effort here is to have strong cyber-security laws. 
The U.S. leads in that with the Budapest Convention and to 
develop new ways to cooperate on the exchange of evidence and 
on the efforts to take down networks.
    So, currently, there is no central place that does this. 
The U.N. has a committee on crime that is trying to develop a 
more common approach. But the differences among nations make it 
hard to get--nations make it hard to get cooperation.
    Thank you.
    Chairman Pearce. Thank you.
    Mr. Bernik, you had mentioned North Korea as being one of 
the state actors. And then, the testimony of others indicated 
Russia.
    Who are the other major players, as far as state-
sanctioned, state actors?
    Mr. Bernik. Another major player would be China. They have 
invested a lot of resources in building capabilities and also 
have been attributed to some of the most significant hacks at 
recent times.
    So, the Anthem hack, as you will recall, which was the big 
one that occurred a few years back, where a lot of medical and 
Social Security numbers were stolen. As well as the Yahoo hack 
has been attributed to them.
    This--these hacks and this information is being amassed for 
a purpose. We just--we just don't know what that purpose is.
    So, that threat and that capability that they are massing, 
raises a significant amount of risk to our--to us, as a--as a--
as a country.
    And, I think, that is the to-be-determined risk. What that 
will look like and whether those attacks, if they occur, will 
be targeted against infrastructure, banks, individuals. We 
don't have the answer right now and that is--that is one of the 
most concerning things, I think, for all--for all of us.
    Thank you.
    Chairman Pearce. Yes. And Ms. Ablon, the lack of 
consequences, obviously, plays a big role in encouraging.
    Are there any nations that appear to be dealing with the 
lack of consequences? I don't think that we are.
    So, what is your comment on that?
    Ms. Ablon. Specifically for the cyber crime markets, they 
are highly reliable. And so, products are what they say they 
are. People do what they say they do. Trying to tarnish the 
reputation is quite difficult.
    In terms of specific countries that are going after it, it 
is, really, on a country-by-country basis. Law enforcement, 
here in the U.S., is getting better in going after cyber 
criminals. Certainly, more resources would help.
    But more digital natives are entering into our law 
enforcement and that helps to understand the nature of cyber 
crime and the technical capabilities.
    And also, suspects, in the last few years, are going more 
after big companies, rather than specific individuals. And that 
allows cyber crime to bubble up and be more seen and giving 
more opportunities for U.S. law enforcement to go after them.
    Chairman Pearce. Dr. Christin, if you were contemplating 
the hack into the Office of Personnel Management, what 
advantage does that--how is that information viable to the 
nation states? What do they use it for?
    Dr. Christin. I tend to focus on economically motivated 
cyber crime. And, as such, I will not, really, be able to 
answer that question because it is not clear that there are 
actual economic incentives to use the OPM breach.
    Chairman Pearce. OK. My time is expired.
    The Chair now recognizing the gentleman from Colorado, Mr. 
Perlmutter, for 5 minutes.
    Mr. Perlmutter. Thanks, Mr. Chair. And this is all very 
interesting. And, for me, just some very basic questions.
    Ms. Ablon, if you were a bad guy out there, and Dr. Lewis 
talked about going to the Internet today and just skimming some 
stuff.
    So, how does somebody find out about the dark Web, and, if 
they want to go purchase some information? Just give us a 
little primer on that.
    Ms. Ablon. It is pretty incredible how easy it is to get 
involved in these markets.
    As I mentioned in my original testimony, all you need is an 
Internet connection and a device to get involved.
    I have seen--certainly much of the markets are in the dark 
Web. Things where you need special tools or special services to 
access things like Tor, the Onion Router.
    But there is plenty that can be found on the surface Web. 
Things that you can Google for.
    For example, I have seen Google guides on how to use a 
particular exploit kit. I have watched YouTube videos on where 
to find and buy stolen credit card data.
    So, this kind of stuff is easily accessible and within a 
few finger taps.
    Mr. Perlmutter. Could I--could I get on there and query, 
where does Steve Pearce live? Or give me credit card 
information about Steve Pearce. Just me. Ed Perlmutter, I go 
on. I want to know something. I want to pick up something on 
him.
    Ms. Ablon. So, in terms of just getting general fungible 
data, so things that are reusable, you can certainly find that 
in mass quantities. Random Social Security numbers. To find a 
particular targeted person, that would require a little more 
work.
    Now, as I mentioned, as service offerings are increasing, 
you can hire someone to try and find that particular data. Or 
with enough information, try to go after a particular e-mail 
account and guess the password of whoever you are trying to 
target for in order to get their information.
    Mr. Perlmutter. OK, thank you.
    Mr. Bernik, you ticked through some major hacks. I seem to 
be--so, yes, I have Anthem. You forgot J.P. Morgan, Equifax, 
Target, Department of Personnel and you forgot the DNC. OK?
    So, you didn't want to speculate as to--who wants this 
information? What do you think they can do with it? They could 
get credit card information and maybe steal something?
    Mr. Bernik. Right.
    Mr. Perlmutter. Let us go bigger. Let us go, one, who are 
the big purchasers? Is Russia? Is North Korea? And what are--
what are--what would they do with this stuff?
    Mr. Bernik. We have done a lot of studies with Dr. Lewis on 
this and trying to--trying to analyze that very question.
    The reality is that we are at a cyber--some say a cyber war 
with these nations now. It is a cold war, if you will. It is 
not--we are not full-fledged.
    We are gathering the constant--they are gathering the 
constant information. We are gathering this information to use 
it, potentially to understand how corporations operate 
individuals of interest.
    They may be able to use this as leverage, by having 
information about an individual, their medical conditions. 
There is a lot of power in having information as--
    Mr. Perlmutter. So, these states could be both the hackers 
and the buyers of information?
