[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                STRENGTHENING THE CYBERSECURITY POSTURE 
                 OF AMERICA'S SMALL BUSINESS COMMUNITY

=======================================================================

                                HEARING
                                
                                BEFORE THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                             JULY 20, 2021

                               __________


            Small Business Committee Document Number 117-026
             Available via the GPO Website: www.govinfo.gov
             
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
45-122                     WASHINGTON : 2021                     
          
-----------------------------------------------------------------------------------               
             
                   HOUSE COMMITTEE ON SMALL BUSINESS

                 NYDIA VELAZQUEZ, New York, Chairwoman
                          JARED GOLDEN, Maine
                          JASON CROW, Colorado
                         SHARICE DAVIDS, Kansas
                         KWEISI MFUME, Maryland
                        DEAN PHILLIPS, Minnesota
                         MARIE NEWMAN, Illinois
                       CAROLYN BOURDEAUX, Georgia
                         TROY CARTER, Louisiana
                          JUDY CHU, California
                       DWIGHT EVANS, Pennsylvania
                       ANTONIO DELGADO, New York
                     CHRISSY HOULAHAN, Pennsylvania
                          ANDY KIM, New Jersey
                         ANGIE CRAIG, Minnesota
              BLAINE LUETKEMEYER, Missouri, Ranking Member
                         ROGER WILLIAMS, Texas
                        JIM HAGEDORN, Minnesota
                        PETE STAUBER, Minnesota
                        DAN MEUSER, Pennsylvania
                        CLAUDIA TENNEY, New York
                       ANDREW GARBARINO, New York
                         YOUNG KIM, California
                         BETH VAN DUYNE, Texas
                         BYRON DONALDS, Florida
                         MARIA SALAZAR, Florida
                      SCOTT FITZGERALD, Wisconsin

                 Melissa Jung, Majority Staff Director
            Ellen Harrington, Majority Deputy Staff Director
                     David Planning, Staff Director
                            
                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Nydia Velazquez
Hon. Blaine Luetkemeyer

                               WITNESSES

Ms. Tasha Cornish, Executive Director, Cybersecurity Association 
  of Maryland, Inc., Baltimore, MD
Ms. Sharon Nichols, State Director, Mississippi Small Business 
  Development Center, University, MS
Ms. Kiersten Todt, Managing Director, Cyber Readiness Institute, 
  New York City, NY
Mr. Graham Dufault, Senior Director for Public Policy, ACT/The 
  App Association, Washington, DC

                                APPENDIX

Prepared Statements:
    Ms. Tasha Cornish, Executive Director, Cybersecurity 
      Association of Maryland, Inc., Baltimore, MD
    Ms. Sharon Nichols, State Director, Mississippi Small 
      Business Development Center, University, MS
    Ms. Kiersten Todt, Managing Director, Cyber Readiness 
      Institute, New York City, NY
    Mr. Graham Dufault, Senior Director for Public Policy, ACT/
      The App Association, Washington, DC
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    National Association of Federally-Insured Credit Unions 
      (NAFCU)
    The National Cybersecurity Society

 
                    STRENGTHENING THE CYBERSECURITY 
             POSTURE OF AMERICA'S SMALL BUSINESS COMMUNITY

                              ----------                              


                         TUESDAY, JULY 20, 2021

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 10:01 a.m., in Room 
2360 Rayburn House Office Building and via Zoom, Hon. Nydia 
Velazquez [chairwoman of the Committee] presiding.
    Present: Representatives Velazquez, Crow, Davids, Mfume, 
Phillips, Newman, Carter, Bourdeaux, Delgado, Houlahan, Mr. 
Kim, Craig, Luetkemeyer, Williams, Hagedorn, Stauber, Meuser, 
Tenney, Garbarino, Ms. Young Kim, Van Duyne, Donalds, and 
Fitzgerald.
    Chairwoman VELAZQUEZ. Good morning. I call this hearing to 
order.
    Without objection, the Chair is authorized to declare a 
recess at any time.
    Let me begin by saying that standing House and Committee 
rules and practice will continue to apply during hybrid 
proceedings. All Members are reminded that they are expected to 
adhere to these standing rules including decorum.
    House regulations require Members to be visible through a 
video connection throughout the proceeding, so please keep your 
cameras on. Also, please remember to remain muted until you are 
recognized to minimize background noise. If you have to 
participate in another proceeding, please exit this one and log 
back in later.
    In the event a Member encounters technical issues that 
prevent them from being recognized for their questioning, I 
will move to the next available Member of the same party and I 
will recognize that Member at the next appropriate time slot 
provided they have returned to the proceeding.
    For those Members and staff physically present in the 
Committee today, we will continue to follow the most recent OAP 
guidance. Masks are no longer required in our meeting space for 
Members and staff who have been fully vaccinated. All Members 
and staff who have not been fully vaccinated are still required 
to wear masks and socially distance.
    As new technology has made America more dependent on 
digital tools, malicious actors have been launching more 
frequent and severe cyber attacks. In the early months of 2021, 
we have seen a wide array of headlines detailing attacks on 
institutions like large corporations and municipal governments.
    Just yesterday, the Biden administration acknowledged that 
hackers affiliated with the Chinese government were responsible 
for hacking Microsoft email systems, compromising tens of 
thousands of computers worldwide and exposing reams of 
sensitive data. The fallout of the attack is still being 
evaluated, but it is estimated the hack could have affected 
hundreds of thousands of small businesses. Episodes like this 
exhibit the significant threat cyber attacks pose to small 
businesses.
    This risk has increased in recent years as small businesses 
have begun to rely more heavily on digital technologies. 
According to the Connected Commerce Council, 72 percent of 
small firms increased use of digital tools during the pandemic.
    Unfortunately, as digital adoption has increased, 
investment in security measures has not kept pace. Small 
businesses often do not have the resources to invest in an 
adequate cyber defense system or hire a dedicated specialist. 
Guarding against cyber attacks often comes with high 
implementation costs and substantial investments of time and 
resources. Many are already operating on thin margins and slim 
human resources.
    Failing to prepare for a cyber attack can have disastrous 
impacts. Damage to information systems, regulatory fines, lost 
customer trust, decreased productivity, and lost income are all 
potential consequences of a cyber breach.
    Because of their structural importance to the overall 
economy, attacks on small firms can have severe impacts on 
larger enterprises and governments connected to them through 
the supply chain. Given the greater risk cyber attacks pose to 
small employers and their limited capacity to protect against 
them, this Committee must find ways to help entrepreneurs 
strengthen their cybersecurity posture.
    Today's hearing gives us the chance to examine how existing 
cyber resources can be enhanced and integrated into small 
business support mechanisms.
    I also look forward to discussing new initiatives that can 
alleviate the financial burden of cybersecurity preparedness. 
Small businesses are the foundation of our economy, so their 
vulnerability is our nation's vulnerability. Investment in 
their security will make us all more secure.
    I would now like to yield to the Ranking Member for his 
opening statement.
    Mr. LUETKEMEYER. Thank you, Madam Chairwoman.
    In preparing for today's hearing, I am reminded of how 
pervasive the use of the internet and information technology 
has become in our society in such a short period of time. We 
bank online, we work online, for the past year, we have held 
many congressional hearings online. Our growing dependency on 
constantly evolving information technology is fundamentally 
altering the way we live, and the way businesses of all sizes 
operate.
    Although benefits springing from the utilization and 
adoption of new technologies are incalculable, we are forced to 
contend with a new threat, specifically, the explosive growth 
of a criminal industry seeking to steal valuable data and 
manipulate critical systems for financial gain.
    As the world continues to embrace new technology, we 
increase the attack surfaces through which cybercriminals can 
infiltrate and wreak havoc to a devastating effect.
    These attacks are not without consequence. The cost of 
cybercrime is absolutely overwhelming. Experts estimate global 
damages totaling $6 trillion this year alone, projected to 
reach a staggering $10.5 trillion annually by 2025.
    Because small businesses are the intended targets of 
cybercriminals approximately half the time, the damage 
inflicted upon small businesses is catastrophic. These attacks 
push many to the brink with one in six businesses reporting the 
financial impact materially threatening the company's future. 
In addition to financial costs, many are unable to recover 
from the loss of their intellectual property, resources, and 
reputation following a cyber-attack.
    During my time with this Committee as a member and now as 
Ranking Member, I have had the privilege to speak with many 
small businesses in my district and beyond, and I say with 
certainty that many small businesses do not have the resources, 
knowledge, and awareness to properly defend against such 
attacks which is precisely what makes them attractive targets. 
Many lack sufficient in-house expertise to deal with these 
breaches, leaving it up to the small business owners themselves 
to handle the matter with predictable results.
    Make no mistake; this is asymmetrical warfare. 
Cybercriminals expend little effort targeting small businesses 
that often have fragile to nonexistent cybersecurity defenses, 
while small businesses must allocate valuable time and precious 
resources to defend against this faceless enemy. While attacks 
against large businesses consistently make frontpage news, 
small businesses must not be disregarded. The new reality is 
that large organizations are merely sprawling networks of 
interconnected business partners consisting of all sizes of 
companies including small businesses, each a viable vector for 
attack.
    And one of the most effective means of shoring up 
cybersecurity defenses is knowledge. Knowledge is power and we 
need to empower small businesses with the tools they need to 
protect themselves, and by extension, the wider network of 
businesses and organizations they touch.
    A critical component to knowledge is the need for 
information sharing among the public and private sectors. As 
fast as cybersecurity systems are established and patched, 
cybercriminals are already looking for and in many cases 
successfully finding new creative ways to infiltrate 
organizations' internal networks. Having a robust information 
sharing system is fundamental for a strong and effective 
cybersecurity defense not just for small businesses but for our 
country as a whole.
    Unfortunately, small businesses experience significant 
resistance to participating in cybersecurity information 
sharing activities for a variety of reasons. They may be 
reluctant to risk exposure to potential legal liabilities 
resulting from the disclosure and they may harbor doubts 
regarding the government's ability to adequately protect 
reported data and privacy information.
    The federal government recognizes these concerns and has 
made significant strides towards alleviating these fears. 
However, these efforts must continue to improve in order to 
make the most impact on small businesses which drive the 
digital economy's growth, innovation, and job creation.
    To that end, there are several pieces of bipartisan 
legislation introduced by my colleagues on this Committee which 
attempt to begin resolving some of the issues and reservations 
small businesses have. I hope we will engage in a fruitful 
dialogue with our witnesses about this legislation today. 
Combatting cyber threats is a vastly complicated issue that 
will require largescale coordination across the entire federal 
government and private sectors.
    We must not let that complexity deter us from our goal. 
Rather, we must redouble our efforts towards strengthening the 
cybersecurity of our country starting with small businesses. I 
look forward to hearing the testimony of the witnesses.
    And with that, Madam Chair, I yield back.
    Chairwoman VELAZQUEZ. Thank you, Mr. Luetkemeyer. The 
gentleman yields back.
    I would like to take a moment to explain how this hearing 
will proceed. Each witness will have 5 minutes to provide a 
statement and each Committee Member will have 5 minutes for 
questions. Please ensure that your microphone is on when you 
begin speaking and that you return to mute when finished.
    With that, I would like to introduce our witnesses.
    Our first witness is Ms. Tasha Cornish, the Executive 
Director of the Cybersecurity Association of Maryland known as 
CAMI, located in Baltimore, Maryland. CAMI is dedicated to 
enhancing the local cybersecurity ecosystem by offering 
training, cyber career networking, and the Cyber SWAT team 
which is a free cybersecurity incident hotline. Ms. Cornish has 
nearly a decade of nonprofit leadership experience and she 
earned her master's degree at Johns Hopkins Bloomberg School of 
Public Health and holds a bachelor's degree in neuroscience 
from Cedar Crest College. Welcome, Ms. Cornish.
    Our next witness is Ms. Sharon Nichols, the State Director 
for the Mississippi SBDC. The state's SBDC network provides 
business services at 15 centers and sites, including the 
Mississippi State University Center for Cyber Innovation. The 
MSU SBDC hosts a cybersecurity project to help small businesses 
with data protection in the wake of COVID-19. Before coming to 
Mississippi, Ms. Nichols spent 10 years working for the 
Oklahoma SBDC. Ms. Nichols has an MBA from the Northeastern 
State University and a bachelor's degree from the University of 
Central Oklahoma. The Mississippi SBDC was named Resource 
Partner of the Year for 2020. Congratulations, and welcome, Ms. 
Nichols.
    Our third witness is Ms. Kiersten Todt, the Managing 
Director of the Cyber Readiness Institute known as CRI located 
in New York City. CRI provides prescriptive, accessible, and 
free content and tools to improve the resilience and readiness 
of small and medium-sized enterprises. Ms. Todt has a master's 
in public policy from the John F. Kennedy School of Government 
at Harvard University and earned her bachelor's degree at 
Princeton University. We appreciate your time and expertise, 
Ms. Todt.
    Now I yield to the Ranking Member to introduce our final 
witness.
    Mr. LUETKEMEYER. Thank you, Madam Chair.
    I would like to welcome our final witness, Mr. Graham 
Dufault. Mr. Dufault is the Senior Director for Public Policy 
at ACT/The App Association, representing more than 5,000 app 
makers and connected device companies in the mobile economy. 
The app association gives voice to small technology companies 
and its mission is to help members promote an environment that 
inspires and rewards innovation while providing resources to 
help them raise capital, create jobs, and continue developing 
incredible technology. Mr. Dufault is no stranger to Capitol 
Hill having served as counsel for the House Energy and Commerce 
Committee. He now leads a number of critical public policy 
initiatives on behalf of The App Association members. He earned 
his JD with a concentration in communications law from George 
Mason University and a bachelor's degree in Economics from 
Emory University. Mr. Dufault, welcome back to the Hill. And 
thank you for your participation today. We look forward to your 
testimony. And you are parking at a very good spot along the 
street this morning by the way, right across from my apartment. 
So anyway, thank you, Mr. Dufault for being here. I yield back.
    Chairwoman VELAZQUEZ. The gentleman yields back.
    Ms. Cornish, you are now recognized for 5 minutes.