    Mr. Bernik. In some senses, they are the--right. They could 
be the buyers, the aggregators of the information. They are the 
perpetrators, in some--in some cases of the attacks, 
themselves.
    So, although we are not certain, in many cases, because 
attribution--the anonymous nature of the Internet makes 
attribution very difficult, as has been stated.
    So, we cannot, 100 percent, guarantee that these are the 
attackers. But all indicators point to them, to China, North 
Korea, and, in some cases, Russia.
    They are gathering this information for a--to launch 
attacks against our populace, potentially, to influence, to 
direct individuals to do things on their behalf, we know that.
    So, I think that is what we are going to see more of in the 
future. We haven't seen it yet.
    Mr. Perlmutter. Dr. Lewis, you mentioned the 
cryptocurrencies and the camouflage or the obscurity of these 
things. Can you--can you expand on that just a little bit?
    Dr. Lewis. Sure. The way that you can acquire these 
currencies can make it difficult to trace back who is actually 
buying them.
    And so, a good trick would be to steal your credit card, buy 
the cryptocurrency, while using your credit card, and then, it 
is--it can be anonymous as to who is actually acquiring it 
after that.
    And you can--just as you have done with money laundering, 
you can go through a number of steps to help obscure the trail.
    One of the interesting things, as we all know about 
Bitcoin--and Bitcoin isn't anonymous enough for cyber 
criminals, so they are developing a range of new 
cryptocurrencies that are even harder to track. So, this is a 
gift to money laundering.
    Mr. Perlmutter. OK, thank you all for your testimony.
    Chairman Pearce. And if the gentleman is going to really 
search my data, you probably ought to do it quick because it 
is--it is about to be emptied anyway. So, move fast.
    The Chair will now recognize Mr. Pittenger for 5 minutes.
    Mr. Pittenger. Thank you.
    Dr. Lewis, I do appreciate you mentioning CSIS in your 
written testimony. As I have previously noted, Senator Cornyn 
and I have introduced legislation to reform and modernize the 
CSIS process.
    Could you please elaborate on how the Chinese are using 
joint ventures to steal our critical technologies and know how?
    Dr. Lewis. Yes, thank you, Mr. Chairman. And I should 
congratulate you. Didn't you have a journal op-ed?
    Mr. Pittenger. Yes, sir.
    Dr. Lewis. Good op-ed.
    Mr. Pittenger. Thank you.
    Dr. Lewis. Let me touch on two cases that are recent that 
we know about that illustrate this and answer some of the 
questions that came up earlier.
    Just last week, or just this week, we saw the President 
block Broadcom from acquiring Qualcomm. And a few months ago, 
we saw CFIUS block the Ant, Chinese, Financial company's 
efforts to acquire an American company.
    And we can think about Chinese behavior as, really, an 
intelligence activity. It is an effort to acquire data.
    If you look at what the Chinese are doing, they are 
investing in artificial intelligence and big data analytics in 
quantum computing and quantum communications. And they may, 
actually, be ahead of us there.
    And they are building a global communications network, 
using their telecom companies which have close links to the 
states.
    So, if China is building an intelligence capability, one of 
the things they need to do is populate that with data. And so, 
acquiring U.S. companies that would ease that acquisition of 
data.
    The thing that is interesting to me is we are all fairly 
familiar with what CFIUS used to do. So, the first bill blocks 
acquiring military technology. First of all, FINSA blocked 
terrorist and Homeland Security concerns.
    And now, I think it is time for modernization, as the bill 
you have put forward does to think about how China uses this, 
not just for military advantage but for intelligence advantage.
    Mr. Pittenger. Could you, Dr. Lewis, give us some greater 
detail of the types of critical technology and intellectual 
property that China and other countries are trying to steal?
    Dr. Lewis. Sure. And one easy way to track that is to just 
look at Chinese activity in Silicon Valley.
    So, a lot of attention to artificial intelligence, a lot of 
attention to big data. They are also looking at sensor 
technology which can be useful, both on the Internet and for 
your military application.
    They are looking at space technologies. So, they are 
looking at autonomous vehicle technology. And when I say 
looking, I should probably say looking to acquire.
    So, the Chinese have identified the crucial technologies 
for modern military and are seeking to use joint ventures, 
greenfield efforts in the valley, acquisitions of U.S. 
companies or other western companies.
    And you all probably remember KUKA, the German robotics 
firm, that the Chinese were able to acquire. They have a good 
strategy for acquiring the technologies for a 21st century 
military.
    Mr. Pittenger. Thank you.
    If you could just elaborate some more on how this threatens 
our U.S. businesses and international security.
    Dr. Lewis. Sure.
    So, one of the problems is that Chinese state-supported 
investment in high-tech companies crowds the market. So, if the 
market can support 10 companies and the Chinese subsidize 3 
more, everyone's revenue share falls down. Every company is 
made weaker. Every company invests less in R&D. And that will 
hurt us.
    Our dependence on some Chinese technologies creates 
intelligence vulnerabilities that we have seen China exploit in 
other countries.
    Chinese efforts to modernize its military have gone into 
high gear. And when you look at anti-satellite efforts, 
precision-guided munitions, economic strike, cyber attack, 
they have found that China, itself, has become very strong, as 
an innovator, but they still gain advantage from borrowing 
other people's technology.
    And I think those are the areas I would look at.
    Mr. Pittenger. Yes, sir. They sought to acquire semi-
conductor companies. I think they have acquired 20 over the 
last few years.
    What impact, do you believe, that this has already had and 
how critical and what kind of crisis are we in now to try to do 
something about reforming CFIUS?
    Dr. Lewis. So, China has--had creating a domestic semi-
conductor industry as a goal since it opened to the west in the 
early 1980's. And they have failed, each time, despite spending 
billions of dollars because it is hard to make semi-conductors.