STATEMENTS OF TASHA CORNISH, EXECUTIVE DIRECTOR, CYBERSECURITY 
ASSOCIATION OF MARYLAND, INC.; SHARON NICHOLS, STATE DIRECTOR, 
 MISSISSIPPI SMALL BUSINESS DEVELOPMENT CENTER; KIERSTEN TODT, 
 MANAGING DIRECTOR, CYBER READINESS INSTITUTE; GRAHAM DUFAULT, 
   SENIOR DIRECTOR FOR PUBLIC POLICY, ACT/THE APP ASSOCIATION

                   STATEMENT OF TASHA CORNISH

    Ms. CORNISH. Great. Thank you again for the invitation to 
be here.
    So CAMI is an approximately 580-member association based in 
Maryland. We were founded in 2015 to grow the industry. About 
80 percent of our members are cyber providers, providing 
products and services to small businesses and the government. 
The other 20 percent supports the industry through cyber 
liability, data privacy law, and other business building 
resources.
    So one of our main roles is to provide business building 
resources to these cyber companies and the other is to educate 
small and medium-sized businesses about cyber hygiene and to 
provide solutions. So I am here specifically to talk about 
that. I am going to cover three of our programs today: our 
Cyber SWAT team; our variety of curated directories of products 
and services; and our advocacy work for financial incentives. 
Additionally, we do collaborative workshops with our business 
partners and chambers of commerce and other trade associations, 
and we also do workforce development initiatives to build that 
critical pipeline of IT and other professionals in cyber.
    So our Cyber SWAT team came out of this huge shift to work 
from home that happened last year. As mentioned before, it 
really expanded the threat surface that our small businesses 
experienced. Virtual machines, VPNs and remote access points 
are commonly high targets for threat actors. So we developed 
the Cyber SWAT team in partnership with the State of Maryland 
and it is a coordinated breach response with all components--
technology providers, cyber providers, cyber insurance, legal 
and compliance, and communication and PR. So businesses who are 
either experiencing a breach or suspected breach can submit 
their request via email and online form or via the phone. So 
within 1 hour, they will receive a call from our triage team. 
We will triage their request to our best fit cyber companies 
based on their size, location, industry, and breach needs.
    So there is no cost to connect with this information, 
resources, or referrals. They get that 1-hour free 
consultation. Of course, if they do choose the services, they 
enter a contract and then pay for those services. But this has 
helped greatly to assist companies in Maryland and beyond 
really with external threats such as phishing campaigns and 
ransomware. And also internal threats, including when 
terminated employees have unauthorized access to systems.
    So moving further upline in the protect and defend section, 
we provide an online directory of all of our member companies 
with relevant designations, including minority-owned small 
businesses, women-owned small businesses, service-disabled 
veteran-owned small businesses, 8(a), et cetera.
    So this is helpful for prime contractors and others looking 
for subs at government agencies, of course, but also private 
sector companies who prioritize diverse vendor pools. We also 
do publications with our local business guides and we are 
launching a program now with Exelon, a Fortune 100 company that 
works in every stage of the energy business. I do not need to 
tell you that there have been some pretty high profile breaches 
within that industry, and typically that is an industry that 
has not had a lot of regulations and compliance. So we are 
working Exelon to connect them through our new database with 
providers in our membership who can help their vendors build 
security programs and complete assessments to really secure 
that supply chain for the energy industry. It is a very highly 
specialized industry so many of these vendors are seeing this 
information for the first time so we are pleased to partner 
with them to do that.
    Additionally, we will be doing something similar for our 
DOD contractors as CMMC or Cybersecurity Maturity Model 
Certifications come down the pipeline to again provide those 
resources to our small businesses who are doing government 
work.
    Lastly, I want to touch on some of the financial incentives 
that we have advocated for. So in 2018, we actively advocated 
for the Buy Maryland Tax Credit which was approved by the 
Maryland General Assembly and signed by Governor Hogan. So it 
offers qualified Maryland businesses fewer than 50 employees to 
receive a tax credit, which is worth 50 percent of the purchase 
price when they buy it from qualified Maryland cyber providers 
of products and services. So qualified sellers are, again, 
small companies or companies owned by the specific 
designations. And this offers up to $4 million worth of tax 
credits each year and has an active directory of about 50 
companies.
    Additionally, there are funds that come down from the 
federal government. So, for example, the Defense Cybersecurity 
Assistance program, which, again, being in Maryland, we have a 
lot of government contractors who do work with the DOD so there 
are specific funds that we help promote that those contractors 
can use for assessments and remediation. Thank you.
    Chairwoman VELAZQUEZ. Thank you, Ms. Cornish.
    Now we recognize Ms. Nichols for 5 minutes.
    Ms. Nichols, you need to unmute yourself, please.

                  STATEMENT OF SHARON NICHOLS

    Ms. NICHOLS. It says that I am unstable. Can you hear me?
    Chairwoman VELAZQUEZ. Yes, we can hear you now. Thank you.
    Ms. NICHOLS. Thank you. Good morning.
    In order to survive the pandemic, many small businesses had 
to quickly pivot to online platforms to sell their product and 
shift to remote work. The small businesses of our nation are at 
high risk for hackers due to the inadequate cybersecurity 
protection for their data and intellectual property as was 
discussed before.
    Why are they at an increased risk? Just like it was said, 
owners simply do not know how to protect their business or they 
lack the funds to do so. Most hackers want money but that is 
not all that is at risk here. No small business wants its 
customers or clients to know that they have been breached and 
it is a fear that they will lose the business or that hard-
earned trust. And so many go unreported.
    In 2016, it was estimated that 10 to 12 percent of all 
cybercrimes were reported. In Mississippi alone, in the last 
couple of weeks, there was a medical clinic in our small town 
that had to pay a ransom to get their data back. This was never 
reported in the news. Just 2 weeks ago, our own office was hit 
by an email phishing scam and I was given an email yesterday in 
regards to a heating and air company that lost a couple of 
weeks of work due to a scam.
    My name is Sharon Nichols. I am the state director of the 
Mississippi SBDC where we offer connection, education and 
guidance for thousands of businesses across the state.
    In response to the cybersecurity crisis, the MSBDC 
allocated a portion of the CARES Act funds we received to 
develop a cybersecurity center to help Mississippi small 
businesses become cyber aware and more prepared. This center 
that was developed offers training based on the CMM model and 
the CMMC, but we call it the CMM model because we do not do 
certification, offering actionable steps any business owner can 
take. Also, access to trained cybersecurity counselors for 
individual counseling, as well as on-demand cybersecurity 
workshops that are available on our website. Everything that we 
offer is for free.
    The Cybersecurity Maturity Model that we have implemented 
is based on a program initiated by the U.S. Department of 
Defense in order to measure their defense contractors' 
capabilities, readiness, and sophistication in the area of 
cybersecurity. And we have adopted this model because it is a 
tool that can be personalized and expanded to meet each 
business's unique levels. Levels one through three, and there 
are five in the CMMC model, are considered attainable by small 
businesses and are designed to make securing a business 
affordable, yet very effective.
    Please know, again, we do not offer the certification at 
the end of each level but business owners can pursue that on 
their own if they choose.
    Collaboration and connection in all of our organizations is 
key and it is the future. The Mississippi Cyber Initiative we 
call MCI was created to offer a central location for the 
exchange of ideas and beneficial information about the 
cybersecurity. The Air Force Base on the Gulf Coast of 
Mississippi, Mississippi State University, and Mississippi Gulf 
Coast Community College are part of MCI. Our organization, the 
Mississippi SBDC has been invited to explore ways MCI resources 
can be shared with the business community. This is an example 
of collaboration and connection.
    The Mississippi SBDC serves the small businesses of our 
state with connection, education, and guidance. And I would 
like to point out how we have applied these guiding principles 
in response to the cyber crisis. Through connection, we are 
connecting our business owners with valuable cybersecurity 
resources via the MSU Cybersecurity Center and MSI into MCI and 
other collaborations. We are acting as a conduit for the 
Federal, state, and local resources to the small businesses in 
our state.
    In education, we are utilizing the Cybersecurity Center to 
educate business owners so that they can evaluate the threat 
that they have and their threat level and institute measures 
for protection. We will be employing a variety of marketing 
platforms reaching out through videos and PSAs and pushing 
awareness on all six of our social media channels. We are 
working to dismantle the idea that small business owners are 
powerless to take charge of cybersecurity and make the process 
involved simple, yet effective.
    Finally, through guidance, we actively supply support and 
guidance via our one-on-one counseling with cybersecurity 
counselors at no cost to business owners. By supplying one-on-
one guidance, business owners can get answers to specific 
questions and solutions unique to their situations. There is no 
putting the genie back in the bottle. Our lives and livelihoods 
are connected via the cyberworld.
    Small businesses play a huge part in the welfare of our 
communities and the nation. We must put cybersecurity and cyber 
safety of our businesses at the forefront of everything that we 
do and equip them with every tool to succeed and protect their 
businesses.
    I very much appreciate the opportunity to be a voice for 
the small businesses of Mississippi, as well as the nation. 
Thank you for inviting me to testify.
    Chairwoman VELAZQUEZ. Thank you, Ms. Nichols.
    Ms. Todt, now you are recognized for 5 minutes.

                   STATEMENT OF KIERSTEN TODT

    Ms. TODT. Thank you, Chairwoman Velazquez, Ranking Member 
Luetkemeyer, and members of the Committee. Thank you for the 
opportunity to testify before you today.
    I currently serve as managing director of the Cyber 
Readiness Institute, a nonprofit effort that convenes senior 
executives of global companies to share resources and best 
practices that inform the development of free cybersecurity 
tools for small businesses, including the Cyber Readiness 
Program, a five-step, self-guided program, several guides all 
based on human behavior.
    In 2016, I served as executive director of President 
Obama's Commission on Cybersecurity, and after the conclusion 
of the Commission, several of the commissioners and myself came 
together to launch this effort. Relevant to the hearing today, 
I also served as a senior staff member on the Senate Homeland 
Security and Governmental Affairs Committee before, during, and 
after 9/11 and helped to draft the legislation to create DHS.
    The assaults on our nation's digital infrastructure, 
particularly over the last 12 months, underscore the urgent 
need to close a critical gap in our nation's cyber defenses. 
When we think about cybersecurity, we tend to think at a 
macrolevel, about state actors and state secrets, hacks of 
millions of online identities, and direct threats to critical 
infrastructure. And when we think about remedies, we tend to 
focus on digital giants and on national or multinational policy 
making. These policy solutions are necessary and appropriate 
but they are not sufficient. The threats we face as a nation 
and as individual consumers and citizens are not restricted to 
the macro level.
    Given that over two-thirds of large businesses outsource a 
portion of their functions and allow third-party access to 
their data, insufficient cyber protection among SMBs can be 
consequential for larger firms, too, as we saw with SolarWinds 
and Kaseya. SMBs, which are constrained by limited resources and 
unable to invest proportionately in cybersecurity expand our 
risk exposure significantly. Eighty percent of America's 
businesses have fewer than 10 employees, and 95 percent have 
fewer than 100.
    SMBs are the backbone of our economy but they are 
inherently fragile. During the pandemic, according to the SBA 
administrator at the time, a small business was closing every 
hour. These small enterprises lacked the resilience to 
withstand a barrage of cyber attacks. Small businesses do not 
have the safety nets that large businesses do. An attack of any 
size can challenge their viability.
    At the end of 2020 and earlier this year, we experienced 
the impact of several high-profile attacks, with impacts across 
multiple supply chains and critical infrastructure. We have 
been forced to now understand that in addition to physical 
supply chains, all businesses, especially small businesses, 
must pay attention to their IT supply chains.
    These events have brought us to another so-called 
inflection point. So-called because we use this term frequently 
when it comes to cybersecurity, yet we continue to fail to do 
what is necessary to improve America's cyber defenses. These 
events and attacks are symptoms of the challenges we face. 
Policies are not enough, nor can we simply shrink tools and 
techniques employed by major corporations into compact versions 
for SMBs.
    Small businesses need access to cybersecurity resources and 
support from the federal government. They need prescriptive, 
easy to adopt programs that strengthen their everyday 
operations while not pinching their budget. Because a small 
business may not have a department or even a single employee 
solely focused on cybersecurity, approaches grounded in 
creating cultural change through human behavior and education 
are critical to helping small businesses become more resilient.
    Human behavior can be a force multiplier for cybersecurity 
in small businesses and larger ones as well. Small businesses 
must be educated on the threats and the fundamental actions 
that they need to be resilient.
    The federal government can play a critical role. Earlier 
this year, the Cyber Readiness Institute released a white 
paper, The Urgent Need to Strengthen the Cyber Readiness of 
Small and Medium Sized Businesses: A Proposal for the Biden 
Administration, outlining actions to help small businesses. 
Here are five steps from the white paper that the federal 
government can take to improve small business cybersecurity 
defenses.
    My prepared testimony goes into greater detail and I am 
happy to elaborate during our Q&A.
    1. Create a Small Business Cybersecurity Center. Today, no 
single government agency curates cybersecurity resources from 
multiple vetted sources for SMBs. Given the ongoing work to 
support SMBs by the Cybersecurity and Infrastructure Security 
Agency and the recent allocation of additional resources to the 
agency, CISA is a recommended agency to perform this function.
    2. Establish cybersecurity incentives. Tax credits to SMBs 
that invest in cybersecurity can incentivize cybersecurity 
efforts.
    3. Set cybersecurity standards. We need minimum standards 
for cybersecurity that all organizations must follow, including 
small businesses.
    4. Launch national cyber squads. We should amplify the 
existing cyber corps with government-funded cyber squads of 
student interns to help minority-owned SMBs and to fill a 
desperately needed talent pipeline.
    5. Roll out a national cyber readiness education campaign. 
Awareness is critical for small businesses in the entire 
population. We need an effective public service campaign that 
would focus on a single, basic cybersecurity issue, such as 
using multifactor authentication, which experts assert would 
reduce cyber attacks significantly.
    Our nation's cybersecurity challenges are diverse. One 
foundational way we can improve our defenses is by supporting 
and investing in the cyber readiness of small businesses. 
America's hundreds of thousands of small businesses can be 
mobilized, educated, and supported to be our resilient 
frontline of cyber defense and to become a great strength for 
our country. This critical investment in building that strong 
defense will pay major dividends for our nation. Thank you.
    Chairwoman VELAZQUEZ. Thank you, Ms. Todt.
    We recognize Mr. Dufault for 5 minutes.