    And so, their most recent strategy is, let us just buy the 
whole company. And I think CFIUS has done a good job at 
blocking that.
    But the Chinese are persistent. They are well resourced. 
And they have not given up on this goal in more than 30 years.
    The effect on the U.S. is that we could become dependent on 
sensitive technologies from China that the Chinese could take 
advantage of. That is a real concern. That is a supply chain 
concern.
    The second one is that U.S. companies could find themselves 
hard pressed to continue to invest, hard pressed to innovate. 
And the market could tilt away from the U.S. and toward China.
    Mr. Pittenger. Thank you.
    My time has expired.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizes the gentleman from Connecticut, 
Mr. Himes, for 5 minutes.
    Mr. Himes. Thank you, Mr. Chairman. And thank you, all, for 
your testimony.
    I have heard a theme reiterated today that I first heard 
from Gartner which happens to be in my district in Stamford, 
Connecticut.
    And the point made is that there aren't a lot of new 
attacks, new technology, new software, zero-day software. There 
is just not a lot out there.
    That most of the successful attacks are using techniques 
and malware that are readily identifiable. And that the problem 
is that people simply aren't using good cyber hygiene. That 
they don't update their security software. That sort of thing.
    Setting aside, for a moment, the question of policy, which 
we have discussed here a little bit. We, as Members of 
Congress, interact a lot with the--with the public and our 
constituents.
    I would love to just take my time to cycle through the 
witnesses. And apart from the obvious, and by the obvious, use 
of two-factor authentication, not using your birthdate as a 
password, changing your password periodically.
    Apart from the obvious, what would you suggest to us are 
other measures that our constituents, that the American public 
should take to try to increase the overall level of network 
security and the--and the safety of their data?
    Ms. Ablon. As you mentioned, there are no new attacks, just 
new attack surfaces. So, as things, like the Internet, if 
things come up, and there are a lot more digital devices people 
are not necessarily thinking about securing their thermostat, 
like they are their computer.
    So, there is certainly the normal cyber hygiene that can 
be applied to those new attack surfaces.
    I would also say that it is not possible to be 100 percent 
secure. A determined attacker will get through no matter what. 
So, if we can make it more expensive, in terms of time, 
resources, and research for an attacker to get through, then 
that can--that can be helpful.
    Something--humans are the weak element. So, if we can 
educate people to be aware of the kind of attacks that might be 
facing them, that is something that is an obvious cyber hygiene 
thing. But the more that we can do it, the better.
    Mr. Himes. Mr. Bernik?
    Mr. Bernik. So, we, at McAfee, would suggest that you 
invest in software to protect your computer. I think it is 
pretty basic, at this point. There are a lot of different 
options. I had to say that, didn't I? It is the correct answer.
    But beyond that, I will--
    Mr. Himes. Let us take a commercial break.
    Mr. Bernik. Beyond that, I would say that--don't use the 
same password for everything. People just do that because it is 
easy.
    And, I think, people--it used to be said, don't write your 
password down. People would say that. But I think they are 
going to change it. Write it down. It doesn't matter.
    Just don't use the same password for everything. Because 
once you get attacked once, you are hacked on everything if you 
use the same password which most people do.
    Lock your Social Security report. If you--if you are not 
applying for credit, then lock your report. Everybody should do 
that. Because if they have your Social Security number, they 
can probably--maybe hackers can probably do something against 
your--against your credit.
    So, by default, you should lock your report at all times, 
if you are not applying for credit. That is basic. And that is 
free.
    What else? Those--I think those two--those three things, 
using protection on your computer, keeping it patched and up to 
date, not using the same password, and locking your Social 
Security report would be--it is supposed to be your credit 
report. Pardon me. Your credit report would be, in my advice, 
for individuals.
    Thank you.
    Mr. Himes. Before we get to Mr. Christin, Mr. Bernik, since 
you brought it up, what, in 20 seconds or so, is your take on 
some of these password protection apps, like Dashlane and 
others? Are they secure?
    Mr. Bernik. Well, so, what they do is they control--use an 
app you install that controls all your credentials in one place 
and it is, basically, in the cloud, effectively. It is stored 
in a database on the Internet. It is one key that unlocks all 
keys.
    I, personally, think they are useful because they let you 
change and create random credentials which is more effective 
than what most people do which is use one series, and they just 
change the last couple of numbers. Or where they don't have to 
change it, use the same password for everything.
    So, I would say that they are useful tools if used 
correctly. If you use a weak password or weak credential, and 
you use that credential as the key, then you are, basically, 
creating a disaster for yourself.
    So, used the wrong way, that could be very disastrous.
    Mr. Himes. Great, thank you.
    And, very briefly, Dr. Christin, Dr. Lewis, anything to 
add?
    Dr. Christin. Yes, I would echo the previous witness, his 
comments on the password materials. They are very useful and 
they should be used to generate passwords, as opposed to simply 
recalling them. Because computers are really good at generating 
long, random unguessable strings.
    That would be my main recommendation.
    Mr. Himes. Thank you.
    Dr. Lewis. Think about where you go online. You probably 
saw in the indictments today--pardon me, in the sanctions today 
that one of the tactics that cyber criminals use is what they 
call waterhole attacks.
    Think about where you go. Think about what you put online. 
Think about what you click on. Be cautious with social media.
    Do the basic hygiene. People still don't do that.
    And, finally, back up your data. If you would use iCloud or 
one of the other cloud services, it makes you a little more 
difficult to suffer from a ransomware attack.
    Mr. Himes. Thank you.
    I yield back, Mr. Chairman. Thank you.
    Chairman Pearce. The gentleman's time has expired.
    The Chair now recognizing the gentleman from Pennsylvania, 
Mr. Rothfus, for 5 minutes.
    Mr. Rothfus. Thank you, Mr. Chairman.
    I want to go to Dr. Lewis.
    In your testimony, you said that Russia is a haven for the 
most advanced cyber-criminal groups. And that they use cyber 
criminals as a strategic asset.
    Is the Russian government directly profiting monetarily 
from cyber crime?
    Dr. Lewis. It would be safe to say that members of the 
Russian government profit directly from cyber crime.
    Mr. Rothfus. Do we have any estimate of the revenue that 
they would generate?
    Dr. Lewis. We could probably come up with one. I did not 
for this hearing, so it may be a question.
    I don't know what the other panelists think. But we know 
that this is a very profitable line of activities. So, at a 
minimum, it is probably in the hundreds of millions of dollars.
    Mr. Rothfus. How do state-sponsors of cyber crime recruit 
or obtain the services of cyber criminals that carry out 
illicit activity?
    Dr. Lewis. In countries like North Korea, it is very easy 
because they are members of either the military or the 
intelligence services.
    In places like Iran or China, and to some extent Russia, 
they are hackers who come to the attention of the security 
services. And it is suggested that they cooperate with the 
state.
    In Russia, there are both state programs to identify 
potential hackers and a linkage between the security services 
and cyber criminals.
    So, each one is a little bit different. But if you monitor 
the Internet, you can always see when somebody is doing 
something bad. And then, you go to their house and say, jail or 
play ball.
    Mr. Rothfus. Mr. Bernik, in your testimony, you discussed 
how ransomware is the fastest growing form of cyber crime. Can 
you discuss the various reasons why ransomware is becoming a 
more popular tool used by cyber criminals?
    Mr. Bernik. Certainly. It is a very commoditized tool. The 
ransomware can be purchased on the dark Web through exchanges. 
It is a commercial-grade software so it is very effective.
    As Dr. Lewis mentioned, there are situations where you can 
get a money-back guarantee on that ransomware. So, you can pay 
for it. You can pay with cryptocurrencies. So, it leverages all 
the best and worst parts of the technology available to the 
criminals and that is why it is effective.
    And the punishment for not paying is you don't get your 
data back. So, the damage is you may be out of business and you 
may have lost all your personal information, depending on 
whether you are a company or an individual.
    This is the reason why ransomware is so fast growing and so 
effective.
    Mr. Rothfus. Which type of cyber attack methods are 
companies and governments currently most and least equipped to 
prevent?
    Mr. Bernik. That is a good question.
    So, as was previously mentioned, malware and ransomware has 
become commoditized. The difference between them is just the 
update with the latest vulnerabilities.
    So, if you take a new vulnerability that just came out, say 
yesterday, and you add it to an existing kit, it will be very 
effective because that vulnerability will have no protection. 
It is often referred to as a zero-day because there is no 
protection for it, the first day.
    So, that is the most dangerous scenario for any 
organization where they have a missing configuration or patch 
issue, as was the case in Equifax.
    So, as we move the window from availability of a 
vulnerability to its inclusion in a kit, the danger is greater. 
Because no one--fewer companies will have the protection, if at 
all.
    And that is the biggest fear of these organizations. That a 
destructive type zero-day attack will occur. Where they are 
racing machines at fast clip--at a fast pace. And there is no, 
necessarily, protection that you can have for that type of 
attack.
    And that would be the worst-case scenario and the one we 
are least prepared for, as a country and as organizations.
    Mr. Rothfus. I was intrigued when Mr. Perlmutter was 
talking about looking for some data on Mr. Pearce.
    This is a question I am going to ask Ms. Ablon. What--how 
would--if you went out looking for the data and wanted to, 
then, buy the data, what payment methods are being used to buy 
this illicit data?
    Are they using Bitcoin? Are they using--do they send cash 
through Western Union? How do--how does one pay for data like 
that?
    Ms. Ablon. You can pay for it with any method. Cyber 
criminals will accept money in any way that they can get it.
    So, absolutely you can pay with PayPal. You can pay with 
digital currencies that aren't crypto, that aren't hidden. So, 
things like Web money, Western Union. You can also pay a crypto 
card.
    Mr. Rothfus. Are they do--you can but are they? Do we 
have--do we know what they are doing?
    Ms. Ablon. Yes. Yes. So, there are people that pay with 
that more and more. There is crypto card--
    Mr. Rothfus. With what?
    Ms. Ablon. With--pay with non-cryptocurrencies.
    But more and more, the trend is to go toward 
cryptocurrencies because of their anonymity--anonymous 
properties.
    The thing about cryptocurrencies is that they are anonymous 
until you get to the exchange. The crypto--the bitcoin 
exchange--the cryptocurrency exchanges are where you actually 
turn the digital money into actual cash, Euros or dollars. And 
that is the point where you can tie a human being to the 
wallet, to the digital currencies.
    That is, really, the weak point to go after.
    Mr. Rothfus. My time is expired.
    Chairman Pearce. Anybody that would pay a hacker for--with 
a credit card is just asking for trouble, it looks like.
    The Chair would recognize Mrs. Maloney for 5 minutes. Oh, I 
am sorry. Ms. Sinema for 5 minutes.
    Ms. Sinema. Thank you, Mr. Chairman. And thank you to our 
witnesses for being here today.
    Mr. Chairman, more than most, Arizonans value their privacy 
and that is why we have been outraged by data breaches, like 
the one in Equifax. And we are frustrated there has been so 
little action by Congress, the CFPB and others to hold Equifax 
accountable and prevent future breaches.
    We all know this is a growing problem that requires action. 
Just in the last year, there were over 1,000 breaches that 
exposed over 1 billion records of sensitive data, according to 
the Identity Theft Resource Center.
    And that makes fraud significantly more likely, which is why 
we are working across the aisle to protect Arizonans from 
identity theft and financial fraud.
    Arizona's 1.1 million seniors are especially at risk, which 
is why I am working to pass the Senior Safe Act.