                  STATEMENT OF GRAHAM DUFAULT

    Mr. DUFAULT. Thank you, Chairwoman Velazquez, Ranking 
Member Luetkemeyer, members of the Committee. My name is Graham 
Dufault, and I am senior director for Public Policy at ACT/The 
App Association. The App Association is the leading trade group 
representing small, connected device and mobile software 
companies in the app economy which is about a $1.7 trillion 
sector globally that supports about 5.9 million jobs in the 
U.S., including in your districts.
    I am here to ask for your help to improve the cybersecurity 
resources for small businesses that are the backbone of your 
districts.
    In Brooklyn, Ali Iberraken founded Chaperone, an app to 
help teachers organize and manage fieldtrips. Jason Oesterly, a 
former IBM and MasterCard developer created WASHMO Media in 
Washington, Missouri. So app economy innovators like Chaperone 
and WASHMO deal with cyber threats all the time. Small 
companies, even in industries associated with a higher level of 
technical expertise, like our members, are a favorite target of 
cybercriminals. In fact, about 71 percent of companies 
reporting cyber attacks are small firms. And around 80 percent 
of small firms say they are not prepared for a cyber attack. 
Most of them are reticent to tell anyone about the fact that 
they are victims as you have heard from other testimony today.
    We want to highlight four main things for this hearing.
    1. While recent high-profile ransomware attacks are 
grabbing headlines, it is difficult for small companies to 
share information about threats, incidents, and defensive 
measures they use. Legislation like H.R. 1649 and 1649 from 
last Congress would help create better conditions for 
information sharing and readiness. So we appreciate the 
Committee's work on those pieces of legislation and we are 
pleased to see that at least one of them is being reintroduced 
this week.
    2. Cybersecurity is a team sport in many ways. Small 
companies, especially app makers, leverage the cybersecurity 
capabilities of software platforms such as app stores, 
operating systems, and Cloud services to protect their clients 
and customers. Federal policy should enable these platforms to 
take protective measures and to avoid undue interference with 
them on antitrust and other grounds.
    3. Cybersecurity begins with good defenses. Small companies 
rely on technical protection measures like encryption of data 
in transit and at rest and on devices, so where is the 
Committee to push back on proposals that would weaken 
encryption?
    And a bonus,
    4. I would be remiss if I did not mention the number one 
daily issue my industry faces and that is finding and hiring 
enough qualified people. With about 3.5 million unfilled 
cybersecurity jobs globally, Federal investment in this area is 
necessary. So we support programs like the Master Teacher Corps 
and legislation like the Computer Science for All Act, H.R. 
3602.
    App Association members and our customers have everything 
to lose when it comes to cyber threats. The onslaught of recent 
attacks comes amid a global talent shortage so we cannot simply 
hire our way out of the problem. Therefore, we need your help.
    Cybersecurity for mobile devices is important for everyone. 
For example, Black and Hispanic Americans rely 
disproportionately on mobile devices as opposed to desktop 
computers to access online services. These devices now contain 
our most sensitive personal data, including financial real-time 
location and health information. Therefore, app makers in 
particular must leverage the security features of software 
platforms and Cloud services. Unfortunately, in some proposals 
in Congress and in some states that prohibit these gating 
functions ostensibly to help my member companies and your 
constituents but in truth they would do much more harm than 
good. So we urge you to reject those ideas as they make smart 
devices much less secure and much more attractive targets. Why? 
Because cybercrime is a business after all. And cybercriminals 
benefit also from the silence of their victims.
    If Congress's goal is to make it harder for cybercriminals 
to do business, information sharing plays a key role. We need 
to make it too costly for cybercriminals to target small 
companies with $15,000 ransoms. The attacks we see on small 
firms from real estate investment to neighborhood bike shops 
are often well-designed to ensnare specific kinds of victims. 
The attackers learn the lingo of the sector they target and 
study everyday practices to disguise phishing attempts so that 
they look legitimate. Understanding these shifting forms of 
camouflage requires rapid intelligence sharing and we need to 
counterbalance the potential legal exposure and reputational 
harm of disclosure.
    While small companies often rely on outside support and 
expertise for cybersecurity, it is impossible to contract away 
risk or accountability for security. It is incumbent on small 
companies to develop a level of independent working knowledge 
of cyber threats to their business and information sharing best 
practices.
    The Committee is well-positioned to help improve 
cybersecurity literacy for small firms, and the conditions for 
information sharing, and we look forward to assisting with 
those efforts.
    Thank you for the opportunity to share our views, and I 
look forward to your questions.
    Chairwoman VELAZQUEZ. Thank you, Mr. Dufault. I will begin 
by recognizing myself for 5 minutes. I just want to say that it 
is kind of scary listening to your stories and your expertise 
regarding the threat of cybersecurity. I would like to ask Ms. 
Todt, based on your own experience having worked for the 
federal government, and now as the CEO of this institution, do 
you think that there is an ongoing education throughout the 
federal government in terms of different agencies as to the 
threat that they are exposed to? How does that trickle down to 
those most vulnerable--in this case, small businesses?
    Ms. TODT. Thank you, Madam Chairwoman.
    There is absolutely an education challenge. And when we 
talked to small businesses, and I think this holds true 
certainly for large businesses, the issue is not that they do 
not know, they do not want to do anything, the issue is that 
they often do not know what they should be doing and where the 
threat is.
    There was a survey done by Apple recently that said that 
many small businesses asked, well, is this not part of my 
software package, the security piece? And so we have to be more 
prescriptive. So when we are looking at the Federal agencies, 
and this is where I think the increase in resources to CISA is 
going to play a significant role as well as the new leadership 
working in collaboration across agencies to create a 
synchronized effort that educates the agencies on the 
priorities and also creates a unified government approach so 
that you do not have agencies looking to others to understand 
what is happening but that there is leadership both within the 
White House and within CISA that helps to streamline what needs 
to happen because the threats are certainly consistent across 
all of our agencies and I think as Chris Inglis, the new 
national cyber director said in the context of the 
international arena but it certainly is in the domestic arena 
as well, in order to get one of us you have to get all of us 
and I think that approach for government needs to hold true.
    Chairwoman VELAZQUEZ. Thank you.
    Ms. Nichols, what were the most common services requested 
by small business owners in the transition to telework because 
of COVID-19?
    Ms. NICHOLS. You know, I would like to say it was 
cybersecurity but that was not it. It was mostly sources of 
capital because they were concerned about how they were going 
to keep their doors open. And confidence to survive, trying to 
find out how to handle their financial projections as well as 
the logistics of employees, Internet connections, suppliers, 
and commitments. Cyber was not that one thing that they 
contacted us about. And so while it was the greatest need, it 
was not what they contacted us about.
    Chairwoman VELAZQUEZ. Ms. Nichols, the SBA rolled out 
several COVID-19 programs in 2020. Did any of these programs 
provide cybersecurity specific guidance?
    Ms. NICHOLS. To my memory, neither the EIDL nor the PPP 
programs provided cybersecurity specific guidance. The PPP was 
primarily for payroll followed by other items, such as rent and 
utilities and the EIDL had an allowance for accounts payable 
and other bills but not specific to cyber unless it was already 
a related expense.
    Chairwoman VELAZQUEZ. Thank you.
    Ms. Cornish, with respect to commerce directly, what is the 
importance of including the designations or certifications 
small businesses may have as part of the company information?
    Ms. CORNISH. Sure. So part of it is for, you know, 
subcontractors and prime contractors and even government 
agencies to better diversify the government contracting 
workforce. Additionally, when our companies are looking at 
their own DEI plans, many of them want to incorporate diverse 
vendors in that pool as well. So we are excited to help support 
those efforts through our designations.
    Chairwoman VELAZQUEZ. Thank you. Do you think that 
including such designations can promote diversity and 
cybersecurity contracting?
    Ms. CORNISH. Absolutely.
    Chairwoman VELAZQUEZ. Mr. Dufault, recent security breaches 
have heightened the importance of continuously monitoring 
against outside threats but the necessary technologies and 
practices are too expensive for small firms. How much on 
average is the cost to secure networks?
    Mr. DUFAULT. That is a great question. It is one of the 
main areas of focus that a lot of our member companies have to 
pay a lot of attention to. I am not sure exactly what the cost 
is per small company. It probably varies as to what kinds of 
tools you want to adopt. One of the observations of one of our 
member companies is that for a lot of really specific 
cybersecurity focused tools that help you manage your threats 
across your supply chain, the number of licenses that you have 
to buy is really high. And so it is kind of you have to buy in 
bulk, and this particular member company just signed up as a 
reseller so they could get access to a smaller number of 
licenses. And so that is potentially a problem and a potential 
area of focus here to provide more Federal resources so that 
companies can buy smaller and not necessarily in bulk access.
    Chairwoman VELAZQUEZ. What can SBA and its resource 
partners do to remove barriers for small firms that want better 
protection?
    Mr. DUFAULT. That is a great question, Chairwoman. There 
are a few things that you guys can do. We were really happy to 
see Congress introduce H.R. 1648 and 1649 last Congress. These 
are bipartisan bills that would help ensure that there are 
liability protections for information sharing with the 
government, but also to provide more resources for small 
companies through the federal government through the SBA to 
have access to cybersecurity counselors. And so that was H.R. 
1649 which has a certification program for SBA employees. So 
access to that through the SBDCs is something that we feel 
would be a great improvement and would help them.
    Chairwoman VELAZQUEZ. Thank you. My time has expired.
    Now we recognize the Ranking Member, Mr. Luetkemeyer.
    Mr. LUETKEMEYER. Thank you, Madam Chair.
    Mr. Dufault, you know, one of the things that is concerning 
to me is the cost to be able to protect the small businesses 
out there. And so it is a two-part question. The first part of 
it is what would be the average cost that a small business 
would have to anticipate occurring to be able to protect 
themselves? And then the problem becomes, well, you have got to 
protect it today but there are a lot of smart guys out there 
that are going to figure out how to break into the 
security you have got right now so you are going to have to 
continue to update your security and you are always behind the 
curve, so to speak here in trying to protect yourself. And so 
these ongoing costs are sometimes things that I think deter 
small business from even, they throw their hands up and say, 
well, I probably cannot afford the first set of security 
measures. I sure cannot continue to pay money out the door when 
I think my exposure is small. How would you answer that 
question?
    Mr. DUFAULT. So it is a great question, Congressman. I 
think, you know, one of the member companies described the cost 
of just trying to get penetration testing, which is kind of an 
entry level set of services where an outside firm comes in and 
tests your network. Tests the integrity of the security systems 
that you are using. And that can cost between $10,000 and 
$30,000 according to the member company. And that is just the 
one-time cost. And that is just for that service. So if you 
want to buy the full suite of services it goes up from there.
    Now, we also have member companies that have worked with 
other customers that have had trouble putting together $200 to 
pay for antivirus software which is the lowest, sort of the 
lowest level tool that you can invest in. So it ranges quite a 
bit, I think, depending on the kind of company you have and 
your focus and whether or not you are seeing these threats.
    Another thing I will point to is the IT sector coordinating 
council. So DHS has various sector coordinating councils where 
they focus on cybersecurity in different sectors. The IT sector 
coordinating council did a survey of small businesses, and 
about 38 percent said they do not expect to see a cyber 
incident in the next 2 to 3 years which is a little bit of 
overconfidence I think. And so there is a baseline level of 
sort of an appreciation that you have to have in addition to 
the amount of money that comes along with the basis for 
spending that kind of money on these protective measures. So on 
an ongoing basis as you pointed out, it is even harder.
    Mr. LUETKEMEYER. Thank you.
    Ms. Cornish, you talked about a tax credit that was put 
together by I think the State of Maryland I think you 
indicated, which is intriguing to me. But I was curious, what 
kind of participation rate was there among the small 
businesses? And what was the average cost that they actually 
were able to get a credit for? Or do you know that information 
off the top of your head?
    Ms. CORNISH. Sure. I can speak a little bit to that.
    So it certainly is not utilized to its full potential by 
our small business community. So we know that there is work to 
do on our end to help promote that as well. I think to Graham's 
point, many of the costs range between $5,000 to about $30,000. 
There are ways to do continuous monitoring that is a little bit 
less expensive on the defensive side. So then it only cost 
about $6,000 to $10,000 a year.
    Mr. LUETKEMEYER. One of the things I think, Mr. Dufault, I 
think back to you again. I think somebody else mentioned, 
talked about the number of folks within the industry worth 3.5 
million jobs, people short to be able to fill the number of 
folks. What is the problem here? We just do not have enough 
people interested in the field? The wages are too small to 
attract people into it? Nobody likes to do that kind of work? 
What do you think?
    Mr. DUFAULT. There are a number of different factors. Some 
of it is cultural. There is a lack of, I think, awareness of 
the available jobs. When you are going into college and when I 
was going into college there was not a whole lot of emphasis on 
sort of STEM fields at that time. So there is sort of an 
outreach campaign that can be done to make sure the folks know 
that this is where high-paying jobs are. It is $89,000 median 
salary for this kind of work here in the U.S. across the 
country.
    Mr. LUETKEMEYER. Let me interrupt. My time is about up 
here.
    Is this something that Small Business Administration could 
do? They could entice or enhance or send out information to the 
high schools and folks, colleges, to let them know that there 
is availability of all this? I mean, we have to get the SBA 
engaged in this somehow because this is a small business issue.
    Mr. DUFAULT. I think that is a great idea. I think that 
there is definitely a role for the Small Business 
Administration there. There are other Federal agencies that 
ought to be involved but the Small Business Administration in 
particular because small companies do have trouble finding 
access to qualified folks.
    Mr. LUETKEMEYER. My time is expired. Thank you. I yield 
back.
    Ms. HOULAHAN. The gentleman's time is expired and the 
gentleman yields back.
    The gentleman from Colorado is now recognized for 5 
minutes.
    Mr. CROW. Thank you, Madam Chair.
    For more than 20 years, the SBA Office of the Inspector 
General has listed IT security as one of the most serious 
management and performance challenges facing the SBA. So this 
is not obviously a new thing but it is more acute and becoming 