    Our bill with Congressman Poliquin, of Maine trains 
employees at banks, credit unions, and other financial 
institutions to spot financial fraud against seniors and report 
to law enforcement. Our bill was recently endorsed by AARP and 
it passed the House with the support of both parties.
    But seniors aren't the only ones with significantly greater 
risk of financial fraud. We are also working to protect 
Arizona's children from synthetic identity theft, which occurs 
when a criminal takes a Social Security card--or Social 
Security number.
    And uses it to open bank accounts and lines of credit under 
a fraudulent name. This type of I.D. theft is often targeted at 
children because they have no prior credit history.
    In Arizona, a 17-year-old girl discovered, to her horror, 
that a scammer had accumulated over $725,000 of debt in her 
name. Her information was linked to 8 suspects who opened 42 
accounts, including mortgages, auto loans, and credit cards.
    So, targeting our kids and running up massive debts in 
their name is both shameful and cowardly. We have to fight back 
to ensure they have the chance to build their futures.
    So, we have introduced the Protecting Children From 
Identity Theft Act, which is a common-sense fix that modernizes 
Federal fraud detection to stop criminals and protect Arizona's 
kids.
    Every--Arizonan deserves financial peace of mind and we are 
going to get these bills signed into law.
    Mr. Chairman, last month, I requested more hearings on 
Equifax and these data breaches, and I am glad we are now 
getting the opportunity to dig deeper into these important 
issues.
    So, with that, I have a question for Ms. Ablon from the 
RAND Corporation. So, thank you for being here today.
    The two bills that I mentioned today focus on enhancing 
cooperation between Government, law enforcement, and the 
private sector to catch cyber criminals and protect law-abiding 
Americans.
    Your testimony has noted the importance of these efforts, 
and it highlighted steps that we could be taking to 
disrupt cyber crime markets, the clearing houses where 
criminals sell our personal and stolen information.
    Identity theft operations vary in both scope and 
sophistication. So, I have two questions for you. What 
percentage of these illicit operations would you say directly 
rely on the use of reliable cyber crime markets to be 
profitable? And which Federal agency is best equipped to 
infiltrate and thwart these markets?
    The second question is, what additional authorities and 
resources should Congress provide to crack down on these cyber 
crime markets?
    Ms. Ablon. I can't give a specific number of the percentage 
of identity theft victims or identity theft directly related to 
the cyber crime markets. However, I would posit that it is 
quite high, given the accessibility, the availability, and the 
reliability of the markets.
    In terms of what authorities can do to crack down. I 
mentioned three things in my testimony: International 
cooperation, information sharing, and then tarnishing of the 
reputation of the markets.
    With international cooperation, this is an effective 
strategy, especially as I mentioned before, these bitcoin 
exchanges are the weak point in identifying who the attackers 
are, who the cyber criminals are.
    More and more, these bitcoin exchanges are hosted overseas, 
so having good international relations with other countries can 
help law enforcement in the U.S. work with law enforcement 
overseas and try to get to the actual people to attribute--to 
detect, attribute, and then interdict the cyber criminals.
    In terms of information sharing, information sharing is 
something that gets talked about a lot. As one of my RAND 
colleagues has mentioned, information sharing is not a cyber-
security panacea. It won't solve all problems, however it can 
be very helpful.
    Information sharing between law enforcement and banks can 
be useful as well as small businesses, to let them know what 
they should be doing. What they should be looking for. What bad 
or odd behavior looks like in order to, then, notify law 
enforcement.
    Also, sharing information with consumers about who are the 
victims of data breaches of what they should be looking for as 
well, can be useful for them to call their credit cards--credit 
card companies or call places like Equifax or other places that 
might have their identity information to shut those down so 
that the cyber criminals can't monetize those or can't take 
advantage of those.
    Ms. Sinema. Thank you, Mr. Chairman. My time has expired.
    Chairman Pearce. The gentlelady's time has expired.
    The Chair now recognizes the gentleman who has been 
selected as the preseason all-star from Texas, Mr. Williams.
    Mr. Williams. Thank you for that introduction, Mr. 
Chairman.
    In 2017, more than 1.9 billion records were exposed to 
public cyber breaches. As of this year, we only have--halfway 
into March, cyber breaches have already exposed nearly 20 
million records across the Nation. Important cyber information, 
including intellectual property and personal information, 
continues to be the target.
    What is alarming to me is that terrorist and state-
sponsored regimes, like North Korea or China, are often behind 
these attacks, as we talked about. They will continue to take 
advantage of America's cyber-security weakness. We cannot let 
that happen.
    And I hope the testimony today begins to let us come up 
with solutions on this pressing matter. And I want to thank 
the--all of you for being here.
    The first question real quick, Ms. Ablon, is what advice 
would you have for everyday citizens to do if they become 
victims of stolen data, ransomware, or other crimes?
    Ms. Ablon. The one piece of advice I would give consumers, 
who are more and more becoming victims, is to be alert. Be 
aware of what is going on. Be--as Dr. Lewis mentioned, look 
where you are going online.
    And then, also, be a little paranoid. I think it is safe 
for everyone to be a little paranoid about what--where their 
data is going and their activities online.
    Mr. Williams. OK, thank you.
    Mr. Bernik, what lessons, in dealing with the aftermath of 
mass hacking attacks, like we have seen in the last few years 
in the breaches, as we have spoken, again, Equifax, Home Depot, 
Target, and J.P. Morgan, has the industry learned as the result 
of those attacks?
    Mr. Bernik. The industry has learned to prepare more 
effectively through scenarios. So--and, obviously, the sharing 
of intelligence.
    So, when an organization becomes aware of a threat, they 
will run a scenario where they will, basically, self-assess 
themselves against that threat and understand what the 
implications might be should they become impacted.
    Another thing they have done is prepare for the outcomes. 
These are corporations now--to prepare for the outcomes of 
those attacks, meaning preparing for destructive-type malware 
that erases systems, creating backups, offline backups that are 
separated from their online backups.
    So, they are really gearing up for what they feel will be, 
essentially, inevitable scenarios that will play out for them. 
And that is something they learned.
    Mr. Williams. Good.
    Dr. Lewis, you mentioned in your testimony that 
monetization is easiest for criminals when they can transfer 
funds directly from the victim to the bank account.
    Are there particular jurisdictions that we--that are 
especially vulnerable to hosting criminal accounts like these?
    Dr. Lewis. Yes, thank you. The interesting part for me here 
too is, this will fall certainly within the interest of the 
committee, is that it very closely parallels money laundering.
    So, when you think about Malta, Cyprus, some of the other 
countries where you would want to do money laundering, Eastern 
European banks have, in the past, been a good target.
    Usually, there are multiple hops. So, it goes from your 
bank account to another one and then to a third one and then, 
maybe, to one of these money laundering centers.
    Now, it may just disappear in the void because, at some 
point, as Ms. Ablon has said--oh, I am sorry. It looks like 
money laundering. It tracks very closely with how money 
laundering is carried out.
    And cryptocurrencies are changing that a little bit by 
making it easier to hide the tracks of where it goes.
    But if you know how money laundering works, and, of course, 
the members of this committee do, that is a very similar 
pattern.
    Mr. Williams. OK, thank you.
    Dr. Christin, you mentioned the sale of services 
surrounding data breaches, like data verification and money 
laundering. Could you discuss these services or steps we might 
be able to take to prevent those services?
    Dr. Christin. Yes, thank you.
    So, for instance, an example of services, what is called 
money mules, and at a high-level, very simply the way they work 
is that somebody is being recruited online for a work-from-home 
type of opportunity.
    And the way it works is that this person is instructed to 
transfer moneys from a stolen account. They don't know it is 
stolen, they are just being given a number into an overseas 
account or into their own account before transferring it to an 
overseas account.
    So, that is one of the avenues that is being used for money 
laundering. Very similar to what drug dealers are using for the 
transport of drugs.
    To address this kind of problem, I think that, what Dr. 
Lewis was mentioning earlier, in terms of putting some pressure 
on certain financial institutions, is probably the best--the 
best avenue.
    Thank you.
    Mr. Williams. Thank you. And I yield the remainder of my 
time back.
    Thank you, Mr. Chairman.
    Chairman Pearce. The gentleman's time has expired.
    The Chair would now recognize the gentlelady from New York, 
Mrs. Maloney, for 5 minutes.
    Mrs. Maloney. Thank you, Mr. Chairman and Mr. Ranking 
Member and all the panelists. It has really been very 
insightful and, actually, very disturbing.
    Unfortunately, we have seen that hacking has become more--
much more lucrative because of cyber criminals and the 
cryptocurrencies, like Bitcoin.
    And I have this report that I want to put in the record and 
share with my colleagues on ``Sex, Drugs, Bitcoin: How Much 
Illegal Activity Is Financed Through Cryptocurrencies.''
    And this report points out they believe 72 billion of 
illegal activity is taking place on Bitcoin. And--
    Chairman Pearce. Without objection.
    Mrs. Maloney. --my question for all the panelists is, would 
cracking down on these cryptocurrencies reduce the incentive 
for cyber criminals to steal data from companies and 
governments?
    And this report also says that roughly 25 percent of 
Bitcoin users were using and half their activity was illegal 
activity. It is disturbing to see ads to buy women on the 
Internet through Bitcoin and drugs and other illegal 
activities.
    So, I would like to--I would like to ask Mr. Nicolas 
Christin your response to that question.
    Dr. Christin. Thank you. I think that cryptocurrencies are 
just a means of payment. And let us assume that tomorrow, 
cryptocurrencies become completely illegal. I doubt that it 
would actually stop the criminals in their tracks.
    Because cryptocurrencies are a relatively recent 
phenomenon. Bitcoin, for instance, started appearing in 2008-
2009.
    And before that, we already had cyber crime. People were 
just using different tools. Liberty Reserve, WebMoney, and so 
forth.
    So, I don't necessarily think that clamping down on the 
payment system itself, or even interdicting it, would 
necessarily improve the situation very much. People would just 
find other ways of getting paid.
    Mrs. Maloney. Well, I want to ask you and also Mr. Lewis. 
Mr. Lewis this question about nation states.
    And when a nation state is behind a hack, sometimes it is 
hard to figure out what it is, what they want the money for.
    We know, as you have testified earlier, the--North Korea 
was behind the hacks in Bangladesh for $81 million. That was 
clear, they needed money. They got money.
    But, in other cases, when a nation state steals data from a 
company like Equifax, and then they don't sell the data on the 
black-market, and it doesn't seem to appear some other place, 
it really isn't clear what their motivations are.
    So, when a nation state hacks into U.S. companies and 
steals data but doesn't sell the data on the black-market, why 
do you think--what is the explanation of why they did it? Are 
they collecting data for espionage purposes?
    What is the--I would like to thank Mr.--ask Mr. Christin 
and Mr. Lewis and then all the panelists to answer. What is the 
motive? Are they phishing?
    Are they just--what are they doing when they steal? And 
they don't seem to use it, or we can't track what they are 
doing with it.
    Dr. Christin. So, I will start to answer that by saying 
that sometimes we don't even know who is the perpetrator of the 
breach, so we have no idea who is behind the actual breach.
    When it is not being sold, it can be for a variety of 
reasons. Maybe it doesn't have an economic value but has other 
types of value, leverage, espionage as you mentioned, and 
others.
    Very simply put, we just don't necessarily know who is 
behind every single breach, and what they are using the breach 
for.