more of a problem as particularly nation state actors and 
others weaponize the ability to go after our small businesses.
    Recently, I reintroduced the bipartisan SBA Cyber Awareness 
Act which would direct the agency to issue an annual report 
assessing its cybersecurity infrastructure. It also requires 
the SBA to report cyber threats, breaches, and cyber attacks to 
the respective House and Senate Small Business Committees. And 
then to notify affected individuals within 30 days because we 
know that notification is one of the biggest issues, is the 
required notification.
    So that is part of it. But even after the notification then 
there is the issue of what happens next? And in all of your 
testimonies you referenced the challenges particularly facing 
small businesses that just do not have the resources.
    So Ms. Cornish, starting with you, can you describe, flesh 
out for me a little bit more what resources are available, 
could have the biggest impact on providing resources or support 
to small businesses particularly in high tech sectors? Like, I 
have a lot of defense, aviation, and aerospace within my 
district and a lot of those are small businesses and they are 
prime targets of hacking and intellectual property theft. What 
is out there and what could make the biggest impact that is not 
out there?
    Ms. CORNISH. Sure. So in the defense industry, 
specifically, there is the Defense Cybersecurity Assistance 
Program which provides funding for assessments, and honestly, 
you know, investing in the assessment and the protection phase 
is really where you are going to get the largest ROI for the 
SBA and others. So I would certainly encourage investment 
there. When companies are breached, you know, definitely it 
varies by the situation, but certainly shoring up interventions 
to improve your chances moving forward are critically important 
there.
    So I would love to see that the DCAP comes down from DOD. I 
would love to see other agencies also do something similar 
through their Office of Small Business work.
    Mr. CROW. Thank you.
    Ms. Todt? Mr. Dufault?
    Ms. TODT. Thank you. One of the key issues that we focus on 
at the Cyber Readiness Institute is human behavior because it 
recognizes that regardless of the sector that you are in or the 
resources that you have you have got to start by creating these 
cultures of behavior. And if we make the analogy to safety, 
creating cultures of safety that we did with businesses 
particularly following 9/11, it helps us to understand that 
while this is all new to us and it is somewhat foreign and 
uncomfortable, we often say security is not convenient, we can 
create those cultures. And by doing so, you have force 
multipliers in your companies when every individual recognizes 
that he or she can be an access point to the network, that he 
or she can be the strength that actually prevents an attack or 
can be the opportunity. And I think that is one of the pieces 
in the education that we have got to be focusing on to help 
employees have that accessibility to those resources and the 
knowledge.
    Mr. DUFAULT. Yeah, Congressman. And I agree 100 percent 
with the comments of Ms. Todt because all it takes is one weak 
point in a company or an organization and that is why you saw 
with some of the recent cyber attacks they used the password 
spray where they try really common passwords on a large number 
of accounts because chances are in an organization of a couple 
hundred people or a couple thousand people somebody will use 
password123. And so creating that culture that Ms. Todt 
described is extremely important. And also understanding which 
kinds of threats are being directed to your specific industry 
because they are kind of, as I said in the oral statement just 
a minute ago, the attackers are studying the everyday habits 
and trying to mimic those and they do a pretty good job of that 
based on specific sectors. So, info sharing within sectors is 
extremely important.
    Mr. CROW. Thank you.
    And Ms. Nichols, to you, and I guess to that last point 
since you are with an SBDC, on the training piece, training of 
employees and others, how can we better do that or assist small 
businesses in conducting the training?
    Ms. NICHOLS. So we are basing our model on the DOD 
cybersecurity model, the CMMC, but just using the CMM portion 
of it. And I liken it to the Maslow's Hierarchy of Needs. 
Basically, on level one through three is basic cyber hygiene, 
and it is all about education and awareness, where also I think 
it is very imperative that we look at what is our consistent 
voice and what is that consistent messaging because there are a 
lot of resources out there and a lot of organizations, and I 
believe that the consistent messaging and education and 
training is very key not only just for employees but for 
potential employees because there needs to be that standard 
base and education.
    Mr. CROW. Thank you. My time is expired. I yield back.
    Ms. HOULAHAN. Thank you. The gentleman's time is expired 
and the gentleman yields back.
    The gentleman from Texas, Representative Roger Williams, 
the Vice Ranking Member of the Committee is now recognized for 
5 minutes.
    Mr. WILLIAMS. Thank you, Madam Chair.
    A 2021 Cybersecurity Trend Report shows that phishing is 
the top cyber threat for small businesses as we have talked 
today. In this type of attack, simply clicking on a link or 
opening an attachment can compromise an entire company's 
network. Rather than target a vulnerability within the cyber 
network, this tactic targets unknowing employees. Regardless of 
what additional resources or best practices are shared to the 
industry, we must ensure that we are not leaving out the 
socially engineered attacks that can occur on untrained 
employees.
    So Ms. Nichols, first of all, Mississippi State has a great 
baseball program.
    Ms. NICHOLS. Yes, they do.
    Mr. WILLIAMS. That is good.
    Secondly, can you discuss the training that SBDCs, and we 
have talked about this a little this morning, have to ensure 
employees are aware that they could be targets of these 
phishing attacks?
    Ms. NICHOLS. Specifically attacking employees, is that what 
you are asking?
    Mr. WILLIAMS. Yes.
    Ms. NICHOLS. Yes. And it is just a matter of awareness. 
Just like I said in my presentation, our organization had been 
phished. And it is raising awareness of that basic, what to be 
ready for and, you know, what are the very basic minimal things 
that you have to look for. And that is what we want to show our 
small businesses is how to prepare their employees to work 
remotely but also keep their intellectual property and their 
information safe. So the social engineering is really the focus 
of most training that is going on right now. And while it is at 
a higher level and you hear about the big ones like the 
pipeline and different things that have happened, it is the 
smaller phishing that is really affecting the smaller 
businesses. So education is key.
    Mr. WILLIAMS. Thank you.
    When small businesses are targeted with cyber attacks, it 
may not make the news like some of the more high-profile cases 
we have seen lately such as the Colonial Pipeline or Microsoft 
attacks. Unfortunately, since many of these smaller companies 
operate on tighter budgets, they are often easier targets and 
then the intruders can go undetected for long periods of time 
than some of the more established businesses.
    So Mr. Dufault, you mentioned in your testimony that 
smaller firms could leverage the cybersecurity capabilities of 
Cloud services. Can you elaborate on the advantages of using 
this service and why it may be a more attractive option for 
smaller firms who do not have as large of a budget to dedicate 
to cyber defense?
    Mr. DUFAULT. Absolutely, Congressman. It is a great 
question.
    As there was testimony earlier this year in the Homeland 
Security Committee where witnesses sort of elaborated on the 
capabilities that Cloud providers have in contradistinction to 
where you are using on-premises hosted servers. Right? Where if 
you have your own servers there at the small business, it is 
incumbent upon you, the small business, to install updates that 
could have security patches. It is also incumbent on you to 
sort of on your own go out and find threat indicators and 
indicators of compromise whereas all that stuff sort of happens 
quickly and efficiently if you are using Cloud-hosted servers 
where the updates are sent automatically, that patch potential 
vulnerabilities, and you also sort of benefit in real time and 
quickly from indicators of compromise that other folks are 
seeing that are using the same Cloud services. And so that is 
sort of what I am referring to when I say the ability to 
leverage those capabilities.
    Mr. WILLIAMS. Very good.
    Cybersecurity breaches are only going to become more common 
as we know and technology continues to advance and criminals 
get more sophisticated. While small businesses do what they can 
to protect themselves from attacks that never happened in the 
first place, it is ultimately the government's responsibility 
to track down and hold these bad actors accountable. If we use 
every tool at our disposal to hold these criminals accountable, 
it will deter these attacks in the future.
    Ms. Cornish, are there any roadblocks that are preventing 
the federal government from more aggressively prosecuting 
cybercrimes?
    Ms. CORNISH. To my understanding, no. But I do----
    Mr. WILLIAMS. You believe that?
    Ms. CORNISH. I am encouraged by the partnership, the 
public-private partnership that we are continuing to discuss 
because I do also believe that that is part of it. But I do not 
feel like I can speak to the roadblocks specifically at the 
Federal level blocking that.
    Mr. WILLIAMS. Well, public-private partnerships only work 
better. No question.
    I yield my time back, Madam Chair. Thank you.
    Ms. HOULAHAN. Thank you. The gentleman's time is expired 
and the gentleman yields back.
    The gentleman from Maryland, Representative Mfume, the 
Chairman of the Subcommittee on Contracting and Infrastructure 
is now recognized for 5 minutes.
    Mr. MFUME. Thank you very much, Madam Chair. Good morning, 
everyone.
    I have got a question for any of you or either of you who 
may know the answer should feel free to address. With respect 
to cyber attacks, what do you estimate the average loss to be 
as a percentage of overall revenues to small businesses 
regardless of their size?
    Ms. TODT. So based on research and studies that we have 
conducted with some of our member partners and the larger 
global companies, we estimate that a cyber breach can cost 
about $4 million per small business. So when you think about 
the revenue that small businesses have, sometimes that does not 
even cover their revenue. And the number of employees, whether 
it is 2, 20, or 200, the significance of that piece. And I 
think the challenge for small businesses is their awareness 
that they are an access point to larger companies but that they 
also hold data. And data a couple years ago surpassed oil as 
the most valuable global commodity. And I think these issues 
for small businesses require the education so that they are not 
in a position where they are paying $4 million to respond 
because the recovery takes quite a long time.
    Mr. MFUME. And so how many small businesses does that wipe 
out on an average per year?
    Ms. TODT. So there are different statistics around this but 
what we saw with the pandemic is that over 65 percent of small 
businesses that suffered a breach did not go back online 6 
months later. So that given a 6 month recovery time, those 
small businesses did not recover.
    And I think one of the things that we have learned again, a 
lot from our large member companies is that the recovery piece 
to this, it is like a hurricane. We get very involved in the 
crisis response. It is on the front page of the paper. We are 
looking to see how everybody is doing. But when you go back 6 
months later into the community, or 12 months later, you are 
seeing long-term and devastating impact. The same is true for 
businesses, particularly with ransomware attacks because of the 
impact it has.
    Mr. MFUME. And what about 5 years ago. What would you have 
said that same dollar amount would have been?
    Ms. TODT. So I would say it would have been a lot less. I 
cannot estimate but I think, you know, and I do not even 
believe that small businesses were the target that they are 
today. What has happened with IOD and the interdependencies of 
the digital economy is that small businesses are such critical 
parts of global supply chains that now to the point that we 
have all discussed, they are a target because they are the 
weakest link.
    Mr. MFUME. And because of that, do any of you know or are 
aware of the number of states that offer the kind of tax credit 
that Ms. Cornish referenced earlier?
    Ms. TODT. I am not aware of others. I do not know if----
    Ms. CORNISH. I am not either.
    Ms. TODT. I do think it is something the federal government 
could look at.
    Mr. MFUME. So let's talk about Maryland since we know about 
that, Ms. Cornish. You said that that tax credit is being 
underutilized.
    Ms. CORNISH. It is.
    Mr. MFUME. Why do you think that is?
    Ms. CORNISH. I think partially there is an under awareness 
among users as well as cybersecurity companies. So we certainly 
have a cybersecurity audience, so we will continue to promote 
among our membership and also among our strategic partners and 
other trade associations and such.
    Mr. MFUME. I think it would have to be an aggressive sort 
of promotion. If you have been around offering a tax credit and 
people are not taking advantage of it and yet they are being 
hit by these attacks that we just heard could just completely 
wipe them out. How are you going to do that over the next few 
months?
    Ms. CORNISH. Yeah. I can certainly reach out to our close 
partners at the Department of Commerce because I do believe it 
is a state-driven approach as well.
    Mr. MFUME. And I do not know how much time I have left but 
what, if any of you think the SBA should be doing to lower the 
threat level? Have you got some concrete suggestions for us?
    Mr. DUFAULT. I will take that one, Congressman. That is a 
great question.
    I think the SBA could, number one, provide personnel and a 
certification program for SBA personnel to get up to speed on 
the latest cyber threats and be in a position to counsel 
companies from SBDCs and then provide some funding for those 
programs on an ongoing basis. That is a great way to do it 
because SBDCs are a great resource that folks use quite a lot. 
And then the SBA could also create sort of a hub for 
information sharing, a little bit like what CISA does through 
NCCIC at the Department of Homeland Security. And so those are 
two ways that small businesses could be better supported and 
help them on a more cost-effective basis deal with----
    Mr. MFUME. Mr. Dufault, I get the sense that you have more 
than two ways to suggest. So could you write those down and 
transmit those to the Committee? I want to specifically try to 
follow up with the SBA to make sure that those sort of 
suggestions get heard outside of this Committee room.
    Mr. DUFAULT. That is excellent. Absolutely. We will do 
that.
    Mr. MFUME. Thank you. I yield back, Madam Chair.
    Ms. HOULAHAN. Thank you. The gentleman's time is expired. 
The gentleman yields back.
    The gentleman from Minnesota, Representative Hagedorn and 
the Ranking Member of the Subcommittee on Underserved, 
Agricultural, and Rural Business Development is now recognized 
for 5 minutes.
    Mr. HAGEDORN. I thank the Chair and the Ranking Member for 
holding this Committee. Thanks to the witnesses. And Mr. 
Dufault, one of your members is in our district in Rochester, 
Minnesota, Southern Minnesota, Advantage Software, and it 
sounds like they have had a great business for going on 40, 50 
years providing farmers with real-time data and inventory and 
doing all sorts of things that production agriculture really 
makes a big difference in that type of thing. So we appreciate 
that work and all the other members that you have going quite 
something. It seems to me this might be one of these areas 
again where big government, some politicians think let's impose 
standards. Let's force the small businesses to do all these 
things to comply in order to do business with the government 
and it becomes unreasonable, the mandates. And then they turn 
around and say, well, let's subsidize it. That is kind of a 
typical pattern that we see.
    But one of the things that bothers me is I am concerned 
that the agencies sometimes require the contractors, the 
smaller businesses to comply and do things that they themselves 
do not do. I mean, I am one of 21 million Americans who had 
their records stolen from OPM. The Communist Chinese, I guess, 
know whatever they want to know about me and yet nobody could 
be sued. There was no liability. The government has a different 