    Dr. Lewis. Thank you. The nature of the intelligence 
business has changed dramatically in the last few years, and 
data is at the center of those changes.
    So, you can use digital technologies to identify persons of 
interest, either for recruitment or, more importantly, for 
counterintelligence purposes.
    So, we are seeing a world where it is going to be much 
harder to operate covertly, simply because of things like the 
Equifax breach. And when I see a big breach like that and the 
data doesn't appear on the market, I usually assume that it is 
an espionage-related case.
    Mrs. Maloney. It is a--pardon me, a what?
    Dr. Lewis. An espionage-related case.
    Mrs. Maloney. An espionage-related case.
    Any other comments?
    Ms. Ablon. I would add to that aggregating this data can be 
very valuable for state-sponsored actors. For example, some 
people believe that the same country carried out the 
attacks on OPM, Anthem, and United Airlines.
    And so, combining all that information would get some of 
the most sensitive personal and health information, as well as 
information about where people travel, to build a comprehensive 
profile of who to target, who to leverage, how to leverage for 
future information, or for exploitation of espionage purposes.
    Mrs. Maloney. Well, when you--when you see all these--this 
theft taking place, Mr. Lewis or Dr. Lewis and Mr. Christin and 
others, of all the cyber crime affecting the U.S., which 
percentage tends to be committed by state actors, versus 
criminal actors, versus terrorist organization or other 
activities? Who do you see doing this?
    Starting with you, I guess, Dr. Lewis and just going down 
the line.
    Dr. Lewis. There have been some classified studies on this 
question. In the past, China was the leader, by far, of 
espionage, largely in its dealing with intellectual property. 
Russia was number two, focused on financial crime.
    That has changed a bit in the last few years. The Russians 
are, for some reason, much--
    Chairman Pearce. If I could get the panelists to--tighten 
the answers up.
    Dr. Lewis. The Russians have changed and focused now as 
much--they still focus on financial crime but they also look at 
coercion, as we know. And the Chinese have become much quieter. 
Iran and North Korea are also actors. But--
    Mrs. Maloney. When you say the Russians want coercion, what 
does that mean?
    Chairman Pearce. The gentlelady's time has expired.
    Mrs. Maloney. What are they trying--who are they trying to 
coerce? I have been hacked twice by the Russians. That is why I 
am curious.
    Dr. Lewis. You have probably all been hacked by the 
Russians.
    But Russian military doctrine changed in 2010 to emphasize 
a psychological warfare and online political activities. And 
so, we have seen them implement that doctrine across all NATO 
countries.
    Chairman Pearce. The gentlelady's time has expired.
    The Chair would now recognize the gentleman from Ohio, Mr. 
Davidson, for 5 minutes.
    Mr. Davidson. Thank you, Chairman.
    I really appreciate these witnesses and I thank the 
committee for doing the work to have a hearing on this topic. I 
think it is vital that we get after this.
    It is critical, really, first, for the American people. The 
American people are sick of the vulnerability and the 
helplessness that comes with knowing something like, the 
Russians have probably already hacked all of you. What a 
shocking statement to go public with that.
    But it is not something that truly will be shocking because 
not only have the Russians probably hacked us, the Chinese have 
probably hacked us. And, frankly, many of the companies that we 
buy from or share our data with are actively hacking, in the 
sense that they know far more than the average consumer knows.
    Frankly, your car has probably hacked a lot of things about 
you, including your weight if you have a newer car. And it will 
tell where you have been, how long you have been there. And you 
aggregate the data and they might be able to speculate about 
what you bought when you went in the convenience store.
    So, all this is really changing the landscape in the 
economy. But because of that, there are some real national 
security concerns.
    And, frankly, when we talk about all the ways that the data 
can be used, I am curious about all the data that is collected.
    And I think it is vital that, in law, that this Congress 
establishes that in every case, it is your data. The individual 
has a property right in their own data. In every platform, in 
every way.
    And they should be choosing how their data is used. 
Certainly, they can give consent. Perhaps they can give consent 
for compensation. But they should always be given the opt-in, 
in my opinion.
    But in the case of the data that is collected and it is 
swept up. I am just curious, Mr. Lewis, your assessment of what 
is more valuable or easier to obtain or maybe bigger, is 
personally identifiable information or intellectual property?
    Dr. Lewis. They are--thank you. They are both easy to 
acquire but probably the bulk of the data we have seen taken, 
at least in numbers, if not in value, is personally 
identifiable information.
    Mr. Davidson. Thank you for that.
    And, Mr. Bernik, your company has built its reputation on 
protecting some of this data. Lots of folks use your service or 
one similar to it.
    And I am just curious what sort of risk controls are 
effective at protecting personally identifiable information?
    Mr. Bernik. The types of controls that organizations can 
implement to protect information are things like encryption, 
encrypting the data, both in transit and at rest. So, when it 
is being transmitted as well as when it is being stored.
    And making sure that high levels of authentication are used 
when information is accessed so that it is not so simple to get 
access to the information at rest. Meaning you should use more 
than just a user name and password.
    And, I think, historically, that is all the security we 
really had, in a lot of cases. Thus, we have a lot of 
compromised information.
    Mr. Davidson. Thank you.
    And I would add that if the data is not online, then it is 
harder to be accessed.
    Mr. Bernik. Absolutely.
    Mr. Davidson. So, it is not collected in the first place. 
It is not there to be hacked.
    And so, I guess, is there anything specific about that that 
differentiates the risk, whether the database is a government 
database or a commercial database?
    Mr. Bernik. In terms of the--so, my view that I would take 
on that is that organizations should only be permitted to save 
this information where they have implemented certain controls. 
And so, what they can't determine or demonstrate.
    And that is an interesting way of looking at it. That they 
have the controls, or they don't need the data, then they 
shouldn't collect it.
    When you go to any office of any chiropractor or anything, 
they will ask you for your personal information. And you will 
write it down. They will put it into a database.
    The question is, do they have the ability to protect it? Do 
they need it?
    Those are questions that should be answered and should be 
positioned by the consumer before they provide that data. But 
that information didn't exist, historically.
    Mr. Davidson. Thank you for that. And I would add that we 
have offered the Market Data Protection Act. It passed the 
House by a unanimous consent.
    We are still waiting on the Senate to take action. And this 
would simply require the Securities and Exchange Commission to 
provide an assurance to us that they do, in fact, have the 
controls in place to oversee that.
    And so, the same governance that a board would expect of, 
say, Equifax, I am confident the I.T. department has a little 
more interaction with the board than they used to.
    And I would think that would serve as good notice for 
governance practices around the country, whether they are in 
the Government or not. And since we don't have a chief 
technology officer for each secretary.
    My time has expired. Mr. Chairman, I yield.
    Chairman Pearce. The gentleman's time has expired.
    And the Chair will now recognize the gentleman from 
Memphis, Tennessee, Mr. Kustoff, for 5 minutes.
    Mr. Kustoff. Thank you, Mr. Chairman. And I do want to 
thank the witnesses for being here.
    Today's hearing has been both very interesting and very 
concerning. I think we would agree with that.
    Ms. Ablon, if I could. Today, we have certainly had several 
hearings where we have talked about the use of cyber--
cryptocurrency. We have talked about that being--becoming more 
predominantly preferred method of use on the--on the Web. I 
think you may have testified to that, at least becoming--
turning that way.
    We also know that the dark Web hosts a forum to sell and 
trade illicit goods and services, firearms, drugs, et cetera. 
And we have talked about the personal information being bought 
and sold in bulk.
    I know a few years ago, 3 or 4 years ago, maybe 5 years 
ago, there was a dark Website called Silk Road. It was shut 
down. Law enforcement worked very hard to shut that down but we 
have other dark Websites that have emerged in its place.
    Given your work in studying how cyber criminals operate, 
can you talk a little bit more--you have talked and there has 
been discussion about the dark Web and online black-market 
sellers. But the shutdown of Silk Road, of AlphaBay, and how 
some of those other Websites actually interact with people and 
how they interact with those dark Websites.
    Ms. Ablon. Sure. You mentioned some great examples of law 
enforcement taking down black-market Websites.
    These markets, you can think of them like an Amazon or an 
eBay, where you point and click and you put a thing that you 
want to buy in your shopping cart. And then, you pay with money 
that you might have in your wallet.
    So, it is easy to do. We are all really familiar with doing 
eCommerce on the surface Web, similarly as how you can do 
eCommerce or by purchasing things on the dark Web.
    I would offer that you noted some notable takedowns. But 
taking down some of these big sites, like Silk Road, AlphaBay, 
Hansa, are good but that just leaves market share for other 
Websites, for other market places to come in.
    So, law enforcement's efforts are like trying to drain the 
ocean with a cup. Every time they take out a market place, 
there is market share available and plenty of cyber criminals 
and nefarious actors to jump in to take that.
    Mr. Kustoff. Can you also--you went through the different 
categories of bad actors. You talked about--one of the 
categories was cyber-terrorist. Obviously, I am talking about 
those foreign actors. Those who aren't here.
    Where do they train? And do any of them train and get their 
education here in the United States?
    Ms. Ablon. Cyber-terrorism is an interesting category of 
cyber-threat actor. It is--in general, they are--they combine 
traditional terrorism and attacks via cyber-space. For an act 
to be cyber-terrorism, it needs to occur through the digital 
domain.
    At this point in time, people who are cyber-terrorists or 
acts of cyber-terrorism are more akin to hacktivism. People in 
the groups like Anonymous.
    Now, that is not to say a question that you might think is, 
well, are terrorists involved with the Internet? Are they 
involved with cyber in some way?
    They are. They use the Internet for a number of reasons. 
To--information gathering, like learning how to build bombs. 
Recruiting, meeting, and conducting--connecting with like-
minded individuals. Spreading propaganda or collecting money or 
other efforts in the sense that they might be cyber criminals 
online but terrorist in the--in the physical world.
    Mr. Kustoff. Thank you very much.
    Mr. Bernik, you testified, in relation to somebody's 
question, about ways to protect yourself, in terms of 
preventing stolen identity. Like you talked about locking the 
credit report.
    Is that analogous to freezing the credit report?
    Mr. Bernik. Correct. It is the same thing.
    Mr. Kustoff. Obviously, I would assume that the three 
credit agencies don't want that, although they do offer that 
service.
    That could be onerous on people who are trying to, 
obviously, take out loans, mortgage refinance, et cetera.
    Is there any other middle ground? Or is that, in fact, the 
most secure way to protect one's identity?
    Mr. Bernik. So, in my experience, that is the easiest way. 
Today, you can unlock it immediately on the Websites by pushing 
a button. They have all made that--all the agencies have made 
that feature available.
    And in the event that you do need to take a loan out or you 
do--you are going to, you just unlock it and it is 
instantaneously available again.
    So, it is merely a question of not allowing those kinds of 
hook-ups to be done or requests to be made of you without you 
first unlocking that button online and unlocking the report.
    Chairman Pearce. The gentleman's time is expired.
    Mr. Bernik. Thank you.
    Chairman Pearce. The members are advised that there is a 
vote in progress. A little over 6 minutes left in the vote.
    For me, I would like to thank our witnesses for your 
testimony today.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    I ask our witnesses to please respond as promptly as they 
are able.
    This hearing is adjourned.
    [Whereupon, at 3:23 p.m., the subcommittee was adjourned.]

                            A P P E N D I X



                             March 15, 2018
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