standard than they impose to others. Do you think small 
businesses who work in good faith with the government provide 
the information, do what they can in order to protect 
themselves and the business operations? Do you think they 
should have a liability standard similar to the government 
where they are not sued?
    Mr. DUFAULT. Congressman, it is a great question. I think 
it points to two things. One, Federal agencies need to probably 
do a better job when it comes to securing their networks. And I 
think that points then to whether or not my member companies 
and other businesses across the nation are willing to share 
threat data and share sensitive, potentially sensitive 
information that shows what the threats might be with Federal 
agencies. They do not want that information to be breached.
    And then secondly, the other point that you made, whether 
or not there ought to be some sort of liability protection for 
information sharing and other measures that my member companies 
and other companies like them take to make sure that other 
companies are ready and that other folks in the sector are 
ready. Absolutely. I think CISA is a great start. I think that 
other legislation that was introduced last Congress and I think 
hopefully will be introduced again this Congress would ensure 
that there is additional liability protections for small 
businesses because we have to overcome the reputational damage, 
not just as my fellow witnesses pointed out, the initial 
problems.
    Mr. HAGEDORN. I think most businesses have real incentive 
to make sure that they can protect their customers and do work. 
They do not want to lose business. They do not want to go 
broke. They like to be able to continue to build their 
business. So your industry is quite fascinating. You said 
something like $1.7 trillion, all these millions of employees, 
and that there is all these open jobs--3, 4 million open jobs, 
some of which are paying $50,000, $60,000, $70,000, $80,000 
just to get going.
    Can you walk us through what the average person in your 
industry would do in order to be trained up or get education? 
And how are some of the small businesses, are they working with 
them to try to bring them in and pay for some of that?
    Mr. DUFAULT. That is a great question, Congressman.
    Some of our member companies have just developed their own 
training programs because they need access to more folks that 
will write software. And so one of our member companies in 
Denver created a coding academy and they sort of focus on 
cybersecurity measures and secure coding. I think that is one 
of the things that training programs are trying to emphasize 
right now but write software that is secure at the beginning. 
It is sort of like what the Federal Trade Commission says about 
privacy by design. If you are designing a software product, 
build security into it. And so they have developed training 
program that have specific focuses like that. We also have a 
member company, Bit Source in Kentucky that sort of specialized 
in training former coal miners to code so that they would have 
a bigger workforce base.
    Mr. HAGEDORN. So one bill that we have introduced, I have 
introduced, is the American Workforce Empowerment Act which 
would enable people who have 529 education savings accounts to 
use that for an array of different purposes, not just to go to 
a 4-year college or whatever. It seems like there could be 
areas here where folks could utilize those types of money in 
order to get into your industry. So I would encourage folks to 
cosponsor that bill and try to get things moving for you. 
Thanks very much.
    Mr. DUFAULT. Thank you.
    Chairwoman VELAZQUEZ. The gentleman yields back.
    Now we recognize the gentleman, Mr. Phillips from 
Minnesota, Chairman of the Subcommittee on Oversight, 
Investigations, and Regulations for 5 minutes.
    Mr. PHILLIPS. Thank you, Madam Chair.
    Ms. Cornish, you mentioned the DOD program that makes 
funding available to contractors to perform assessments and 
take steps to defend against cyber threats, of course. And we 
all know that large firms like Intel and Google engage in what 
are called bug bounty programs that provide rewards for 
identifying security threats and vulnerabilities on their own 
platforms. And just last month, CISA had launched the first 
Federal Civilian Security Vulnerability Disclosure program--
boy, that needs an acronym, I think--to work with the hacker 
community to secure its networks. So would you support the 
establishment of a fund at SBA or NIST or CISA to support small 
businesses that want to partner with bug bounty programs and 
identify and repair weaknesses in their cyber defenses?
    Ms. CORNISH. Certainly. That is a wonderful idea.
    Mr. PHILLIPS. I like those easy answers. Thank you.
    Ms. Todt, how do you feel about that notion?
    Ms. TODT. I can continue to make it easy for you. 
Absolutely, because I think small businesses need to be told 
not only what to do but what is going on and the reasons behind 
that. And I think the bug bounty programs help to demonstrate 
where the threats are coming from. And as Graham said earlier, 
if they can understand that approach, then they have a better 
education for their employees, as well as for the businesses 
themselves.
    Mr. PHILLIPS. Wonderful. I appreciate that and happen to 
feel the same.
    Ms. Nichols, I want to thank you for your services that you 
are providing to your community. You are bridging the gap for a 
lot of businesses who need guidance about how to protect 
themselves and their customers from malicious attacks.
    Not long ago I Chaired an Oversight and Investigations 
Subcommittee hearing that examined the challenges facing small 
businesses seeking to adopt a CMMC certification and enter into 
Defense Department contracts. At that hearing, we learned that 
when the initiative is fully implemented, it has the potential, 
the likelihood to shut out small firms who lack the expertise 
or resources to navigate that certification process. So if this 
Committee considers legislation empowering SBDCs to lead 
cybersecurity outreach to small businesses, how would you 
recommend that we instruct SBDCs to incorporate guidance about 
CMMC into their outreach and training?
    Ms. NICHOLS. Thank you for the question.
    So last year, our association embraced the CMM model and we 
recognize that we would not ever provide the certification 
piece of that but we felt that their levels one through three 
is something that we could embrace on the education piece. And 
so we have worked with our association to develop a training 
model to prepare the small businesses so that they will be 
prepared, maybe not just for the DOD or defense contracts or 
contracts with the federal government, but also just the 
general small businesses.
    So to prepare the SBDCs, I think that we are already on 
that pathway because we did recognize that this would be a good 
partnership and I hope that answered that question.
    Mr. PHILLIPS. No, it did. Absolutely.
    And I just want to thank our Chairwoman and Ranking Member 
for holding this hearing. I cannot help but think that this 
issue is going to grow in importance and it is our 
responsibility to ensure that small businesses can defend 
themselves and, of course, their customers.
    So with that, I yield back.
    Chairwoman VELAZQUEZ. The gentleman yields back.
    Now we recognize the gentleman from Pennsylvania, Mr. 
Meuser, Ranking Member of the Subcommittee on Economic Growth, 
Tax, and Capital Access for 5 minutes.
    Mr. MEUSER. Thank you, Madam Chairman. And thank you to our 
Ranking Member.
    So, certainly an interesting conversation. Interesting 
hearing. In 2020, I think it is no surprise to any of us that 
ransomware attacks were up double, over 102 percent. So let me 
ask, let me start with Mr. Dufault, if I can.
    The cyber attack, cybersecurity insurance I understand is 
through the roof as far as expense goes. So is there any group 
plan that any of your organizations perhaps work to try to 
bring down that cost and create that as an opportunity for 
businesses?
    Mr. DUFAULT. I think, absolutely, thank you for the 
question, Congressman. Cybersecurity insurance is very 
expensive. I think Ms. Todt might have a good handle on this as 
well. But for our member companies, they are looking for 
affordable options here and they are looking for--and also as 
Ms. Todt pointed out, $4 million is what it costs a small 
company to have a cyber incident. So the level of investment 
and the frequency with which our member companies are targeted 
kind of leads us to believe that we are going to have to invest 
a little bit more, even though we are small companies. And so I 
will just say that, you know, they are willing to invest a lot 
in cybersecurity insurance and in other measures but we are 
definitely looking for those plans that will be group plans or 
other ways of making the risk pool a little more affordable.
    Ms. TODT. If I may add to that. So I think cyber insurance, 
it is a challenging sector right now. The Cyber Readiness 
Institute has focused a lot on it this year. The challenge is 
that if you are a small business and you do not have cyber 
insurance you are often seen as being negligent. But if you are 
truly evaluating on an ROI perspective, it does not always make 
financial sense.
    There is a great opportunity for the insurance industry to 
step up to say you have to do these basics in order to be 
covered. That will both help the premiums stay down and it will 
also create a momentum shift in doing the basic cyber standards 
without having to talk about regulation or anything like that. 
It is the choice. It is like a good driver discount. If you do 
well by these standards then we will cover you. And I think 
that is where the insurance industry really has an opportunity 
to improve what it is doing.
    Mr. MEUSER. I imagine the IT companies as well would find 
some protection measures by charging for added security. And I 
know that is certainly occurring as well.
    In my district it is not like any other. I have many small 
businesses, medium sized businesses, large businesses getting 
hit, some more than once. Some pay, some do not. And they work 
their ways around it but usually at quite a cost. Sometimes 
just being shut down for 6, 7, 8 days. So it is a serious 
issue.
    I want to just backtrack for a moment. We had a hearing 
with the Department of Defense, Cybersecurity Maturity Model a 
few weeks back and we saw that small businesses that made for 
the defense industry, it was very difficult to get the type of 
levels of security that they wanted. In fact, I have one 
business in my business that spent over $100,000 and they are 
not even exactly sure what level that they are. They think they 
are at level three. So it is discussed in the Mississippi SBDC 
how small businesses would, or I guess my question is, are your 
models helping gain compliance for the DOD?
    Ms. NICHOLS. So ours is through education and training 
because we cannot, and we can also provide guidance so that we 
can say, you know, here is our situation. We can give them some 
information. Again, we cannot provide that certification but 
the education piece, and we have really outlined it so that it 
is very clear. We have created training specifically right now. 
All it is posted is for level one because we believe that is 
basic hygiene. And it is raising that awareness. And to 
reiterate, it is important that they have that basic 
understanding so that they can get that certification. A lot of 
people do not think it is attainable because they do not 
understand. And if you can educate them that it can be very 
simple but yet very effective to get them to that level one 
through level three.
    Mr. MEUSER. Okay. All right. Thanks, Ms. Nichols.
    Ms. TODT. Congressman, if I may just add a quick point to 
that because we are actually working with Cyber Hawaii and the 
Department of Defense to create a primer to help small 
businesses get ready for CMMC. And it is taking that point 
where most small businesses are, which is with no 
understanding, and getting them ready for CMMC. And it is a 
model that we hope to be able to replicate across the country 
because it addresses the points that you are calling out which 
it can be very costly and take a lot of time without the right 
preparation.
    Mr. MEUSER. Last quick question. I am out of time.
    Does cryptocurrency affect this whole situation?
    Ms. TODT. I think an unregulated monetary currency that is 
being used for a malicious and criminal act cannot be expected 
to be a positive force. If we are using cryptocurrency, it 
should be regulated along other international monetary sources.
    Mr. MEUSER. Thank you, Madam Chairwoman, I yield back.
    Chairwoman VELAZQUEZ. The gentleman yields back.
    The gentlelady from Illinois, Ms. Newman, is recognized for 
5 minutes.
    Ms. NEWMAN. Thank you, Madam Chair, and thank you Ranking 
Member for putting this discussion together. Very helpful. And 
thank you to our guests, illuminating and really helping us 
understand the gravity and depth and width of this problem.
    So mine is pretty simple, my line of questioning, and I 
think it is likely for Mr. Dufault or Ms. Todt. So we are 
looking at all these things to help small businesses. I think 
all the suggestions today have been fantastic and we should 
look at it as a Committee for sure to see if there is 
legislation there to support small business.
    My question is the other lane. So deterrence. Right? So how 
is the SBA and all of these organizations represented here 
working with law enforcement, whether it is FBI or CIA, once 
these attacks occur, are they following them? Are they tracking 
them? Are they investigating? What is happening there? And then 
do you have any suggestions around deterrents? And what would 
that model look like?
    I will ask Mr. Dufault first.
    Mr. DUFAULT. Thank you for the question, Congresswoman.
    I think when it comes to the deterrents, one idea that we 
talked about here and some of the witnesses mentioned was sort 
of creating a clearinghouse for information sharing through SBA 
but perhaps co-locating it with Department of Homeland Security 
so that it is rapid intelligence sharing and that the Federal 
agencies are on the same page. With that kind of apparatus that 
kind of says to cybercriminals, well, I guess there is a good 
mechanism in place for folks to learn about what I am trying to 
do to deceive my intended targets. And that, in and of itself, 
can be a little bit of a deterrent because suddenly you are 
talking, back to cybercrime as a business, you are increasing 
the cost of the attack because you might have to do a little 
bit more to try and trick that one person that you need to fool 
to get into the network. So that can go towards deterrence. And 
sort of co-locating the SBA center with DHS can help advance 
threat sharing and SBA's role as just sort of a facilitator of 
information getting to law enforcement agencies is maybe the 
appropriate role for SBA as well.
    Ms. NEWMAN. And then Ms. Todt?
    Ms. TODT. Yes. Building off of that, I think when we can 
share the techniques, tactics, and procedures, the TTPs with 
other businesses then they are aware of what needs to happen. 
And I think that is one of the challenges that we have had, and 
we saw this with Colonial Pipeline when Colonial did not share 
what was going on the government was not able to then 
distribute that TTP that was being used. And, oftentimes, what 
we learn from large businesses we can apply to small 
businesses. And so to Mr. Dufault's point, sharing the TTPs.
    Also, when we talk about deterrence, we have to prosecute 
criminals. The biggest challenge we have right now is that 
ransomware is going to continue to be a very lucrative business 
because you can do it without getting prosecuted and having any 
repercussions. And so particularly for small businesses, this 
is one of the challenges. And this is also why reporting 
incidents and also when there is ransomware that particularly 
small businesses have to pay to stay viable, being able to 
share that with the government so that you can help to 
prosecute the criminals, this gets us to a better place. 
Obviously, we have talked about all the liability protections 
that come with that but we are only going to be better if we 
have better exchange of the attacks that are being used and the 
tactics and the techniques.
    Ms. NEWMAN. So if I may follow up, and either of you can 
answer, is it that companies, small businesses are not 
reporting these? Or is it that when reported they cannot be 
investigated for whatever reason or are not being investigated? 
Is it both or is it either?
    Ms. TODT. You go first.
    Mr. DUFAULT. Yeah, Congresswoman, I think it is both. There 
is a real reluctance I think among small companies to notify 
authorities and to notify maybe others of either an 
unsuccessful or a successful attack, especially the successful 
attacks because they are sort of an automatic conclusion that 
folks draw fairly or unfairly that the company that is subject 
to a successful breach was not taking the proper measures to 
secure their networks. And so there is a lot of underreporting 
I think.
    Ms. NEWMAN. I think that needs to be a part of any 
communication or kit that any of your organizations put out, 
SBA puts out, and we can follow up. And if you can include 
those recommendations in the recommendations that Congressman 
Mfume talked about, I think that that would be great for the 
Committee to take up as a whole. So I do appreciate your work 
and thank you for sharing today. And I yield back.
    Chairwoman VELAZQUEZ. The gentlelady yields back.
    Now we recognize the gentlelady from New York, Ms. Tenney, 
for 5 minutes.
    Ms. TENNEY. Thank you, Chair Velazquez and Ranking Member 
Luetkemeyer for this, and to our witnesses. I really appreciate 
you being here.
    I have a couple of questions. First, Ms. Cornish, in your 
testimony you described your newest initiative surrounds the 
critical lack of skill diverse cybersecurity professionals to 
protect critical infrastructure and essential services. Do you 
find that this shortage is in urban and rural communities? And 
how can we meet those needs? And I am particularly curious 
because we are looking at rural broadband in our communities 
and trying not do, based on a municipal level, just like we 
have municipal electricity and others, and that is going to be 
particularly interesting to us as we move into that realm. And 
how is that going to be something your taskforce is going to be 
looking into?
    Ms. CORNISH. Certainly. I think that is a huge challenge, 
the lack of broadband, especially in rural communities, 
especially when you are thinking about small and medium-sized 
businesses. And really, how the workforce is distributed; 
right? You want to make sure that your rural areas are still 
competitive for that.
    So our main task in the workforce initiatives is really to 
connect the dots. We have 17 centers of excellence in Maryland 
alone for cybersecurity, yet we have 19,000 unfilled positions. 
So for us, it is really creating comprehensive and wraparound 
services and connecting those who are doing the training with 
those who really need the work. And to the point made already, 
in small businesses it can be really challenging to take on 
that training yourself. It can be challenging to have the 
manpower to do that training and to support that. So we are 
really looking to see how we as an association can take away 
and kind of pool together all of our resources to put less onus 
on the small businesses who really need that workforce.
    Ms. TENNEY. More and more small businesses are going to be 
depending on this rural broadband that we are trying to 
explore, and actually, we have a test site in my own community 
of Sherburne, New York, where we are going to be having 
municipal broadband opportunities which we are trying to do 
anything to minimize the risk of cyber attacks which is my 
concern, and also on this, and I would like to address it to 
the other witnesses. I know that SBA is going to be designated 
as the single Federal entity for the small business 
cybersecurity information sharing.
    I have a concern though. I come from New York State and 
there was a point in time where we consolidated all of our 
services, including all banking and insurance into the New York 
State Department of Financial Services and we felt that that 
could put us at great risk for cyber hacks because the 
government typically does not have, and the taxpayers are 
paying for maintenance of this when banks were spending 
billions of dollars to protect their customers. Because of the 
liability and insurance was referenced before, how can we make 
sure that SBA is going to be able to handle this kind of burden 
and making sure that our small businesses are going to be 
protected when you are consolidating this type of issue? I do 
not know if you want to address it, either Mr. Dufault or----
    Mr. DUFAULT. Sure, Congresswoman. It is a great question. 
That is one of the reasons that you see some hesitancy among 
the member companies and other small companies that are being 
asked to share data with Federal agencies. The question is, 
well, we have seen the recent headlines where other Federal 
agencies and maybe SBA have been the victims of compromise. So 
they want to be assured, basically, that these Federal agencies 
are taking the steps that they need to take to ensure that that 
data is protected adequately and that all of the personnel that 
work at these agencies are observing the proper protocols 
because as we have discussed throughout this hearing, all it 
takes is just the one employee that has the weak password or 
that otherwise makes the wrong move to compromise the network. 
And so, anything that the Committee can do to ensure that there 
are greater resources, more accountability and other levers 
that would ensure that the agency is taking the proper 
precautions, those would help our cause quite a lot.
    Ms. TENNEY. Yeah. Thank you. Because I have concern as a 
small business owner. We obviously spend a lot of money in 
making sure we do not get hacked. We have a lot of heavy data 
downloads in our business. And so to be hacked at some point 
and finding out that it is SBA without any duplication of 
protections or redundant storage areas, where are we going to 
be? And that concerns me.
    I do not know if anyone else wanted to weigh in on it.
    Ms. TODT. If I may, Congresswoman. Yes.
    Ms. TENNEY. I have got 30 seconds left.
    Ms. TODT. Yes. Absolutely. I think certainly when we talk 
about a single point of success, it is also a single point of 
failure. But that is really what the new money and the new 
authorities for CISA are supposed to address. And I believe if 
we look at agencies, SBA is not going to be the only agency 
that has this type of responsibility and this type of 
challenge. And so what we should expect and you are seeing some 
of the beginnings of this happen already, which is looking at 
how CISA will work with the agencies to ensure that there is 
that redundancy and that resilience built in. Because, as we 
know, small businesses cannot afford to not have that safety 
net. But again, with those additional authorities, this is not 
going to be SBA on its own. It will be SBA in collaboration 
with the other cybersecurity infrastructure and the federal 
government.
    Ms. TENNEY. Thank you. I appreciate it. Great testimony. 
Thank you.
    Chairwoman VELAZQUEZ. The gentlelady yields back.
    Now we will recognize the gentlelady from Pennsylvania, Ms. 
Houlahan, for 5 minutes.
    Ms. HOULAHAN. Thank you, Madam Chair. And thank you to 
everybody for joining us today. And I think I would like to 
follow up on many of the different lines of questions that we 
have heard today. They all seem to have a real common thread. 
One is to try to understand how much of all of this has to do 
with just changing culture and changing the ways that people 
perceive their responsibility and their role in cybersecurity 
for their companies. I am trying to suss out, you know, that 
seems to be a very large part of the problem. And then kind of 
the other 20 percent of the problem seems to be what kind of 
software and hardware that you should have and you should 
invest in the types of teams that you should have to be able to 
protect from the rest of the 100 percent of the universe. My 
understanding is that is in the thousands of dollars of range 
in cost. My understanding is that the consequences is in the 
millions of dollars of range in cost. My other understanding 
having run and owned and operated a lot of businesses and been 
responsible for IT is that there is a need for seats or logins 
for some subset of software that people do not have the ability 
to afford. Is there any sort of universe where, imagine a 
cloud, imagine, you know, certified or approved vendors that 
are part of that cloud that the Small Business Administration 
can administer or some other organization can administer that 
would allow you to pick up logins rather than seats so to 
speak, you know, to be able to defray the costs that small 
businesses are experiencing in their cybersecurity? Is that 
something that already exists and I just do not know about it? 
Is that something that could be useful to design is sort of a 
clearinghouse of software that would defray the costs for 
smaller businesses?
    And I guess, Mr. Dufault, you seem to be doing most of the 
conversation on that. And we will start there.
    Mr. DUFAULT. Thanks, Congresswoman.
    It is a good idea. And I think there could be a role for 
SBA there, whether it is providing just a grant program or 
funding or something more hands-on where the agency is sort of 
designing a fulsome sort of program. So I think it is worth 
discussing. It is a good idea and I think we would want to just 
continue to engage on this because it is a need that was 
identified sort of by a couple of our member companies and 
that, you know, I think it is worth further discussion probably 
at this point. Yeah.
    Ms. HOULAHAN. Okay. Thank you.
    Ms. Todt?
    Ms. TODT. Thank you. It is actually something that we are 
hearing from small businesses at the Cyber Readiness Institute 
because we do not advocate for vendors but we are hearing we 
need to have a clearinghouse to know which ones to turn to or 
at least the general categories. And it is something that we 
are looking at this year because we want to be prescriptive and 
not leave everybody in the dark and recognize that when you 
outsource the function as a small business, you still have a 
responsibility and you do not outsource the responsibility.
    If I may address your question about culture. I do think 
this is the 80 percent component of cybersecurity, particularly 
for small businesses. And cultural change takes a lot of time. 
If we think about, we have all heard the analogies, seatbelts. 
It was inconvenient for a long time and then you saw the safety 
requirements. Or if you even make the analogy to physical 
hygiene and health, we are not doctors, but we have learned 
over time from doctors that we should have certain tests taken 
on a regular basis. And so you do not need to be an ID 
specialist to know that these are the basics that need to 
happen.
    And we have talked a lot about workforce training. And to 
your point about culture, I think it is important when we see 
all these cybersecurity positions that people out there 
recognize it is not just about math and science. Cybersecurity 
is interdisciplinary and we need capabilities and 
qualifications in sociology, history, politics, psychology, 
that those all play into this so that the workforce that we are 
talking about for cybersecurity is much larger than I think we 
conceptualize because it is not just math and science.
    Ms. HOULAHAN. Ms. Cornish, anything?
    Ms. CORNISH. Certainly. We have experience curating these 
lists by business protocols and also specific needs. So if you 
would like to speak further about building this clearinghouse, 
I would be happy to answer that more specifically.
    Ms. HOULAHAN. Thank you. I appreciate that.
    And with what is left of my time, I want to focus on a 
piece of legislation that I am a co-sponsor of, the Small 
Business Development Center Cyber Training Act of 2021, which 
would certify 5 or 10 percent of the number of employees of a 
small business development center to provide cybersecurity 
assistance to small businesses. If enacted into law, this 
program would provide expertise to small business owners on the 
proper steps towards cybersecurity.
    With my last remaining seconds, what are some of the best 
practices that SBA could showcase their cybersecurity efforts 
on? Do you know also similarly of best practices that the DOD 
has had? How can we encourage interagency best practice 
sharing?
    Ms. TODT. If I may, this is what the Cyber Readiness 
Program is. We focus on four issues. Strong authentication, 
which is a pass phrase of 15 characters or more. Phishing 
training. Not using USBs but instead looking at the cloud. And 
software updates. Helping individuals understand that every 24 
hours they should actually download the patch. Those are our 
foundation and I am certainly happy to talk to you more about 
that because this is the core of how we can help small 
businesses and I commend the act and the legislation.
    Ms. HOULAHAN. Thank you.
    And with that, I yield back, Madam Chair.
    Chairwoman VELAZQUEZ. The gentlelady yields back.
    Now we recognize the gentlelady from California, Ms. Young 
Kim, Ranking Member of the Subcommittee on Innovation, 
Entrepreneurship, and Workforce Development.
    Ms. KIM of California. Thank you, Chairwoman Velazquez and 
Ranking Member Luetkemeyer for holding this important hearing. 
And I want to thank the witnesses for being with us today to 
discuss the ways of strengthening our cybersecurity for small 
businesses.
    I am very troubled by the increase of cyber attacks. They 
just seem to be designed not only for monetary purposes but 
also to instill distrust in our economic system and our 
institutions. Just between 2019 and 2020, our country saw 400 
percent in cyber intrusions. Successful cyber attacks on our 
small businesses also discourage future entrepreneurs from 
establishing a small business and creating jobs. Some estimate 
that 60 percent of small businesses go out of business within 6 
months of a cyber incident.
    So let's think about that. Cyber attacks are putting 6 out 
of 10 of our entrepreneurs out of business. So given this 
urgency of the moment, I was happy to join my colleague, 
Representative Crow, to introduce the SBA Cyber Awareness Act 
to find ways to improve the SBA's cybersecurity infrastructure 
and share information with Congress if there is a reasonable 
basis to believe that a cybersecurity incident occurred at the 
administration.
    Let me pose the question to all witnesses. Let me start 
with Mr. Dufault.
    In your testimony, you indicated that threat-sharing for 
small companies is complicated because usually they lack the 
resources to join and participate in information sharing at 
analysis centers. Can you elaborate on what can Congress do to 
incentivize higher participation of small businesses in NCCICs?
    Mr. DUFAULT. Thank you, Congresswoman. It is a difficult 
task to create an incentive that would really cause small 
companies to participate in a robust way in these information 
sharing enterprises. One of the ways that we can at least start 
on that task is to provide potentially additional liability 
protections at least, right, because the couple of issues that 
small companies face when they are being asked to share 
information about the threats that they receive or even 
incidents that they are victims of is that, number one, the 
reputational fallout will cost quite a lot of money, over and 
above the cost of actually remediating the breach, and then 
number two, it is just a matter of am I going to be liable for 
anything associated with sharing this information? Whether it 
is a privacy cause of action or just simply that they did not 
take the precautions necessary to protect their networks. And 
therefore, they run afoul of data security laws in the states 
or at the Federal level, the Federal Trade Commission Act. So 
it is the liability and the reputation. And so a good start is 
to help them defray some of that potential liability.
    Ms. YOUNG KIM. Ms. Todt, could you briefly elaborate on 
that, too?
    Ms. TODT. Thank you.
    I think the other piece is that when we look at the supply 
chains that small businesses are a part of, there is a 
responsibility on the larger companies to work with them to 
incentivize because those large companies, as we saw with 
SolarWinds and Kaseya, can be taken down if the small businesses are 
vulnerable. And there is a better infrastructure of support 
that can happen within supply chains. And I think as we have 
seen the interdependencies grow with the digital economy, this 
is another opportunity to incentivize that engagement, that 
threat sharing. We work with large manufacturing companies and 
one of them has put out very specific efforts and information 
to their small businesses to help them understand where the 
threats are but also to facilitate that sharing because they 
know that as a large company, if their small businesses get 
taken down that will affect them. So there is more 
responsibility and collaboration that can happen across supply 
chains than we have seen before.
    Ms. YOUNG KIM. Thank you very much.
    You know, I am a big proponent of advancing STEM education, 
especially with underrepresented communities to increase our 
21st Century talent pipeline and our economic competitiveness. 
So I am sure you understand the importance of STEM education 
and computer science in training and expanding our 
cybersecurity workforce.
    How could our small businesses and our economy benefit from 
increasing the cyber workforce?
    Mr. DUFAULT. Thank you, Congresswoman.
    One of the most significant problems my member companies 
face is access to folks that are trained in software 
development or computer science more generally. And so my 
member companies would benefit quite a bit I think from 
investments in K-12 education, but also in workforce 
development programs.
    I mentioned earlier that some of our member companies 
developed these training programs on their own but there is a 
role for Federal investment as well and that is why we support 
the Computer Science for All Act and also the Master Teacher 
Corps, which is a training program for K-12 educators to 
provide computer science education.
    Ms. YOUNG KIM. Thank you. I see that my time is up. I yield 
back.
    Chairwoman VELAZQUEZ. The gentlelady yields back.
    Now we recognize the gentleman from Louisiana, Mr. Carter, 
for 5 minutes.
    Mr. Carter, you need to unmute.
    Mr. CARTER. Yes, thank you.
    Madam Chair and Ranking Member, thank you very much for 
giving us this opportunity for this hearing. Much has been said 
and many questions have been answered. But Ms. Cornish, if you 
could perhaps touch on this and any other member, maybe Ms. 
Todt can as well.
    We know that we obviously are concerned about small 
businesses and making sure that they have the security to 
operate their businesses via Internet, and cybersecurity is 
certainly an issue that touches us all. I know my credit card 
has been breached several times with large companies. I will 
not say what the company is but I will say that it has been 
breached. And I know that they have all of the algorithms, all 
of the security known to man to secure them. I know that cities 
have had their systems breached. The City of New Orleans has 
had ransomware. What have we learned from what the large 
companies are doing that we can pass on to our smaller 
businesses, best practices, if you will. Even at their highest 
level of security they have still been caught in ransomware and 
cybersecurity threats.
    Ms. CORNISH. So I would reiterate the importance of human 
behavior and training of our staff and our employers because in 
addition to being our largest threat, they are also our largest 
defenders. So we can empower them to treat data care instead of 
cybersecurity and empower them to protect the data they are 
entrusted with.
    Additionally, I think the thing that has not been belabored 
here a lot but as documented policies and procedures, there are 
many holes that we are missing simply because there are not 
checklists or we do not really understand all of our assets 
that we are managing. So I think documentation and training is 
key in this.
    Mr. CARTER. But could you elaborate? If we talk about the 
larger companies that have a robust security system where they 
are empowered with significant tools to counteract these 
threats, yet they are still caught in the lurch, if you will, 
what can we as Congress, what can SBA, what suggestions would 
you give us that we can aid in this battle? Because obviously, 
on many fronts we are losing.
    Ms. CORNISH. Sure. I think Ms. Todt's outline of the Cyber 
Readiness Institute does a great job of how we can empower our 
employees because, again, that is really our biggest threat.
    Mr. CARTER. Ms. Todt, can you weigh in, please?
    Ms. TODT. Sure. I think, you know, the good news and the 
bad news is that these large companies are getting breached by 
very basic attacks. So when we look at Colonial Pipeline, they 
were breached because they were not using multi-factor 
authentication, and they actually did not need to shut down the 
pipeline. They were just worried about getting paid because 
their payment system shut down. And so that showed the 
interdependency of the systems and the importance of separating 
IT technology with your operations. And so those lessons, the 
sophisticated attack of a nation state adversary is separate 
and distinct, but when we have seen the other issues with 
SolarWinds and others, those are getting breached through 
authentication. Through network access. And so what we are 
talking about for small businesses, obviously at a smaller 
level, really holds true for the large businesses as well. And 
that is where I think we have learned the most from these 
breaches over the last 6 to 12 months is that we have got to 
create those basic standards in helping businesses do all of 
those. And this is, again, we talked earlier about where I 
think insurance companies can play a role and others to have 
those incentives so that those basics become a requirement for 
further resilience.
    Mr. CARTER. And real quickly before my time expires. As a 
member of Congress with tons of small businesses throughout my 
congressional district, what can we do in the way of Town Hall 
meetings or ways of better educating our small businesses in 
our communities to utilize these resources? Are there leave 
behinds? Are there handouts? Are there things that we can do? 
We often do Town Hall meetings for various issues. This could 
be one that certainly can benefit our small businesses. What 
suggestions would either of you have as to how we could better 
serve and provide resources? You have about 43 seconds.
    Ms. TODT. What we have seen, what we are hoping to see with 
CISA and with SBA is this collaboration of resources focused on 
human behavior. So taking the work of the nonprofits and making 
those available to you so that when you go to these town 
meetings there is a simple, accessible, basic protocol. These 
are the things you need to be doing on your personal devices as 
well as your professional devices, an education campaign that 
does this.
    One of the points in my testimony talks about an awareness 
campaign. If we get every business to use multifactor 
authentication, the decrease in cyber attacks would be 
exponential.
    Chairwoman VELAZQUEZ. The gentleman's time has expired.
    Mr. CARTER. Fantastic. Thank you very much.
    Chairwoman VELAZQUEZ. Now we recognize the gentleman from 
New York, Mr. Garbarino, for 5 minutes.
    Mr. GARBARINO. Thank you, Madam Chair and Mr. Ranker for 
holding this hearing.
    As the Ranking Member on the Cybersecurity Subcommittee, 
Department of Homeland Security Committee, I have learned a lot 
over the last 6 months about cyber attacks and ransomware, 
which is why I have worked on several pieces of legislation.
    Ms. Nichols, this question is for you. Yesterday, I 
introduced H.R. 4515, the Small Business Development Center 
Cyber Training Act. I am honored to have the support of my 
fellow colleagues on the Committee here, Mr. Evans and Ms. 
Houlahan, and I encourage others on the Committee to co-sponsor 
this bipartisan piece of legislation.
    Small businesses often lack the resources or technical 
knowledge to prevent cyber attacks, and with the high cost of 
hiring specialized employees and cybersecurity experts, it can 
be difficult to bridge the sizeable education gap. My bill 
would help small businesses get the information they need to 
implement their own cyber strategy and take appropriate steps 
in the event of a cyber attack against their business.
    Ms. Nichols, given your position as the state director of 
the Mississippi SBDC, would you share your thoughts and provide 
feedback on the bill, the Small Business Development Center 
Training Act, please?
    Ms. NICHOLS. Thank you. I have not reviewed the whole bill. 
I was given a little bit of information this morning in regards 
to that. However, just like Ms. Todt and several of the other 
people said, communication and education and the consistent 
messaging is very key. And I think that raising the awareness 
to be able to be that voice for the small businesses and given 
that information, I think we are at this time where we need to 
create those base standards and create an information--I do not 
want to say an overload--but be very consistent in how we 
provide the information to our small businesses.
    And as an SBDC, we have to serve all 82 counties of 
Mississippi and so it is not just rural. It is every aspect. 
And it does not matter if it is a small business, medium-size 
business, or large business, they are still at risk. And I 
think it is very important and we appreciate that the 
government is passing this legislation or is attempting to in 
proposing these bills because it is so imperative that our 
companies are prepared for cyber.
    Mr. GARBARINO. And we feel that since you already have the 
employees and have been coming up with this program where your 
employees, or at least a number of them are trained to address 
these cyber issues with small businesses, especially ones that 
you are helping develop and create and get started up, that 
this would be very helpful.
    I want to move to Ms. Cornish and Ms. Todt. You talked 
about, in your testimony, Ms. Todt, you talk about doing a tax 
Credit. Ms. Cornish, you run an agency that deals with tax 
credits. One thing I have seen is major corporations and 
governments can spend a lot of money on cybersecurity. Small 
businesses, they cannot. They cannot hire a dedicated person. 
And it is not just about best practices. You know, okay, making 
sure that you change your password. That is one thing that we 
have to do and CISA has been great with that in coming up with 
best practices and what businesses and small governments should 
do, local governments should do. But there is also a cost of 
keeping your system upgraded. You cannot just buy a good piece, 
the best piece of equipment today because 6 months from now or 
3 weeks from now it is going to be outdated. That is a heavy 
cost especially for small businesses. Is a tax credit the best 
way to help offset that cost? What is the best way to do this? 
And Mr. Dufault, you can jump in, too, if you have an answer.
    Ms. CORNISH. For us, it was a great place to start, but 
certainly, I think there needs to be more incentive, financial 
incentive, perhaps I heard some mention of grants, projects to 
get that off the road because, as you mentioned, it does take 
money to maintain it but there is certainly a lot of startup 
costs that that could help defray as well.
    Ms. TODT. Tax incentives are certainly not the only answer. 
One of the things that we were looking at particularly with the 
pandemic was could you use some portion of the PPP loans that 
could turn into a grant if it were used towards cybersecurity. 
And so looking at the tools available to small businesses for 
money to incentivize them to allocate a percentage towards 
cybersecurity. And I think it is a piece of the pie in all of 
this and we have just got to find those tools that together can 
help incentivize small businesses to be motivated to invest and 
to understand why they need to be, the role that they have and 
their vulnerabilities.
    Mr. DUFAULT. I will mention, Congressman, it is a great 
question and we are supportive of H.R. 4515. When we were 
preparing it did not have an H.R. number yet but happy to see 
that. And we are supportive. We were supportive last Congress, 
too, of substantially similar legislation. So tax credit is a 
great idea. I also do not want to underappreciate what our 
member companies rely on when it comes to a software platform. 
So app stores and operating systems and the ways in which they 
harden those systems and ensure that unvetted software is not 
accessing personal data, not accessing device features and 
things like that, these are baseline practices that software 
platforms use and that our member companies sort of rely on at 
this point to ensure that there is protection from threats in 
the mobile space in particular. And so that is a piece that I 
think we want to make sure is on the record here. And so to 
ensure that the Committee is sort of on the lookout for 
proposals that would make it harder for companies to use those 
measures.
    Chairwoman VELAZQUEZ. The gentleman's time has expired.
    Now we recognize the gentlelady from Georgia, Ms. 
Bourdeaux, for 5 minutes.
    Ms. BOURDEAUX. Thank you so much. And thank you to our 
witnesses for joining us to discuss an issue that really is top 
of mind for many small business owners, and large business 
owners, which is cybersecurity.
    In my home state of Georgia, we saw what happens when 
critical infrastructure is not secured from cyber attacks when 
the Colonial Pipeline attack left many of my constituents high 
and dry at the gas pump for several days. But the Colonial 
Pipeline is just one rather extreme result of cyber 
vulnerability. The Department of Homeland Security, Secretary 
Mayorkas said at a recent event that 50 to 70 percent of cyber 
attacks are aimed at small to medium-sized companies, costing 
an estimated $350 million in 2020. And this threat is not going 
anywhere anytime soon. Ransomware attacks against smaller 
businesses have increased 300 percent over the past year.
    Listening to some of the testimony and discussions today, 
it occurs to me that there are several ways that you can 
approach this. And there are a lot of great ideas out there 
about how to change the behaviors of small businesses, 
training, you know, all of that kind of outreach. And that is 
very, very important. But one other way to approach all of this 
is to require the software that is sold to small businesses or 
the products that are sold to them to be more conscious of 
security and ways to protect from breaches.
    And so I just wanted to check in with I guess Ms. Todt 
might be a good person to talk on this, are there recommended 
practices for software developers or for people who are selling 
to small businesses to help protect them from cyber attack?
    Ms. TODT. It is an important question and it is something 
that we have spent a lot of time looking at. So to your point, 
right now, the market does not incentivize security. It 
prioritizes first to market, convenience, ease of use, before 
security. As a result, we are seeing software go to market that 
has holes and bugs in it that is not being secure. When you 
look at the research that has been done, it is absolutely 
possible to build secure software but the economic incentives 
are not there.
    So I commend what the Biden administration has done in the 
executive order, which is to look at software transparency, a 
software bill of materials to understand what goes into it, but 
as a nation and as a government, we have to create. This is 
where I do think regulations and standards around building 
secure software need to be discussed because right now if you 
look at where the vulnerabilities are coming from, often it is 
because of holes in the software. The Kaseya attack most 
recently was a result of that. And we have an opportunity to--
we call it secure by design, choose your phrase--but the idea 
is building that safety and security. Again, if we use the car 
analogy, we would not think about building a car without an 
airbag anymore. And we have got to be thinking about safety and 
security when it comes to software and hardware development.
    Ms. BOURDEAUX. Thank you. It is very, very difficult to 
change individual behavior at massive scale to deal with 
security. It is much quicker if we could catch it early on 
through the product itself.
    Just kind of on that vein, and I do not know, Ms. Todt, 
maybe you would have an answer on this or Ms. Cornish, what has 
been done in terms of the policing side of things? So one of 
the things we see an awful lot of is we have these attacks and 
then, you know, we get out from under it somehow, we deal with 
the ransomware situation, and then what kind of policing 
capacity do we have or do we need to build up in order to bring 
people who do this to justice?
    Ms. TODT. This is a huge gap in our defense right now 
because criminal actors are getting away with a lot of attacks. 
And whether it is a simple lone wolf in the United States or it 
is a nation state, but we have to be able to prosecute 
criminals who are committing these types of actions. If you 
think about Colonial Pipeline again, if someone had put a bomb 
in that pipeline to prevent the gas and jet fuel from going to 
the East Coast, we would have no qualms about what to do with 
that individual. Essentially by shutting down--I live in 
Virginia so I had a similar--we saw the lines a few blocks down 
the road. There was an impact and it was a psychological impact 
because people were afraid. And when we look at that type of 
impact, we have to think about what are the repercussions for 
these types of actions? And I think this is something that the 
United States just should not do by itself. This is where we 
would look to cooperate with our likeminded economic partners, 
our allies, to understand what are the boundaries and the lines 
that are being crossed for criminal actors, and what are the 
consequences for this type of activity? Because even though we 
are not seeing the immediate devastating effect if we look at 
SolarWinds, the repercussions continue to cascade. And this is 
why we have to create those boundaries and the definitions 
around what is a criminal act and what are the consequences for 
that act?
    Ms. BOURDEAUX. Thank you so much.
    I yield back the balance of my time.
    Chairwoman VELAZQUEZ. The gentlelady yields back.
    Now we recognize the gentleman from Minnesota, Mr. Stauber.
    Mr. STAUBER. Thank you, Madam Chair and Ranking Member 
Luetkemeyer for holding this. And to the panelists who spoke 
with us today. Very informative.
    As we have seen over the last few years, cybercrime is 
becoming more and more common. The cyber attacks affect our 
small businesses both directly and indirectly. Most recently as 
we talked about, the Colonial Pipeline was hacked by the 
Russians and created a huge gas shortage in the nation. Small 
businesses that relied on any sort of transportation or travel 
for daily operations were adversely impacted. While big 
businesses have the capital to proactively protect themselves 
from cyber attacks, as well as recover from them, small 
businesses do not have that same luxury.
    And so to the panelists, what can the federal government do 
to help small businesses protect themselves from and/or recover 
from cyber attacks? And does this assistance need to look 
different for small businesses with 10 employees versus 100 
employees and so on?
    Mr. Dufault, go ahead.
    Mr. DUFAULT. Congressman, that is a great question. 
Congressman Garbarino and Congresswoman Houlahan mentioned a 
bill that they just introduced which urged folks to support 
H.R. 4515, which would require the Small Business 
Administration to develop a certification program for SBA 
employees and then to deploy them to SBDCs (small business 
development centers), and to provide cybersecurity expertise 
and counseling for small companies in the area that they cover.
    That is one thing that the federal government can do, and a 
little can go a long way in that respect because a lot of small 
companies use SBDCs as sort of a clearinghouse for help in a 
number of different ways. Now, if you had personnel there that 
could help with cyber readiness but also, as you said, 
remediating after a breach, that would be very helpful and that 
is something that the federal government can do specifically 
for small companies.
    Mr. STAUBER. And I think that it is important to get that 
small business back up and running as soon as practicable 
because the days, I mean, you are losing a lot of money each 
day.
    If the other two witnesses would like to comment on that 
question, please?
    Ms. TODT. Sure. In addition to the piece of legislation 
that was introduced, which just to reiterate, I think really 
calls upon the resources of the Small Business Administration 
by using SBDCs and the effectiveness of that. One of the things 
that we recommend in a white paper at the Cyber Readiness 
Institute earlier this year was an opportunity to curate the 
resources that are out there. There are a lot of nonprofits, a 
lot of organizations that are looking to help small businesses. 
But if you are a small business, and this goes to another 
question, that has been attacked, you often do not even know who 
the first call should be. Is it an IT provider? Is it the local 
police? And just being able to provide a prescriptive roadmap 
for small businesses on incident response plans as well as what 
to do when attacked, I think that this is something that CISA, 
in coordination with the SBA, could just provide a resource and 
curate those tools to help small businesses.
    Mr. STAUBER. Well said.
    Ma'am?
    Ms. CORNISH. I would just add to that, having a documented 
incident plan as mentioned is not often enough. People are in 
panic. They are not taking the proper channels. So supporting 
something or exploring something like we have in Maryland as a 
Federal Cyber SWAT team or, you know, even organizing it maybe 
at the SBDC level to have a response line to support small 
businesses when they are going through a breach, to connect 
them to the different types of resources they need.
    Mr. STAUBER. Yeah.
    And my last question, and this is specific to 
cybersecurity, specific. What would you caution the government 
from doing?
    Mr. Dufault?
    Mr. DUFAULT. One thing that comes to mind for us is, I 
mentioned this a minute ago where a lot of our member companies 
are specifically concerned with security in the mobile space. 
So what measures are we taking to harden our devices and to 
prevent unwanted software on our mobile devices? Because these 
mobile devices now have very sensitive personal information on 
them. Health care information, financial information, and then 
real-time location data. So all of the measures that software 
platforms take, (software platforms like the app stores and the 
operating systems) to ensure that unvetted software and 
software that has not been reviewed for security flaws is not 
inadvertently downloaded via clickbait or some other vector. 
Those are really important measures to be able to take. So I 
would caution the federal government not to overreach on 
antitrust, for example, because these are companies that are 
larger firms that have a lot of customers and they are sort of 
in the crosshairs right now when it comes to antitrust. There 
are proposals in House Judiciary that would make it illegal to 
take those measures to prevent access to personal data on 
antitrust grounds. And we are very concerned with those.
    Mr. STAUBER. Thank you. My time is up. And thank you very 
much, and I appreciate this opportunity.
    Madam Chair, I yield back.
    Chairwoman VELAZQUEZ. The gentleman yields back.
    The gentlelady from Texas, Ms. Van Duyne, Ranking Member of 
the Subcommittee on Oversight, Investigations, and Regulations, 
is recognized for 5 minutes.
    Ms. VAN DUYNE. Thank you. Thank you much, very much, 
Chairwoman Velazquez and Ranking Member Luetkemeyer.
    Yesterday, the Biden administration announced China was to 
blame for the sweeping cyber attack on Microsoft earlier this 
year that left hundreds of thousands of small businesses 
vulnerable to cyber intrusion. And then just a month ago 
Russian hackers were able to cripple operations at both the 
world's largest meat supplier and one of the largest pipelines 
in the United States. In 2021 alone, cybercrimes could cost $6 
trillion, which would make it the third largest global economy.
    Cybersecurity, for a number of reasons, is very, very 
important for small businesses, both real and rapidly 
intensifying as we have heard today. It is a new way for our 
adversaries to wage war. Companies need to be ready and we must 
determine the appropriate role for the federal government in 
prepping the businesses that we serve as the engine of our 
economy. And while the need for improved cybersecurity is 
clear, adding too many requirements can be overly complicated 
and counterproductive. And one example is the DOD's new 
cybersecurity assessment framework (CMC). Last month, the 
Oversight Committee, which I serve as the Ranking Member, we 
held a hearing to review this program. And one image that just 
stuck in my mind is the sheer amount of paperwork that was 
needed for a small business to complete just to be certified. One 
of the witnesses held up this three-ring binder that I swear 
took him two hands to hold up because it was just so intense. 
And pretty much most of their guidance was coming from LinkedIn 
because DOD and SBA simply were not helpful.
    So moving forward, we have to make sure that we have a simple 
framework, which is easy to understand, but also, companies 
need to know how they can be secure, who they can turn to for 
help and how to respond when they are attacked.
    I want to thank the witnesses all for being here today, but 
I also want to reiterate my concern that we are discussing such 
a significant small business issue without a representative 
from SBA present. And if we are going to have a collaborative 
solution to address this matter, it is crucial that SBA is here 
to at least demonstrate their willingness to discuss their 
plans. And I hope they can join us in the future.
    Ms. Nichols, in your experience working with small 
businesses, when they have an issue regarding cybersecurity or 
they get breached, who do they typically turn to for help? Is 
it the SBA or a private partner? And who do you believe they 
should turn to?
    Ms. NICHOLS. That is a good question.
    When they get to us, they are really not sure who to talk 
to. They do try to reach to a private industry and to have help 
with that. Because they do not initially think to refer to the 
government, specifically SBA, because they do not know the 
resources that are there and we would like to change that.
    Ms. VAN DUYNE. Okay. That makes a lot of sense.
    In your testimony, you said the average time--and this will 
still be for Ms. Nichols--you said the average time to identify 
and contain breaches is around 120 days. I am sorry, 280 days. 
Can you explain why it takes this long and how Congress can 
help to shorten that period?
    Ms. NICHOLS. Well, it has to do with they have to find it 
and they may not be prepared to figure out how to do that so 
they have to hire and it is very expensive. And it is just like 
any other IT issue. You have to rule out everything that is 
going on. And again, I am going to default to this. I am a 
state director. I do not run the department. And it is very 
challenging because when you deal with a small business who 
knows nothing and they have a data breach, that was not what 
their initial concern is because they are delivering a service. 
They are trying to make money. And so they are trying to still 
stay in business and mitigate that data breach and get past 
that. So that is just going alongside the business. And I am 
looking at this as a business approach. It does take a long 
time because they are not going to shut down while they try to 
deal with this. They are going to try to keep it as far under 
the table as possible and just keep moving forward. And it does 
take time. So it does take time for any other type of disaster.
    Ms. VAN DUYNE. So, no, I was not being critical that it 
took so long. I am asking how can Congress help to shorten that 
period?
    Ms. NICHOLS. Oh, I do not know. I do not know. Any other 
suggestions?
    Ms. VAN DUYNE. Yeah. I was not being critical. This is just 
how long it takes so what can we do to help?
    Mr. Dufault, overall small businesses are unprepared when 
it comes to cybersecurity. A recent report said that 70 percent 
of small businesses are unprepared for a cyber attack and only 
about half are allocating any money towards cybersecurity. With 
small businesses running on such tight margins, especially 
after a pandemic, how can we make it easier for small 
businesses to be prepared without breaking the bank?
    Mr. DUFAULT. It is a great question, Congresswoman. And 
again, I go back to H.R. 4515, which would provide some 
expertise via the Small Business Development Centers for 
cybersecurity. And by creating a certification program inhouse 
at the SBA, you are creating a Federal resource that can be, 
sort of that can reach a lot of small companies via on-the-
ground folks that are at the SBDCs. And so that would go some 
distance toward helping ensure that folks are aware of the 
current cyber threats but also the best practices that Ms. Todt 
has referred to on authentication, software updates, and just 
training around social engineering and phishing scams. So that 
is what I would point to.
    Chairwoman VELAZQUEZ. The gentlelady's time has expired.
    Now we recognize the gentleman from Wisconsin, Mr. 
Fitzgerald.
    Mr. FITZGERALD. Thank you, Madam Chair. Thank you very 
much.
    I do not want to rehash some of the earlier questions and 
kind of discussions but let me go back to the idea of the cloud 
and the applications associated with it. So maybe, Mr. Dufault, 
you could comment.
    Obviously, when COVID-19 struck, many of the businesses 
moved to remote work and it seemed like the only way for them 
to kind of survive what was going on. But they did switch up 
kind of their cloud applications at the time. And you know, in 
some instances that may have helped them streamline kind of 
their business practices and they may adopt those permanently 
now; right? But it also increased the security risk is the 
assumption that is being made by some, not all, who think maybe 
that is not the case. But you know, do you share those 
concerns? And you know, I think it is something that small 
business specifically struggles with because of not necessarily 
having the resources and the personnel and the ability to kind 
of track this on a regular basis. So I just wanted you to maybe 
comment on that.
    Mr. DUFAULT. Well, thank you for the question, Congressman. 
And it is something that we are concerned about. As more work 
is being done, more education is happening remotely, certainly 
during the pandemic, and as you said, going forward, more 
commerce I think, in general is going to be transacted in the 
cloud and on smart devices. And so it does point to the need as 
I mentioned earlier for us to allow software platforms, like 
the app stores and the operating systems to take measures to 
remove and keep out sideloaded software. That is where you 
click a link accidentally and it downloads something onto your 
devices. Those measures in place to keep that software off of 
the device are really important.
    I would also point to the fact that, for example, we have 
got a member company in the Minneapolis area, Vemos, that 
provides remote services for restaurants. So you can split a 
check just with one click on your handheld device. I think 
there is an assumption that if more of that is happening online 
and over the Internet, that there are more potential attack 
surfaces, and so I think that observation is correct and that 
that should cause us and your Committee to look closely at what 
the opportunities are to ensure that the threats are adequately 
being dealt with and that small businesses are taking 
precautions.
    Mr. FITZGERALD. And some of these managed service 
providers, you know, they are going to have to adapt kind of 
new, standard operating procedures when it comes to cyber 
hygiene; right? So I am just wondering, you know, how far 
behind the 8-ball are we on this stuff? Because it came at us 
so quickly and now trying to adapt to it, it is probably going 
to take a while; right? I mean, we just do not have the ability 
to make this kind of do a 180 like small business is being 
asked to do.
    Mr. DUFAULT. Well, one thing that came up earlier in the 
discussion was, you know, are people at greater risk if they 
are using on-premises servers? And that is not necessarily 
true. And to your point that folks are using the Cloud a little 
bit more, one of the aspects I pointed to in my written 
testimony was the fact that if you are using off-premises Cloud 
services, then you do have access to faster patches and 
updates, software updates that can address the newest threats 
and the newest vulnerabilities. Whereas, if you have on-
premises servers, you are manually installing those updates and 
you are trying to keep up with those threats manually and on 
your own. And you also do not have access to sort of the real-
time updates for indicators of compromise that others are 
experiencing that are using the same Cloud service.
    And so from that perspective, we may be in a little bit 
better of a position to the extent that we are relying more on 
Cloud services because we have better access to real-time 
threat sharing and we have better access to real-time updates 
to software. So that is one dynamic that sort of cuts the other 
way that I wanted to point out.
    Mr. FITZGERALD. Very good. Thanks for being here today. I 
yield back, Madam Chair.
    Chairwoman VELAZQUEZ. The gentleman yields back.
    Well, thank you again to our witnesses for being here today 
to testify on this critical topic. Your words have highlighted 
the significant risks that small businesses face without 
adequate cybersecurity measures. With more entrepreneurs online 
and more bad actors looking for targets, cyber preparedness has 
never been more important. Today's hearing has made it clear 
that Congress must take an aggressive approach to shield small 
businesses from cyber attacks. It is also vital that federal 
agencies and the private sector continue to collaborate on 
resources, training, and technical assistance to understand and 
reduce small businesses' cyber vulnerabilities.
    I look forward to working with my colleagues on both sides 
of the aisle to make this happen as we consider three 
cybersecurity bills at our markup next week.
    I would ask unanimous consent that Members have 5 
legislative days to submit statements and supporting materials 
for the record.
    Without objection, so ordered.
    If there is no further business to come before the 
Committee, we are adjourned. Thank you.
    [Whereupon, at 12:11 p.m., the committee was adjourned.]
                            
                            A P P E N D I X
