[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
PROTECTING SMALL BUSINESSES AGAINST EMERGING AND COMPLEX CYBER-ATTACKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON HEALTH AND TECHNOLOGY
OF THE
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
MARCH 21, 2013
__________
Small Business Committee Document Number 113-008
Available via the GPO Website: www.fdsys.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
80-172 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
HOUSE COMMITTEE ON SMALL BUSINESS
SAM GRAVES, Missouri, Chairman
STEVE CHABOT, Ohio
STEVE KING, Iowa
MIKE COFFMAN, Colorado
BLAINE LUETKEMEYER, Missouri
MICK MULVANEY, South Carolina
SCOTT TIPTON, Colorado
JAIME HERRERA BEUTLER, Washington
RICHARD HANNA, New York
TIM HUELSKAMP, Kansas
DAVID SCHWEIKERT, Arizona
KERRY BENTIVOLIO, Michigan
CHRIS COLLINS, New York
TOM RICE, South Carolina
NYDIA VELAZQUEZ, New York, Ranking Member
KURT SCHRADER, Oregon
YVETTE CLARKE, New York
JUDY CHU, California
JANICE HAHN, California
DONALD PAYNE, JR., New Jersey
GRACE MENG, New York
BRAD SCHNEIDER, Illinois
RON BARBER, Arizona
ANN McLANE KUSTER, New Hampshire
PATRICK MURPHY, Florida
Lori Salley, Staff Director
Paul Sass, Deputy Staff Director
Barry Pineles, Chief Counsel
Michael Day, Minority Staff Director
CONTENTS
OPENING STATEMENTS
Hon. Chris Collins
Hon. Janice Hahn
WITNESSES
William H. Weber, Senior Vice President, General Counsel,
Cbeyond, Atlanta, GA, on behalf of COMPTEL
Justin Freeman, Corporate Counsel, Rackspace, San Antonio, TX, on
behalf of the Application Developers Alliance
Dan Shapero, Founder, ClikCloud, on behalf of CompTIA
Phyllis A. Schneck, Ph.D., Chief Technology Officer Public
Sector, McAfee, Inc., Reston, VA
APPENDIX
Prepared Statements:
William H. Weber, Senior Vice President, General Counsel,
Cbeyond, Atlanta, GA, on behalf of COMPTEL
Justin Freeman, Corporate Counsel, Rackspace, San Antonio,
TX, on behalf of the Application Developers Alliance
Dan Shapero, Founder, ClikCloud, on behalf of CompTIA
Phyllis A. Schneck, Ph.D., Chief Technology Officer Public
Sector, McAfee, Inc., Reston, VA
Questions for the Record:
None.
Answers for the Record:
None.
Additional Material for the Record:
NTCA - The Rural Broadband Association
NAFCU - National Association of Federal Credit Unions
PROTECTING SMALL BUSINESSES AGAINST EMERGING AND COMPLEX CYBER-ATTACKS
Thursday, March 21, 2013
House of Representatives,
Committee on Small Business,
Subcommittee on Health and Technology,
Washington, DC.
The Subcommittee met, pursuant to call, at 10:00 a.m., in
Room 2360, Rayburn House Office Building. Hon. Chris Collins
[chairman of the subcommittee] presiding.
Present: Representatives Collins, Luetkemeyer, Hahn and
Schrader.
Chairman COLLINS. Good morning. The hearing will come to
order.
We are going to have votes called sometime in the next--
between the next five minutes and the next 30 minutes, at which
point we will have to adjourn for maybe a half an hour and then
we will come back, but just to put everyone on notice. We are
not too sure; it could be as early as 10:05 and as late as
10:30 that we are going to be voting on the budget today.
I want to welcome our new members to the Subcommittee,
especially Ranking Member Hahn. I look forward to working with
you and all of our members during the 113th Congress. I also
want to give special thanks to our panel of witnesses for
taking time away from your full-time jobs and making the trip
to Washington for this important hearing, and I certainly also
want to welcome the high school students today who are seeing
how democracy works. Welcome.
Our nation's digital infrastructure has become an essential
component of how small businesses operate and compete in the
21st century. It provides access to a variety of innovative
tools and resources to help reduce costs and increase
productivity. E-mail, social media, online sales, and global
video conferencing are just a few of the examples. New
innovations and capabilities are being developed every day as a
result of the Internet, and this means new jobs for Main Street
America, new tools for small business. The rapid development in
information technology is truly fascinating to watch. A couple
of the most dynamic industries that have emerged are cloud
computing and mobile applications. It is now easier than ever
for small businesses to store and access their information from
anywhere in the world without purchasing thousands of dollars
in IT equipment. In addition, the boom in mobile applications
is a great success story for both entrepreneurs looking to
create the next best app and for small businesses that use
them. From mobile banking to online marketing there is a
plethora of applications available to help small business firms
increase productivity. In considering the NCAA tournaments set
to tip off any minute now, I am sure there may be some even in
this room who may stream the games from an application on their
mobile device.
Unfortunately, the growth of information technology has
also attracted a growing number of cyber criminals looking to
steal sensitive information, including intellectual property
and personal financial information. These attacks can be
catastrophic, leaving many small businesses unable to recover.
A recent report shows that nearly 60 percent of small
businesses will close within six months of a cyber-attack. The
recent string of cyber-attacks on high profile companies is a
stark reminder of the current threat, and although small
businesses do not make the headlines, a recent report shows
that 20 percent of cyber-attacks are on small firms with less
than 250 employees. Small businesses generally have fewer
resources available to monitor and combat cyber threats, making
them easy targets for expert criminals. In addition, many of
these firms have a false sense of security, and they believe
they are immune from a possible cyber-attack. The same report
shows that 77 percent of small firms believe they are safe from
a cyber-attack, even though 87 percent of those firms do not
have a written security policy in place.
There is clearly a gap in education and resources.
Moreover, the sophistication and scope of these attacks
continues to grow at a rapid pace. A report by the Office of
National Counterintelligence Executive indicated that tens of
billions of dollars in trade secrets, intellectual property,
and technology are being stolen each year by foreign nations
like China and Russia. These are not rogue hackers. They are
foreign governments engaged in complex cyber espionage with a
mission to steal our trade secrets and intellectual property.
As the leader in producing intellectual property, the United
States and small businesses will continue to be a primary
target for cyber criminals seeking an economic advantage.
Protecting our digital infrastructure is complex and no one
federal agency or private business can do it alone. It takes a
true public-private partnership to identify, combat, and share
information regarding the sophisticated cyber-attacks. As we
consider new cyber legislation, we must work to identify the
correct balance between imposing new onerous regulations for
small business and protecting proprietary information and our
digital infrastructure.
Again, I want to thank our witnesses for participating
today. I look forward to hearing how we can better assist small
businesses in utilizing new technologies while protecting them
against cyber-attacks. I will now yield to Ranking Member Hahn
for her opening statement.
Ms. HAHN. Thank you, Chairman Collins. I am proud to be
serving as a ranking member of this Subcommittee, and I know
that there is a lot of work that we can do together to empower
our small businesses to put technology to work for them and to
help them access all the resources that are available to them
to strengthen their businesses, hire, and grow. And of course,
while the Internet and new information technology offers
tremendous possibilities for our small business, as you said,
it exposes them to cyber threats that can be particularly
difficult for them to counter. Developing new innovations is
fundamental to our prosperity in the 21st century, but even
more essential is enabling the nation's small firms to adopt
these new technologies and become even more successful and
efficient. Over the next decade, we can expect the growth of
this field to produce good-paying jobs for millions of
Americans. The number of jobs dependent on technology is
expected to grow, creating opportunities for large and small
companies in every sector of the U.S. economy.
Internet and telecommunication technologies have not only
changed how we communicate, but also how business is conducted.
America's 23 million small businesses are some of the savviest
users of technology by using the Internet to access new markets
to grow and diversify. In fact, small businesses are the
driving forces behind further technological innovation as they
produce about 13 times more patents per employee than other
businesses. For the established small business, modern
technology can expand a firm's client base using a company
website, social networking, or other forms of online
advertising. Firms can utilize voice and video communication as
a low cost method to connect with customers around the world
and reach previously untapped markets. They can store data
online, access office productivity tools, and even improve the
energy efficiency of their business.
Yet for all the benefits technology brings to the equation,
it also creates more challenges for small business owners,
consumers, developers, and vendors. One such challenge is
cybersecurity because being connected also means being exposed
to new threats. Cyber threats can come in many forms but they
are all devastating to both business owners and their
customers. A single attack can wipe out a small business, which
is why cyber crime poses severe problems for small businesses
that are not prepared to mitigate this kind of risk. According
to studies, 40 percent of all threats are focused on firms with
less than 500 employees and reveal that a total of nearly $86
billion is lost with companies incurring an average of $188,000
in losses. Sadly, some small companies fail to recognize the
benefit of cybersecurity as an investment until it is too late.
On the other hand, those firms that understand the importance
of such an investment often lack the resources to implement an
effective security system.
The testimony we hear today will not only highlight the
variety of opportunities created by new technology but it will
also help to better protect the nation's small businesses from
growing cyber threat. This Congress, the strengths and
weaknesses of comprehensive cybersecurity, including issues of
privacy and notification, will once again receive significant
consideration. Small businesses have much at stake in how this
debate plays out. It is my hope that today's discussion will
shed light on what these policies mean for online
entrepreneurism.
In advance of the testimony I want to thank all of the
witnesses for their participation and insights into this
important topic. Thank you, Mr. Chairman, and I yield back my
time.
Chairman COLLINS. Thank you. Before we get started and hear
testimony from our four witnesses I would like to take a moment
and explain the timing lights for everyone. You each have five
minutes to deliver your testimony. The light will start out as
green. When there is one minute remaining, the light will turn
yellow, and finally, it will turn red at the end of your five
minutes. And if we can stick to that time limit we would
certainly appreciate that.
Our first witness is Mr. William Weber. Bill is the senior
vice president and general counsel for Cbeyond in Atlanta,
Georgia. Cbeyond is a communications service company that
provides specialized services, including Internet and cloud
computing exclusively to the small businesses nationwide. Bill
received his B.A. from the U.S. Naval Academy and his J.D. from
the University of Georgia. He spent 12 years in the Marine
Corps. Thank you for your service. He is testifying on behalf
of COMPTEL, that is a trade organization. Thank you and
welcome. You have five minutes to present your testimony.
STATEMENTS OF WILLIAM WEBER, GENERAL COUNSEL, CBEYOND, INC.,
TESTIFYING ON BEHALF OF COMPTEL; JUSTIN FREEMAN, CORPORATE
COUNSEL, RACKSPACE, TESTIFYING ON BEHALF OF THE APPLICATION
DEVELOPERS ALLIANCE; DAN SHAPERO, FOUNDER, CLIKCLOUD,
TESTIFYING ON BEHALF OF COMPTIA; PHYLLIS SCHNECK, VICE
PRESIDENT AND CHIEF TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR,
MCAFEE, INC.
STATEMENT OF WILLIAM WEBER
Mr. WEBER. Mr. Chairman, Ranking Member Hahn, Distinguished
Members, thanks very much for the opportunity to speak with you
today about what is an incredibly important issue for small
businesses across the United States.
My company, Cbeyond, represents 60,000 small businesses and
that is the only group of companies that we represent. We do
not represent large enterprises or microbusinesses. So we have
a lot of experience in dealing with the kinds of security
issues that they face. But I wanted to start out today to talk
to you a little bit about cloud services, what they really are,
and how they are being used by small businesses today because
it is easy to get confused about what kind of cloud services
small businesses are utilizing.
When people talk about cloud services, there are three
kinds that they will talk about. Software as a service, and
there are a lot of consumer-focused cloud services.
Technically, those are software as a service. Netflix is one. Facebook
is another. Small businesses tend to use a software-as-a-service
provider such as Salesforce.com to help run their sales force.
You also have platform as a service, which is much more
complex. Small businesses tend not to use it. It is kind of an
operating system in the cloud. And then the people that we have
here talking today are primarily going to be discussing
infrastructure as a service. When you hear people in the cloud
industry talk about infrastructure as a service, what we mean
is taking things that in the past were physically located on a
business's premises and moving them off the premises somewhere.
And I think giving you a concrete example of a business that
might do this would be helpful.
Let us take a typical small business that we might serve,
like a doctor's office. They have got three physicians working.
They have got staff people, 10 PCs, and they very likely have a
server on their premises. When we say a server, it is just
simply a computer that does not necessarily have a monitor
hooked up to it but that the other doctors and administrative
staff could access their billing software on that server that
would be located on their premises. And that would be connected
into their premises network via Ethernet cables like you see
all over the place. There is a green one right here. You
probably have some in the desk in front of you.
When we talk about infrastructure as a service, what we are
really talking about is taking that server and if you can
imagine extending that Ethernet cable 250 miles into a data
center, and now instead of sitting on the premises, that
server, with all their billing software on it, customer records
on it, is sitting in a data center. And instead of having to
buy that as a capital expenditure for the company, that server
is rented from a company like mine, Cbeyond or Rackspace or any
of the other companies that provide servers in the cloud.
Now, what are the advantages of doing that? Well, some of
the advantages are the small business can preserve capital.
Instead of having to do a $2,000 or $3,000 outlay to buy that
server they can rent it by the month from us. Physically, it is
much more secure. It is in a datacenter that has all the most
up-to-date firefighting equipment and power backups and
everything you can imagine to protect it physically. So those
are two of the major advantages they get. Do they get security
advantages? They do get security advantages because we can move
not only servers off their premises, we can move firewall
devices off their premises and they can rent those from us. We
can move storage devices off their premises and they can rent
those from us. So from a security perspective, rather than
being responsible for maintaining the cybersecurity of that server
themselves, which they are not professionals at doing--they want
to run a doctor's office and that is what they are professional
at--they shift that burden to the cloud provider, and we are
experts in that--maintaining the firewalls, maintaining the
operating system, making sure virus software is kept up-to-date
and doing all those things for them. So it sounds like a
complex thing but if you do think about it as simply moving
that server that is on your premises into the cloud and letting
people who do nothing for their job but think about security
for those things maintain it, it can be of tremendous value to
small business. Thank you.
Chairman COLLINS. I think we can do one more witness and
the two of us will jog down to the floor to vote.
Thank you, Mr. Weber. I think that was a good explanation
of what cloud computing is all about. Maybe we can have some
questions on that later.
Our next witness is Mr. Justin Freeman, corporate counsel
for Rackspace. Rackspace is a global leader in providing cloud
computing services for all types of businesses, including
mobile applications for small firms. Justin has expertise in
both the legal and technical areas of the rapidly expanding
field of cloud computing law. In his role he oversees complex
technical agreements and directs their public policy strategy.
He received his J.D. from Southern Methodist University and is
a certified information privacy professional. He is testifying
on behalf of the Application Developers Alliance. Thank you for
being here. We look forward to your testimony.
STATEMENT OF JUSTIN FREEMAN
Mr. FREEMAN. Thank you, Chairman Collins and Ranking Member
Hahn and the rest of the Committee members.
On behalf of both myself and Rackspace and the Application
Developers Alliance, thank you for your time today and for this
opportunity to discuss contemporary cybersecurity challenges,
which are all the more difficult for our small business
community to address.
I would like to begin by providing a little bit of
background on Rackspace Hosting, founded in 1998 and
headquartered in San Antonio. With our focus on Fanatical
Support, which is a fierce commitment to a customer-oriented
set of core values, we have grown rapidly and currently serve
more than 170,000 customers across 120 countries. Rackspace
focuses on providing the cloud infrastructure and support
technologies, which enable businesses both large and small--
especially small these days--to benefit from the cost savings
that cloud computing provides.
Our latest focus is on OpenStack, an open source cloud
platform which we jointly developed with NASA. Open cloud
technologies are at the forefront of this information
technology revolution. They make previously inaccessible
technology available to businesses, small and large alike,
without initial investment in research and development costs,
and they eliminate proprietary lock-in which helps foster
industry standards for cloud computing providers and it is a
critical first step in allowing users to move their
applications and data from provider to provider as they see
fit.
There is no doubt that small businesses face growing cyber-
threats, especially in the form of intellectual property theft
and business disruption, such as what happens when a small
business's website is knocked off the Internet by a denial of
service attack. It is more important than ever for small
businesses leveraging new technologies to provide innovative
services and solutions to ensure that they have a trusted
provider ecosystem on which they can rely.
Rackspace has increasingly supported small businesses via
start-up programs which provide free or discounted cloud
resources to new enterprises. This helps remove some of the
initial roadblocks to success. The mobile application space is
particularly explosive with small business-led innovation as
entrepreneurs are able to leverage diverse and powerful cloud
computing resources to deliver innovative, integrated, and
mobile application experiences to customers, professionals, and
enterprises with little or no barrier to entry. And that is
really the key point in the application space.
To further support this innovative sector, Rackspace has
joined with the Application Developers Alliance, an industry
association dedicated to meeting the unique needs of
application developers as creators, innovators, and
entrepreneurs. The Alliance includes more than 20,000
individual application developers and more than 100 companies,
investors, and stakeholders, and it strives to deliver
essential resources, serve as a collective voice on policy
issues for all the small businesses who might not otherwise be
able to be present, and act as kind of the connective tissue in
the app ecosystem. Rackspace-assisted start-ups have run the
spectrum of the mobile app space, including iPad applications
to support physicians and information management, literature
apps to help book lovers share the reading experience, language
learning and test prep apps, and app systems that frankly make
it easier to make even more apps.
Turning back to the critical question, what can the federal
government do to help protect small businesses from cyber-
threats, it is first important to acknowledge that because of a
lack of resources to invest in expensive security appliances or
with which to maintain a large staff of security professionals,
many common prescriptions have limited effectiveness when it
comes to protecting the small business environment from cyber
threats. That is not to say that these challenges are by any
means insurmountable. Policies which focus on education and
training can help equip small business professionals with the
know-how necessary to respond to cyber threats and economic
incentives to implement security appliances can help offset the
cost of maintaining a secure infrastructure. It is crucial that
privacy and security regulations are implemented in addressable
fashion so as to provide a foundation of security principles
while allowing businesses to retain the flexibility necessary
to remain competitive and innovative.
We must avoid regulating small businesses out of the
marketplace by imposing retrospective or overly burdensome
requirements to implement security measures which ensure or
outright guarantee that no data can be breached. Instead, we
should focus on requiring reasonable and appropriate controls
to address threats in the context of a competitive business
environment, disseminating critical information about current
threats and best practices to the small business community, and
promoting a coherent set of sector-specific regulations,
privacy protections, security requirements, and collaborative
commitments. While it may be impossible for any company to
guarantee the security of its systems, together we can lay a
foundation to keep the American technology sector secure,
innovative, and internationally competitive.
Thank you very much for your Committee's time.
Chairman COLLINS. Thank you, Mr. Freeman. We will have to
adjourn now for I am thinking about 30 minutes to go cast our
votes. You can see what is going on right now, at which point
we will be back. Thank you.
[Recess]
Chairman COLLINS. The Committee will now reconvene. Ranking
Member Hahn had to catch a flight so I would now like to
introduce our third speaker. Dan Shapero is the founder of
ClikCloud, a company that provides cloud-based digital
marketing services for the IT service channel. As an
entrepreneur, Dan has extensive experience growing his own
company and helping other SBAs grow their businesses by
leveraging cutting edge technologies to gain strategic
advantages over larger and better capitalized competitors. He
is testifying on behalf of CompTIA.
Welcome. You have five minutes to present your testimony.
STATEMENT OF DAN SHAPERO
Mr. SHAPERO. Good morning, Chairman Collins, Ranking Member
Hahn, and Distinguished Members of the House Subcommittee on
Health and Technology. I would like to thank you for holding
this important hearing. This testimony is submitted on behalf
of the Computing Technology Industry Association (CompTIA).
My name is Dan Shapero. I am a CompTIA member and founder
of ClikCloud, a company I launched in 2010 focusing on offering
a variety of IT services, such as digital marketing, website
hosting, search engine optimization, blogging, e-mail
newsletters, and other business advisory services.
I am a California native and I am a graduate of the
University of California in San Diego. Prior to ClikCloud I
spent over 20 years working in the IT sector in various
capacities. I have also launched or helped other entrepreneurs
launch several IT startups. My past clients include Vicinity,
which is now Microsoft Maps, and Avamar, which is now part of
EMC.
My colleague on the panel will share with you some more
technical details of cybersecurity threats and attacks
prevailing on our Internet ecosystem. I hope to contribute to
the discussion by sharing with you my perspective from an IT
small business owner. I can assure you that cybersecurity is
one of the most pressing issues facing the small business
sector, but first I would like to provide you a quick overview
on CompTIA.
CompTIA is a nonprofit trade association and its members
include thousands of small computer service businesses, as well
as nearly every major computer hardware manufacturer, software
publisher, and service provider. In addition, CompTIA is also
the leading global provider of IT workforce vendor-neutral
certification and there are over 1.4 million CompTIA IT vendor-
neutral certification holders worldwide. Many of those are for
IT security.
As a baseline, the IT security infrastructure for small
business is as vulnerable to cyber-attacks and threats as large
companies and firms. Unfortunately, small businesses are less
resilient than their larger counterparts because they have
fewer IT resources in terms of personnel, hardware and software
to combat the onslaught of cyber threats and attacks that many
SMBs encounter on a daily basis.
Some small businesses are comprised of as few as 5 to 20
employees, so resources come at a premium. As a small business
owner, I have to rely on my own expertise to implement adequate
measures to ensure that the IT infrastructure that supports my
business is secure. I also have to make sure that my clients
understand cybersecurity risks and the threats to their
business. I advise them on the types of cybersecurity
compliance measures that they must implement to keep their IT
systems secure.
In the last five years, we have seen a steady transition
from a server environment to a cloud-based environment. This
has created tremendous opportunity for the small business
sector. The emergence of cloud technologies is now allowing
small businesses affordable access to IT infrastructure,
including software that was financially beyond reach just a few
years ago, so it is even more critical now that we ensure that
adequate measures and controls are in place to protect small
businesses from cybersecurity threats and attacks.
I would like to highlight two policy issues. First, the
majority of cyber-attacks create exposure across state lines.
This is the reason that data breaches are of serious concern.
There are 47 different state data breach notification laws in
place. In addition to the legal and regulatory compliance
costs, there is also an impact of loss of revenue and loss of
reputation that can be overwhelming to most small businesses.
CompTIA believes that the creation of a national framework for
data breach notification can go a long way toward reducing
costs and eliminating barriers to entry for small business
firms and it will also serve as an incentive towards job growth
in the small business sector.
Another issue that we face as small to medium businesses is
the ability to recruit and retain in-house talent to help
protect ourselves from cyber-attacks. All of our employees have
responsibility in keeping us secure, especially those in IT-
related roles. However, there is a skills gap that is an issue
that is affecting our IT community as a whole. There are
approximately 250,000 open IT jobs in the U.S. at any given
time. IT training and certification is not a magic bullet;
however, it is a critical part of the solution.
In closing, I would like to thank you again for the
opportunity to share our perspective on the issue of
cybersecurity and would be happy to answer any questions.
Chairman COLLINS. Thank you, Mr. Shapero.
Our final witness is Dr. Phyllis Schneck. She is the vice
president and chief technology officer for McAfee and has
certainly testified before this Committee a year or so ago. Dr.
Schneck received her Ph.D. in Computer Science from Georgia
Tech University where she specialized in the field of
information security. In addition to her role at McAfee, she
serves as the chairman of the board of directors of the
National Cyber Forensics and Training Alliance, a public-
private partnership used to prosecute cybercriminals worldwide.
Welcome back to the Committee. You have five minutes to
present your testimony.
STATEMENT OF PHYLLIS SCHNECK
Ms. SCHNECK. Thank you. And good morning, Chairman Collins
and other members of the Subcommittee.
I am Phyllis Schneck, vice president and chief technology
officer for Global Public Sector for McAfee. I really
appreciate the Subcommittee's interest in this topic of
cybersecurity for small business. I am pleased to address the
Subcommittee once again.
My testimony will focus on four key areas. The threat
landscape and its implications for small business, what in
general can we do about that for small business, what are the
mitigations, and then what is it that the private sector and
the public sector and government can do to address this.
A bit of background. I come from the high performance
computing world. Balancing how you take hardware design,
software design, and get a CPU to do everything it can do for
cryptography. So it is a balance of strong security and strong
computing. I also had a startup of my own and understand some
of the challenges in having a small business and was one of the
founding designers of our Global Threat Intelligence at McAfee,
which enables us as a large company to see 160 million points
of light of where bad things may be happening across the
Internet and create a weather map that protects everyone else.
And as you mentioned, I do run the National Cyber Forensics
Training Alliance, and the passion there is the information
sharing and collaboration which we need desperately to get to
the small businesses so that they, too, can benefit from that
even though they may not have the time or the money or the
resources to participate in that themselves.
At McAfee, we are relentless. We are dedicated to providing
connected security ecosystems that benefit small business,
large business, government all over the world but that make
sure that every part of the security ecosystem is learning as
it protects and as a wholly-owned subsidiary of the Intel
Corporation, we go all the way to the hardware and we are able
to look at the actual pieces and parts and metal and silicon
that run the instructions and make sure that we can detect
adversary behavior and protect.
Small to medium businesses make up 99.7 percent of our
business fabric. They hold intellectual property, personal
information. Many times they are the contractors building the
next engines, yet they cannot afford strong security teams and
they cannot afford separate resources which is why my
colleagues and others today provide amazing services to them so
they do not have to buy the equipment; they have the services.
What I will address today is how we can help those small
businesses that leverage so much on cloud and mobility and also
help, as Ranking Member Hahn pointed out, 23 million small
businesses. How we help them also gain the information sharing
and collaboration that the larger businesses are getting the
benefit of right now.
On the mobile space, that has increased from what we have
seen 70 percent in the past year. We went from 792 samples in
our malware zoo as we call it to 37,000, and 95 percent of that
increase was in 2012. Small business leverages these mobile
devices because they are inexpensive in many cases. They are
easy. They can do their home transactions, their work
transactions all at once. They take them on the road and they
leverage it with cloud services because there is very little
computing resource on the small device so they can outsource
the data storage. The threats to this and mobility, we see
those threats of the adversary trying to access that device to
get your personal information and/or access your computer
network, so the small business that cannot afford necessarily a
team to watch this has an even stronger vulnerability because
they have so much of their infrastructure dependent on mobile.
On the cloud side, you are basically outsourcing the
processing and storage of your data. So the key there is to
watch the data in motion and at rest. When you plug in that
Ethernet cable or a quote or send our data somewhere else, you
need to make sure they are encrypted and protected. You need to
make sure that that cloud provider has forensics for you when
you do want to report a breach and you do want to share
information. Some cloud providers will charge extra to do that
forensics investigation, so we would ask to look at that to
make sure that the best security on the planet is affordable
for the biggest business sector on the planet.
When we start looking at what we can do as private sector,
focus on security. Cybersecurity is a boardroom risk issue even
in the smallest businesses. Design and invest in cybersecurity
upfront. Mobile devices can be managed. That policy can be
pushed from the boardroom to every phone and every tablet. It
can be pushed to how you categorize what data is outsourced to
the cloud and what data perhaps is not.
On the government side, we need to incentivize
cybersecurity, incentivize innovation, ensure that small
business has the protection that big business has, ensure that
small business is not forced into the heavy regulatory
compliance side and moreover can do their real business and
build the next engines and the next drugs.
On the information sharing side, the Rogers-Ruppersberger
bill, it would be a wonderful way to encourage information
sharing between the largest companies and the smallest so that
you get that 99 percent of the business fabric to be able to
contribute what they see in the situational awareness and let
them have access to what we see as big business. Currently, the
ISACs are not affordable for most small businesses, the
Information Sharing and Analysis Centers that are set up with
government and private sector. We need to level that playing
field and get all that information and all of that security
protection, all that safety into our small business
infrastructure.
Thank you very much, and I look forward to any questions.
Chairman COLLINS. I want to thank all the panel members.
One reason we are having the meeting is to shine a light on the
fact that 77 percent of small businesses are not even
considering this. They are coming to work every day to make a
sale, to have some cash in the bank, pay their bills. It is not
on their radar. We want to put it on their radar.
So I guess I will start with the basic question that each
of you could address, which is a small businessman comes in
unsure if it is malware and it is the old-fashioned, somebody
just trying to wreak havoc with his system. You will know it
because your system will not turn on and funny things will show
up. But today what we are worried about is they are going to
steal intellectual property. They are going to steal personal
information. How does the small business owner that this is not
on his radar even know he was hacked? How would he come in and
know someone snuck in a back door and stole that information?
Or would he not know?
Mr. WEBER. Mr. Chairman, I am going to do something that
you almost never see a witness do. I am going to stop talking
immediately because I am not an expert on these things and we
have incredible experts on exactly the sort of systems that can
detect an intrusion so that you would know about it.
Mr. FREEMAN. I will address a couple of points about that
question. The first is that most small businesses that are
hacked have no idea that they have been hacked. Most large
companies that have been hacked also have no idea that they
have been hacked. This is especially applicable to corporate
espionage and the theft of intellectual property. Outside of
the case of business disruption attacks where you know you have
been hacked because your website does not function anymore, the
theft on the data breach side is much more difficult to spot.
So if you start looking to solve the problem after a breach has
occurred you are way too late. And I absolutely agree with your
remarks that this has to be on the radar well in advance.
Intrusion has to be detected in order for it to be responded
to. And a number of the products from our other witnesses here
can help businesses with intrusion detection and analysis but
the fundamental answer is that security has to be part of that
conversation. As Dr. Schneck put it, it has to be part of the
boardroom conversation well in advance. We have to integrate
security into our fundamental planning of all types of business
development processes. Thank you.
Mr. SHAPERO. I concur with Mr. Freeman. Chances are the
small business owner does not really know. Now, if they are
relying on cloud infrastructure, it may be incumbent on the
cloud provider to notify them if there is a data breach or a
data leak which may be conceived as a benefit of having your
assets in the cloud. But more often than not, if it was just on
their own network within their premises, chances are it went
undetected.
Ms. SCHNECK. I will concur, and I will say pretty much
everybody is owned, meaning there is a visitor most likely
everywhere on every network. The idea is to be able to run well
under attack. The trick here is resilience. How is this event--
because it will happen--it is just like the human body. You
will get a cold but it will not kill you. So how is it that
networks keep running? How do we build in resilience? It goes
to the boardroom policy issue and it also goes to making your
network, no matter how small or large it is, making your
network smarter. There are a lot of shiny products out there.
We all have them. But making sure when you invest in those
shiny products they click together and they talk to each other
and they make your network smarter, like an ecosystem. So if
part of your body spots a germ, your body attacks it without
having a meeting to do it. This is how we build our networks
now. This is that connected philosophy. And one of the best
things we can do is enable. Part of what we do, first of all at
McAfee, is take our global threat picture and apply it to every
small point that we protect. But as a community, we can take
everybody's global picture, connect it, and protect even the
smallest of businesses. So the detection of the intrusion will
be earlier, but also the resilience to it will be a lot
stronger. You will know how to recover from that. You will
probably lose less. A very tactical example is the way
intellectual property is ``lost'' is the access is gained by an
intruder that knows how to execute their instruction next on
your computer's list so they have control. They look for what
they want and they make a copy of it. They copy it and they
make a web connection and they send it back to a server that is
waiting for it. We can spot that stuff. It is not even
expensive. The idea is to know what you are looking for and it
is not static. Know what you are looking for based on what the
rest of the world is seeing right now, and a lot of that comes
from information that would be shared to and from cloud
providers.
Chairman COLLINS. Thank you. I mean, again, our concern is
it is one thing to say we should address this at the board
level and we should, but that starts with an owner who thinks
he is vulnerable. Seventy-seven percent of small business
owners do not think they are vulnerable. They are. We know it
and we just need to heighten that. So, again, from this
Committee, if we said what are the top three things we should
as a Committee focus on or explain to small business, besides
going in the cloud, right? Number one, go to the cloud. But
what are the first three things that we could do to try to
highlight this? Or what would you recommend a small business
do?
Mr. WEBER. Mr. Chairman, if I was going to make one
recommendation, the thing that hurts our customers more than
anything else is using poor passwords. It sounds so basic. You
would think that today in 2013 that people would know what they
ought to be doing but they do not. They are very dumb about
password selection. So today a secure password ought to be at
least 12 digits long. It ought to have capital letters, it
ought to have lower case letters, and it ought to have a number
or two in it. A password like that is not going to be cracked.
But small businesses do not want to do that because it feels
inconvenient. There are all kind of techniques you can use for
generating these passwords and make them easy to remember.
I will give you just one example of a problem that we had
with this. Our company has a website called Cbeyond Online
where you can go to modify your services, whether it is cloud
servers or your phone services. And we had a large law firm in
Atlanta with 90 attorneys who use our service, and one of the
attorneys who had access to Cbeyond online had a very, very
weak password. It was the name of his college mascot and they
got hacked. And the hackers came in and forwarded the firm's
main telephone number to their cell phone. They then went to
the firm's bank and deposited checks in their name worth
$40,000. The bank called the law firm to verify. We had not
seen this vendor before. We want to make sure that we should
release these funds. Of course, their phones were forwarded so
it rang to the criminal cell phones. They said, ``Absolutely.
This is a top shelf vendor of ours. Please release those
funds.'' And they lost $40,000 that way, just because of a weak
password.
So if I were going to focus on one thing, the first line of
defense is strong passwords. And if every small business in the
United States started using appropriate passwords it would have
a very significant impact on cyber crime.
Chairman COLLINS. Thank you.
Mr. FREEMAN. To carry on the notion that passwords are a
first line of defense, I would just like to also emphasize it
is critical to maintain a variance of passwords. At Rackspace,
the number one threat we see to customers are when their
systems are compromised because a malicious third party has
garnered a list of passwords from another service. When you
reuse the same password on your Evernote account as your Gmail
account and someone is able to hack one or the other, they get
a list of the passwords and they are able to use that against
all of your infrastructure. And routinely third parties will
go out and simply bang against every provider available to see
if the same user name and password combination exist.
In combination with that, another practical approach is
that businesses need to utilize encryption of all sensitive data,
both economically sensitive and regulated data. Encryption
really is the only means that has the fundamental integrity
with which to protect data. Because systems will be compromised
because we cannot guarantee that an intruder will not get
access to a system, the only thing we can do is really secure
the data that they might get access to, and encryption is far
and beyond the gold standard when it comes to that type of
security.
From sort of the broader approach, I agree with you there
is sort of a chicken and egg problem. How do we have the
security conversation when no one is having the security
conversation? I think it is critical to look at policies that
promote the conversation amongst users, businesses, and then
the businesses' providers. So the providers consider it just
part of doing business when they go and enter, whether it is
with a cloud service provider or security provider or with
another vendor, that security of information is simply
integrated into that conversation and becomes part of the
ordinary course of business.
One possibility in order to incentivize that is to
incentivize economically the use of security resources rather
than to attempt to incentivize it through punitive regulations.
I think that small businesses in particular are going to be
much more responsive to economic incentives rather than to
changing their behavior out of fear of punitive regulations,
which often they do not have time to review in their mass and
complexity. Thank you.
Mr. SHAPERO. Well, first I would like to acknowledge the
Committee for starting the dialogue. You asked what could the
Committee focus on, exactly right, and it is great to know that
small business is part of that dialogue--small businesses and
their customers, frankly--and I urge you to continue on with
the debate. For the business owners themselves I start off tip
number one advice is make sure that your network is compliant.
And when I say compliant, you do not just have anti-virus,
anti-malware software, a firewall in place, but you are making
sure that all your definitions are up-to-date, meaning that you
are up-to-date on what the latest threats are. That your
firmware on your firewall is up-to-date so that you have got
the latest and greatest to protect yourself from those threats.
And also your operating systems. So all those patches that come
out on a regular basis. They might seem like a nuisance to many
small business owners and it may be a basic thing like
passwords, but make sure that you are applying them as
recommended by your IT service provider. Encrypting your data
is also an important part of ensuring that you have a compliant
network. Doing a periodic network scan is something that you
should do as part of making sure that you have a compliant
network. So there is a whole list of checklists to make sure
your network is compliant.
The next thing is policies. So you pointed out most
companies do not have a written policy for their employees. It
might be something like acceptable use for mobile devices in
their organization. Am I allowed to have corporate data on my
personal device? Am I allowed to have personal data on my
corporate device? Because it can get really tricky when a
device might be lost or stolen and you are trying to lock down
that data if you do not have those policies in place. Policies
for what to do in case of a breach. Who do I notify? Which of
those 47 states am I required to disclose to when I have lost
data from my consumers? So having those policies in place is
really important.
And then I actually have four on my list so I will cut the
last one off. The third is training. So it is really an
educational process, not only for the business owner but for
their staff as well so the employees understand the importance
of why they cannot just have that 12-digit alphanumeric with
caps and character password, but why it is important not to
paste it on a post-it and stick it on your cubicle because you
might forget it. So just making sure that you have the
employees onboard as well because they really are the first
line of defense. And as Mr. Weber pointed out, might be the
ones taking that phone call, giving out or leaking out data in
the organization. So it is really important that we raise the
level of education of the business owners and their employees.
Ms. SCHNECK. So I will echo. A lot of these comments are
right on. This is not just a technology problem; this is a
people problem. So a lot of emphasis on the training and
education. When you incorporate a new business there are a lot
of steps that people know they need to go through and not one
of them is cybersecurity. So that is an afterthought
completely, so already you start off behind. Many small
businesses are harboring some of the neatest inventions for the
next decades. They do not necessarily think about where they
store stuff or categorize those assets and how you protect it.
So it is very much a legal and policy challenge.
As a ``security vendor'' I will say something potentially
funny but anti-virus is not so much the way of the future; it
is all the other things that were mentioned. But it is not
having one of each; it is taking a step back and making a plan
that fits that company, one that fits that budget, and that can
get done when a company is incentivized to take a really good
nontechnology look at the cybersecurity they need. What are my
assets? What are my risks? I absolutely will have an intrusion.
And then how do you bounce back from that and how do you create
a culture of security, a culture of resiliency? And the modern
maturity models that we see show that a good upfront investment
in cybersecurity--and it does not mean an expensive one, it
means a smart one, an educated one--is the upfront investment.
And over time you actually spend less money and get more
resilience because that connected security system is learning.
Anyone can protect against an attack we know about. What we get
hurt by as a community are the attacks that we have never seen
before, and those are very well crafted because our enemies are
innovating. So the only counter to that is innovation itself.
And what I would ask for and suggest is something like tax
breaks or insurance breaks. Those things are very attractive to
new businesses. So when you stand up that new business, what
are the things I can do to save the most money and be the most
secure that look good to the three people that work for me or
to the venture capitalist that put his money into me? And I
think so from the training perspective, the people perspective,
and overall holistic risk perspective. Then you can start
adding all these wonderful technologies that we all have.
Chairman COLLINS. Well, thank you. I want to thank all the
members for participating because I just think this is a step
in the direction for the Small Business Committee on an
awareness front and I think also interfacing with the SBA. I
think just saying to someone who calls up and says I am
creating a business, making sure that the issue of
cybersecurity and the importance of it is on the checklist. I
mean, let us just for one thing get it on the checklist. So I
think there is a lot we can do just shining a spotlight and we
have done some of that today. We intend to do more. We are
going to make sure that at the end of this meeting that we do
send a letter to some of the key federal agencies and summarize
the findings here. We will also be talking in a broader
perspective with some of the news media about cybersecurity,
and we are going to ask the federal agencies to come back to us
and detail what they are doing to deal with the issue of
cybersecurity, the importance, and especially as we said today,
small companies do not even know they just lost their strategic
plan, they just lost their bank statement, they just lost a
list of all their employees and their employees' social
security numbers, their strategic plan. I mean, if you could
imagine setting them in the lobby for someone to copy, to some
extent that is what they are open to. So we are just going to
step forward and make sure that small business understands the
risk. It is real. It is more severe today than it was 10 years
ago, and so your testimony today is helpful, and certainly your
list of suggestions. We will make sure that we include that.
They were very common sense and in many cases not that
expensive.
So I will ask unanimous consent from the members. Seeing
there is no objection I will so order that. And this meeting is
now adjourned. Thank you very much.
[Whereupon, at 11:32 a.m., the Subcommittee was adjourned.]
Statement for the Record
William Weber, General Counsel, Cbeyond, Inc.
Before the
United States House of Representatives
Committee on Small Business
Subcommittee on Healthcare and Technology
Hearing on
Protecting Small Businesses Against Emerging and Complex Cyber-Attacks
March 21, 2013
Mr. Chairman and members of the Subcommittee, Cbeyond
appreciates the opportunity to provide a statement for the
record for today's hearing. Cbeyond provides cloud and
communications services to more than 60,000 small and medium
businesses (SMBs) nationwide; in our most established markets
including Atlanta, Dallas, Denver and Houston, we provide
services to more than 15% of all businesses with between 5 and
250 employees. Our annual revenue is nearly $500 million, and
we have approximately 2000 employees. Last year, Forbes
magazine named us one of America's Most Trusted Companies and--
together with Kraft Foods and Timberland--we were given the
Points of Light Corporate Engagement Award of Excellence.
I hope today to give you a brief overview of what cloud
computing is, why it matters to SMBs, the cyber-security
threats facing these companies and ways that those threats can
be mitigated.
What is Cloud Computing?
Unfortunately, I am old enough to remember the giant
computers of the 1960's with their punch cards and putty-
colored terminals with ghostly green type. These machines
differed from the computers our children grew up with in that
their computing power was not in the terminals themselves; the
computing power was in a mainframe computer located in another
room or another building. This was why you sometimes heard the
machines you typed on described as ``dumb terminals.''
Beginning in the late 70's and moving through the 80's,
computing power gradually migrated from the network core to the
network edge. This was the rise of the personal computer, and
as competition blossomed and prices tumbled, true computing
power became available to home and small business users for the
first time. This democratization of computing resources remade
our economy and fundamentally changed the way many of us work.
As PCs became ever smarter, faster and cheaper, we began to
make demands on them that were difficult to achieve without a
network. So we built a new kind of network. These new networks
were fundamentally different from the old because now the
computing power resided primarily at the edges. The networks
themselves served to route information (like email) from PC to
PC and to store information in central locations that needed to
be accessed by many people simultaneously (like databases).
Soon, though, we discovered a need to return some real
computing power to the network itself. Let's take a law firm as
an example. By the mid-90s, law firms got tired of having to
buy the same programs for all their computers, particularly the
programs they used to bill their time, store and access
important documents and organize their calendars. Software
makers responded by creating versions of their software that
could reside on a central server connected to individual
computers via the Ethernet cables of the law firm network. Now
multiple attorneys and assistants could access the same central
information, bills could be generated automatically and the
vast document databases that made legal work simpler could be
shared, searched and accessed by dozens of people
simultaneously.
This model worked well, but it had one major drawback: it
required the law firm to maintain what amounted to a server
farm on their premises and extensive Information Technology
(IT) staff to take care of the servers and the internal
network. It was also capital intensive because the firm had to
purchase enough servers to run their enterprise software
applications and back all those applications up. And, of
course, they had to buy more resources than they actually
needed to account for potential growth and be able to respond
immediately to problems with an individual server. For a law
firm--as with any other business--downtime would mean lost
revenue. And this brings us to what people call ``the cloud.''
So what is the cloud? At a high level it is the movement of
server-based computing power off the premises and onto servers
that users access in a remote location over a private network
or, in many instances, over the Internet. You already know
about more consumer-focused, cloud-based services than you may
think. Netflix's streaming video service is one. Facebook is
another. Both these applications store vast amounts of
information on remote servers somewhere on the Internet and
deliver that information (and the computing power necessary to
process it) to you on demand.
Why Do SMBs Care About the Cloud?
Understanding the basics of cloud computing is important,
but it is just as important to understand how the businesses in
your home districts use the cloud. A few examples might look
like this:
A seventeen-location Los Angeles furniture company
sending all of its security footage directly to the cloud where
they can store it securely and use server processing power to
review and search it.
A major insurance company with its US headquarters
in Minnetonka moving its IT test environment to Amazon servers
to avoid the capital costs associated with purchasing dozens of
servers it will only need several times a year.
A mid-size law firm with offices in Atlanta,
Charlotte and Louisville moving its billing, time-keeping and
accounting software to Cbeyond servers so that all of its
offices can access the same data at the same time.
A group of orthopedic surgeons in Denver moving
all its patient records to the cloud to avoid the cost of
maintaining the servers necessary to store, search and access
x-rays and to ensure it meets its HIPAA obligations.
Why would these businesses want to move these applications
and information to off-premise servers? There are many reasons,
some of which are embedded in the examples above. First,
getting someone else to manage their servers allows an SMB to
focus on their business rather than their infrastructure.
Lawyers want to practice law, doctors want to practice
medicine, real estate agents want to close deals and architects
want to design buildings. They don't want to spend time taking
care of internal IT resources. Cloud computing allows them to
realize this dream.
Second, cloud computing allows companies to preserve
capital. Rather than buying servers that they then have to pay
to maintain and upgrade, the business can rent only the server
capacity it needs for the time it needs it. There are no
installation cycles and no need for extra square footage or
additional air conditioning or electrical upgrades.
Third, cloud computing is fundamentally more secure in a
variety of ways. It is physically more secure because data
centers--unlike most places of business--are consciously
designed to the highest access security and fire control
standards. Business data is also more secure because a server
operating in a data center is monitored around the clock and
potential failures can often be detected and dealt with before
they occur; this kind of monitoring and response simply cannot
occur in SMB IT environments. Data in the cloud can be backed
up to multiple, geographically diverse locations automatically;
if there is a tornado that destroys a data center in
Indianapolis, a business can seamlessly and without pause
access that data from its duplicate in a Denver data center.
Security patches and operating system updates on cloud-based
servers are installed the instant they become available. And,
finally, servers in a data center are sitting behind the most
sophisticated, well-monitored firewalls available, and their
anti-virus software is constantly updated with no intervention
or action required by the business; it's all part of the
service a business buys when it moves its data to the cloud.
Fourth, cloud computing gives a business IT flexibility in
that they can grow and shrink their computing resources on-
demand, preserving both capital and time. If a business needs
to test major software releases under heavy loads a few times a
year, it can simply spin up cloud servers, run their tests and
then spin them down, saving time, saving money and avoiding the
cost of infrastructure it has only occasional need for.
Finally, the cloud allows businesses to increase IT
velocity. If an innovator has an idea, it can be put to the
test immediately. No more waiting for a server to ship and get
installed. This compresses planning cycles, keeps our
entrepreneurs focused on innovation rather than the
infrastructure of innovation and allows new ideas to launch at
the speed of the idea rather than the speed of FedEx.
How Does Cbeyond Help SMBs Take Advantage of Cloud Computing?
If my comments thus far make cloud computing sound like the
answer to many of the problems that SMBs confront as they
launch or grow, good. Because that's an accurate view: cloud
computing helps preserve capital, increases security and makes
launching or growing a business both cheaper and faster. But
SMBs need help to make the best use of cloud computing, help
that can only come from their service providers.
Unlike the large businesses that first began making use of
the cloud, SMBs do not have extensive IT resources. They don't
know how to move the applications that run their business into
the cloud, and they don't know how to migrate the associated
data. In fact, they generally don't even know what cloud
computing resources they actually need to do whatever it is
they want to do.
The large telecommunications and large cloud-only providers
do a great job serving enterprise businesses with big IT staffs
who know exactly what they need. The giant telecom companies
and cable providers also provide high-quality services to the
small businesses that need basic services like Internet
bandwidth, phones and email. But what about the sophisticated
SMB that wants to use the cloud to preserve capital for job
creation and innovation? They are in a tough spot: they don't
have the IT staff to help them with their migration to the
cloud, and the big cloud providers are not set up to help them
get QuickBooks and similar enterprise applications up and
running in their data center. This is where companies like
Cbeyond can help.
Competitive telecommunications providers are the experts in
the technology needs of SMBs because it's all we do. We have
direct sales people who introduce businesses to the power of
the cloud and personnel whose only job is to help businesses
choose exactly the resources they need for the job at hand. We
innovate to serve our small business customers by creating
cloud offerings tailored specifically to their needs, building
applications specifically designed to migrate their data and
providing the kind of personalized support they need to succeed
and to learn how to protect their business-critical data and
applications.
What Cyber-Security Threats Face SMBs That Move Computing
Resources to the Cloud?
While the move to the cloud can be of tremendous benefit to
SMBs from a variety of perspectives, many are concerned about
security. And they should be: cyber-security must be a primary
concern for any Internet-connected business. The first point
that needs to be made there is that the nature of the cyber-
threats facing SMBs as they move into the cloud is not much
different from the threats they have always faced if they have
a network that is connected to the Internet. They still need to
protect their internal networks, protect their data as it is
transmitted from one network to another and protect their
network endpoints--their individual PCs--from compromise.
Most digital attacks on SMBs enter the business through a
network connection to the Internet, and the first line of
defense is having systems in place to block these threats from
crossing into their private networks from the public Internet.
Many SMBs, particularly those with more than one location, have
multiple internal networks, and they must also ensure that
their data is safe as it moves from one secure network to
another. To understand these threats more completely, a good--
if somewhat hackneyed--analogy is to a medieval castle.
If you think of an SMB's internal network as its castle, a
good firewall and content filter is like its drawbridge and
moat, controlling access to the castle and ensuring that only
authorized people (packets) are admitted. Firewalls filter data
at the protocol level to ensure it is authorized, and content
filters search inside the data itself to see if there is any
spam or malware hidden inside so that it can be stopped before
it penetrates the internal network.
But medieval kings were not only concerned about the wrong
people sneaking into their castles; they also had to be
concerned with threats from afar, and--like guards stationed
along the walls and towers of the castle--this is where
intrusion detection systems (IDSs) and distributed denial of
service (DDoS) defenses come into play. In network security
parlance, an intrusion happens when a cyber-criminal breaks
into a network without causing any visible damage and then
silently extracts information from the network, information
like social security and credit card numbers. IDSs are designed
to watch for and flag intrusions.
A DDoS attack is designed to make a network unavailable to
its intended users by overloading web-connected servers. DDoS
attacks are hard to defend against, but they often begin with
multiple firewall contacts. Appropriate intrusion detection
software can warn an SMB of an impending attack so steps can be
taken to deflect the attack and keep the network running.
But what about information that needs to leave the castle
securely and travel across open country? This is where a
Virtual Private Network (VPN) comes into play. Like the
security detail a king might use to surround private
communications being sent to another castle, a VPN creates a
secure, encrypted link between one private network connected to
the Internet and another, ensuring that data traversing the
public Internet is safe from compromise. The VPN encapsulates,
encrypts and authenticates the data on both ends of the
communication so it cannot be intercepted, modified or stolen.
A good VPN protects the transmitted data so well that criminals
looking for it don't even see it pass by on the Internet.
Unfortunately, no matter how well an SMB takes care of
network security issues, there remains the possibility that its
security can be compromised by issues with its network
endpoints, its individual PCs. New species of virus can sneak
through even the most sophisticated content monitoring systems,
and laptops are often taken home where unwary Internet usage or
just bad luck can result in infection. The Verizon 2010 Data
Breach Investigations Report (which contained information from
both Verizon and the United States Secret Service) indicated
that 46% of all verified security breaches came from inside a
business firewall. And these intrusions can be quite serious,
as key-loggers steal network passwords or viruses introduced by
angry employees destroy data.
To combat the threat of attack from inside the firewall,
SMBs can use antivirus, anti-spam and anti-spyware software
which--when properly maintained and updated--can catch
infections on network endpoints before they do any damage. They
can also implement malicious web-site protections that prevent
their employees from accidentally visiting sites that are known
to cause infections or phishing sites that are designed to fool
users into providing confidential information. Most
importantly, businesses can make sure that the operating
systems on their individual computers are updated regularly so
that patches designed to close security holes are installed the
instant they become available.
Finally, what about the cloud? One of the tremendous
virtues of the cloud is that it allows an SMB to access cloud-
based applications and computing resources from anywhere in the
world. But its access-from-anywhere convenience also presents a
security threat if non-secure passwords are used. There are
simple measures a business can take to ensure that its
employees each have their own password and that those passwords
are secure, meaning that they are at least twelve digits long
and contain both lower case and upper case letters as well as
numbers. Further, SMBs can ensure that they encrypt all
sensitive data on their employee laptops and have the ability
to remotely wipe smart phones and other devices that are easily
stolen.
How Does Cbeyond Help SMBs with the Cyber-Security Threat?
Cbeyond was built from the ground-up to deliver technology
services only to SMBs, and we strive to serve as their
technology ally. An October 2012 study of SMB security
practices by the National Cyber Security Alliance and Symantec
interviewed more than one thousand businesses with fewer than
250 employees and found that:
90% do not have an internal IT manager focused on
technology-related issues;
87% do not have a formal written Internet security
policy;
68% do not provide any cyber-security training to
their employees; and
83% do not have an automated system that requires
employees to periodically change their passwords.
Given these statistics, we view helping our customers with
their cyber-security needs to be a key part of our role as
their technology ally, and we do this in two ways: through our
products and through education.
From an education perspective, we maintain a blog at
www.cbeyond.com that regularly addresses security issues faced
by SMBs and provides links to in-depth information contained in
industry whitepapers. We also draft our own whitepapers on
security issues and distribute them to customers and partners.
Finally, we educate our vendors and partners at live events on
emerging security threats and how to address them with their
customers.
From a product perspective, we do everything we can to
provide cyber-security protection to our customers so they can
focus on running their business rather than focusing on
security. Our security products for customer networks include
the most advanced managed firewall protection available via our
TotalCloud Data Center and--most importantly--a private network
that extends a customer's Local Area Network (LAN) into our SOC
2 and SOC 3 compliant data center so that their business-
critical data never traverses the public Internet at all. For
our multi-location customers and customers who need to be able
to access their cloud resources remotely, we offer VPN services
to protect data that must transit the public Internet.
Our products aimed at protecting customer endpoints include
Secure Desktop which is constantly updated without customer
intervention and stops viruses and spyware before they can
infect a customer computer. Our customers can check the
security status of every PC they own via an online portal. We
also offer network security assessments on customer request,
and--if they have a problem with a virus or other malware--we
will visit their business to take care of the issue.
Cyber-security is one of the most critical issues facing
Internet-connected SMBs today, and the role that the
Subcommittee can play in educating them about the threat and
the ways to mitigate it cannot be underestimated. Mr. Chairman
and members of the Subcommittee, I appreciate the Committee's
interest in this important topic and thank you for the
opportunity to provide this statement for the record.
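The statement above describes intrusion detection in general terms: many firewall contacts from one source in a short time can be the prelude to a DDoS or other attack, and an IDS is there to flag that pattern early. The following is an added example, not part of Mr. Weber's statement and not a Cbeyond product, of the simplest form of that check run over a few constructed firewall log lines. The log format ("timestamp action source destination port"), the field names, the addresses and the thresholds are all assumptions chosen for the example.

```python
"""
Added example: a minimal sliding-window check over firewall DENY events.
It raises an alert when one source address accumulates `threshold` blocked
connection attempts within `window_seconds`. Log format, addresses and
thresholds are assumptions for this example (constructed, not real data).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Format assumed: "<ISO timestamp> <ACTION> <src> <dst> <port>".
# 203.0.113.7 probes six ports in six seconds; 198.51.100.20 is blocked
# once every two minutes, which a short window should NOT flag.
SAMPLE_LOG = """\
2013-03-21T09:00:00 DENY  198.51.100.20 192.0.2.10 445
2013-03-21T09:00:01 ALLOW 192.0.2.55    192.0.2.10 443
2013-03-21T09:00:02 DENY  203.0.113.7   192.0.2.10 21
2013-03-21T09:00:03 DENY  203.0.113.7   192.0.2.10 22
2013-03-21T09:00:04 DENY  203.0.113.7   192.0.2.10 23
2013-03-21T09:00:05 DENY  203.0.113.7   192.0.2.10 25
2013-03-21T09:00:06 DENY  203.0.113.7   192.0.2.10 80
2013-03-21T09:00:07 DENY  203.0.113.7   192.0.2.10 443
2013-03-21T09:02:00 DENY  198.51.100.20 192.0.2.10 445
2013-03-21T09:04:00 DENY  198.51.100.20 192.0.2.10 445
2013-03-21T09:06:00 DENY  198.51.100.20 192.0.2.10 445
2013-03-21T09:08:00 DENY  198.51.100.20 192.0.2.10 445
"""


def parse_line(line):
    """Split one assumed-format log line into a dict; raises ValueError on bad lines."""
    ts, action, src, dst, port = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": src,
        "dst": dst,
        "port": int(port),
    }


def detect_probe_bursts(lines, threshold=5, window_seconds=60):
    """
    Return one alert per source whose DENY count within a sliding window of
    `window_seconds` reaches `threshold`. Events are sorted by time first so
    the window logic does not depend on log ordering.
    """
    events = [parse_line(ln) for ln in lines if ln.strip()]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # src -> timestamps of recent DENY events
    ports = defaultdict(set)      # src -> ports seen in those events
    alerted = set()
    alerts = []

    for ev in events:
        if ev["action"] != "DENY":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        ports[ev["src"]].add(ev["port"])

        # Drop events that fell out of the window relative to this event.
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()

        # Alert once per source, at the moment the threshold is first reached.
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "first": q[0],
                "last": ev["ts"],
                "ports": sorted(ports[ev["src"]]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_probe_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['src']}: {a['count']} blocked attempts "
              f"between {a['first']} and {a['last']}, ports {a['ports']}")
```

With the default 60-second window only 203.0.113.7 is flagged; widening the window to ten minutes also flags the slow source 198.51.100.20, which is the trade-off any threshold-based IDS rule has to make between catching low-and-slow activity and generating noise.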
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF DR. PHYLLIS SCHNECK, VICE PRESIDENT AND CHIEF
TECHNOLOGY OFFICER, GLOBAL PUBLIC SECTOR
McAFEE, Inc.
BEFORE:
UNITED STATES HOUSE OF REPRESENTATIVES
COMMITTEE ON SMALL BUSINESS
SUBCOMMITTEE ON HEALTH AND TECHNOLOGY
``PROTECTING SMALL BUSINESS AGAINST COMPLEX AND EMERGING CYBER-
THREATS''
MARCH 21, 2013
Good morning Chairman Collins, Ranking Member Hahn, and
other members of the Subcommittee. I am Phyllis Schneck, Vice
President and Chief Technology Officer, Global Public Sector
for McAfee, Inc. We appreciate the Subcommittee's interest in
cyber security as it affects small business, and I'm pleased to
be addressing the Subcommittee once again.
My testimony will focus on the following areas:
The threat landscape and its implications
for small business
Recommended best practices for small
businesses to protect themselves
What the private sector can do to help small
business
What government can do to help small
business
First I would like to provide some background on my
experience and on McAfee.
I have dedicated my entire professional career to the
security and infrastructure protection community. My technical
background is in high performance computing and cryptography.
In addition to my role with McAfee, I serve as Chairman of the
Board of Directors of the National Cyber Forensics and Training
Alliance (NCFTA), a partnership between government, law
enforcement, and the private sector for information analytics
that has been used to prosecute over 400 cyber criminals
worldwide. Earlier, I worked as Vice President of Threat
Intelligence at McAfee and was responsible for the design and
application of McAfee's™ Internet reputation
intelligence. I am the Vice Chair of the Information Security
and Privacy Advisory Board (ISPAB) and have also served as a
commissioner and working group co-chair on the public-private
partnership for the Center for Strategic and International
Studies (CSIS) Commission to Advise the 44th President on Cyber
Security.
Additionally, I served for eight years as chairman of the
National Board of Directors of the FBI's InfraGard™
program and as founding president of InfraGard Atlanta, growing
the InfraGard program from 2000 to over 33,000 members
nationwide. Prior to joining McAfee, I was Vice President of
Research Integration at Secure Computing. I hold a Ph.D. in
Computer Science from Georgia Tech, where I pioneered the field
of information security and security-based high-performance
computing.
McAfee's Role in Cyber Security
McAfee, Inc. protects businesses, consumers and the public
sector from cyber-attacks, viruses, and a wide range of online
security threats. Headquartered in Santa Clara, California, and
Plano, Texas, McAfee is the world's largest dedicated security
technology company and is a proven force in combating the
world's toughest security challenges. McAfee is a wholly owned
subsidiary of Intel Corporation.
McAfee delivers proactive and proven solutions, services,
and global threat intelligence that help secure systems and
networks around the world, allowing users to safely connect to
the Internet and browse and shop the web more securely. Fueled
by an award-winning research team, McAfee creates innovative
products that empower home users, businesses, the public
sector, and service providers by enabling them to prove
compliance with regulations, protect data, prevent disruptions,
identify vulnerabilities, and continuously monitor and improve
their security.
To help organizations take full advantage of their security
infrastructure, McAfee launched the Security Innovation
Alliance, which allows organizations to benefit from the most
innovative security technologies from thousands of developers,
who can now snap into our extensible management platform.
Today, more than 160 technology partners--large and small
businesses all committed to continuous innovation in security--
have joined the alliance, with more to be announced soon.
The Threat Landscape and its Implications for Small
Business
Since I last testified before the Subcommittee the cyber
threat has only intensified. I want to focus on two areas where
information technology is helping small business be more
efficient but where caution is also necessary. These are the
areas of mobile communications and the cloud.
Mobile Threats
It should come as no surprise that cyber criminals follow
the latest technology trends because that's where the targets
are the most promising. The growth in mobile communications is
staggering, and the U.S. leads the world in mobility. Globally,
mobile data traffic grew 70% in 2012, and by the end of this
year the number of mobile-connected devices is expected to
exceed the world's population, according to the Cisco Visual
Networking Index.
Small businesses, like others, are relying more on mobile
devices not only for communication but also for business
processes, and there's every reason to believe this trend will
continue. When I last appeared before the subcommittee, in
December of 2011, mobile threats had begun to appear on the
radar screen. Now they are front and center.
According to McAfee Labs, the growth in mobile malware
almost doubled in each of the last two quarters of 2012. At the
beginning of this year, the total number of samples in our
mobile malware ``zoo'' reached almost 37,000--with 95% of those
having arrived in 2012. To put this in perspective, in all of
2011 we gathered only 792 samples. The Android platform is the
lead target of mobile malware, with 97% of last quarter's (4th
Q 2012) samples being directed there.
One of the most volatile and worrisome areas of threats
today is some new functionality in malware. A scam known as
Android/MarketPay is a Trojan horse program that buys apps from
an app store without a user's permission. We're likely to see
crooks take this malware's app-buying payload and add it to a
mobile worm. With such a mobile worm, attackers will no longer
need victims to install a piece of malware. And if user
interaction isn't needed, there will be nothing to prevent a
mobile worm from going on a shopping spree.
Another developing area for mobile threats is in phones or
other devices with near-field communications (NFC), which are
becoming more common. As users are able to make ``tap and pay''
purchases in more locations, they'll carry their digital
wallets everywhere. That flexibility will, unfortunately, also
be a boon to thieves. Attackers will create mobile worms with
NFC capabilities to propagate (via the ``bump and infect''
method) and to steal money. Malware writers will thrive in
areas with dense populations (airports, malls, theme parks,
etc.). An NFC-enabled worm would run rampant through a large
crowd, infecting victims and potentially stealing from their
wallet accounts.
Attackers love it when users install malicious apps that
let the bad guys gain complete control of victims' phones; it's
no wonder that mobile backdoors remain popular with attackers.
Android/FakeLookout.A is a mobile backdoor that pretends to be
an update to antivirus software. In reality it hands control of
a phone to an attacker. It's designed to steal and upload text
messages and other files to the attacker's server. Another one
of these is Android/GinMaster.A, a mobile backdoor that uses a
root exploit to gain further access to a user's phone. It posts
a number of pieces of identifying information to the attacker's
server and accepts commands from the attacker.
As you can see, innovation is thriving in mobile malware
development and needs to thrive even more strongly in our small
businesses. Faced with the challenges of ``Bring your own
device,'' sometimes known as ``BYOD,'' many small businesses
will struggle with maintaining security and management control
over a wide spectrum of devices that consumers increasingly
want to use for their work.
Migration to the Cloud
Another IT trend that serves small business particularly
well is migration to the cloud. Small businesses, in
particular, can find real efficiencies in outsourcing their IT
and communications systems to the cloud. They can reduce costs,
improve offerings, eliminate complexity and have less need for
onsite IT staff. These are great objectives--as long as
security is not sacrificed.
I won't go into detail here, but not surprisingly, we are
seeing bad actors target cloud providers. Most cloud providers
do not offer a forensics capability as part of their base
offering. This means that if a company's data stored in the
cloud is breached, it will cost the company extra to provide
forensic data to either law enforcement or a security firm so
that the breach can be traced and remediated. Small business
owners should address this need up front with cloud providers
so they are not surprised if a breach occurs.
This is especially important at this time, when companies
of all sizes are being encouraged to report breaches or
suspected events to 1) protect victims, and 2) use the behavior
intelligence and forensics around the event to help protect
others. There has never been a more important time for a
security provider--cloud or otherwise--to enable easy, sound,
connected intelligence and behavioral analysis at a price point
that is a worthy investment. This helps small businesses
individually and collectively.
What Can Small Businesses Do to Protect Themselves?
Mobility and the cloud are here to stay, and it makes sense
for small business to embrace these trends. They shouldn't do
so without protections, however; this, too, makes good business
sense.
Here are some recommendations for small businesses to
protect themselves:
In General
At McAfee, we believe in ``Security Connected,'' from the
chip to the cloud. As a part of the Intel Corporation, we
explore behaviors from hardware to software and specialize in
recognizing malicious intent before it can cause irrevocable
harm. The keys are ensuring that cyber security is a boardroom
issue of risk--even in the smallest of companies--and enabling
companies to implement a connected, holistic approach that
considers their networks an ecosystem of traditional, mobile
and cloud devices and services.
This ecosystem concept is well described in the white paper
from the National Protection and Programs Directorate within
the Department of Homeland Security. Done correctly, networks
can detect behaviors over time and begin to recognize, almost
biologically, threats before those threats can overtake network
functionality. Maturity models have shown that for any size
organization, a wise design up-front leads to increasing
security and decreasing cost over time. A connected, behavior-
based approach enables network components such as phones,
laptops and servers to communicate observed behavior amongst
each other. Security can thus be managed in real-time based on
policy that adapts to current threats and provides resilience:
the ability to run while under attack.
These intelligent systems are the result of innovation, and
we need to help small business make wise--not expensive--
choices to create a connected security foundation. As I
mentioned in my prior testimony to this Committee, small
business comprises over 95% of the U.S. business fabric. Small
businesses have personal information stored, operational
requirements and valuable intellectual property, and they need
strong cyber security as much as large enterprises. Budget
constraints in smaller businesses accentuate the need for a
connected, ecosystem-based strategy in planning security
investment.
For Mobility
Like laptop and desktop PCs, today's mobile devices are
complex platforms with multiple modes of communication,
significant processing power and large storage capabilities.
This by itself would make today's mobile devices subject to the
same risks as business laptops; however, mobile devices have
certain characteristics that make them even more vulnerable
than PCs. Thus we recommend contracting with reputable service
providers who take security seriously.
There are also precautions that small business owners can
take to make sure their employees' devices are secure. Here's a
partial list:
Track and adaptively manage the devices that
access your corporate network
Educate employees on their role in
protecting the organization, its data, and brand
against theft, loss or malicious use
Use passwords
Encrypt on-device data and email, and ensure
mobile device data and email remote ``wipe''
capabilities
Have policy controls over memory card usage
and encrypt that data.
Implement Bluetooth controls, such as
installing firewalls and pairing with only known,
trusted devices
Protect against Trojans with blacklisting
and whitelisting applications
Have policy controls over web browser use
and website access
Install a firewall on the mobile device to
restrict inbound connections and prevent use of the
mobile device as a bridge
The best security providers offer both targeted and
comprehensive protections for the leading mobile device
platforms. As mentioned earlier, Android devices are attacked
much more than others. As an example of emerging mobile
security software, McAfee last week announced an embedded
control solution that is the industry's first to reside in the
Android kernel. The control is embedded in the operating system
rather than sitting at the user level, which is what makes it
unique. As businesses depend more on mobile devices, security
vendors will continue to innovate in the mobile space.
For the Cloud
Nine out of 10 businesses cite security as the top obstacle
to cloud adoption, according to International Data Corporation
(IDC). Yet small businesses can take advantage of cloud
computing safely with some precautions upfront. These include
making sure they are outsourcing to a cloud provider that can
ensure robust security. We recommend that cloud providers
contract with a third-party security vendor, offering the most
up-to-date protections for the most recent--and emerging--
threats.
But there are steps small business owners can take before
even getting data to the cloud provider. You can think of these
practices as building a secure bridge to the cloud. Here are a
few recommendations:
Discover and classify data in the organization before it
even leaves to go to the cloud
Before even beginning to consider what type of data should
or should not be moved to the cloud, a business must first
understand what data it has, where it resides--and more
importantly--the value or sensitivity of the data. Only when
there is a complete inventory of the data can an organization
begin to classify the data to build the appropriate policies to
protect it and then enforce policies while data travels both
within and outside the organization.
These policies can be kept simple, but they should be in
place to enable cyber security to be managed as a risk
mitigation tool and business enabler for small business.
Secure the primary channels of traffic that move data to
and from the cloud
These channels include email traffic, web traffic
(including mobile), and authentication traffic (making sure
users are who they say they are, and that they are authorized
to access the data).
McAfee and other comprehensive security vendors offer cloud
security platforms that are very effective at managing these
tasks.
It's also possible for small businesses to get their
security virtually--whether or not they are outsourcing their
IT. Again, we and other security vendors offer security via a
third party, or ``the cloud,'' and this can be a cost-effective
way for small businesses to get optimum security without having
to manage everything themselves.
What the Private Sector Can Do to Help Small Businesses
In addition to providing security for mobility and the
cloud, the security and IT industries need to keep their focus
on innovation in order to help small business and other
organizations. At McAfee we feel strongly that the path forward
is for security to be integrated into products at the
beginning, for disparate islands of security to be connected,
and for security vendors to offer real-time situational
awareness of threats.
Security features are not as effective when they are glued
onto systems as an afterthought. Rather, cyber security must be
integrated into equipment, systems and networks at the very
start of the design process. Security must be embedded in a
product or network element so that it becomes an integral part
of the product's or element's functioning. Products must also
be built to communicate with each other--exchanging information
in real-time about what each product is seeing on the network
to create the behavioral knowledge throughout the network
ecosystem. This design-level approach is not only more
effective; it is less cumbersome and less expensive than trying
to lock down systems that are inherently insecure. This
approach also provides tremendous cost savings for small
businesses, because the products and services that enable the
business have more native security and lead to a safer
infrastructure with less need for additional expenditures.
McAfee and Intel create and support these Security by
Design and Security Connected approaches. Today's attackers now
can be stopped below the machine's applications layer--and even
below the operating system. McAfee and Intel are working
together to change the security paradigm to dynamically and
adaptively protect systems against attacks at the core of
computing, and to provide proactive defenses in real-time,
making networks intelligent enough to prevent malicious
instructions from reaching their targets--instead of requiring
those targets to be vaccinated using signatures.
We also believe that as a security industry we must unify,
simplify, and strengthen the way we provide security. We need
to provide a framework for integrating potentially disparate
technologies--building bridges between security islands to
close coverage and technology gaps. This is the rationale for
McAfee's Security Connected platform. With cyber security
integration, security companies and their small business
customers will be able to quickly and comprehensively detect
and deter threats.
And having real-time visibility into emerging threats and a
comprehensive view across the threat landscape is a powerful
means of defeating cyber incursions. One robust technology that
enables this real-time global visibility is called Global
Threat Intelligence. With Global Threat Intelligence, millions
of sensors scan the Internet across the globe and feed back
real-time data on threats. This data is instantaneously
correlated and fed back into security products, delivering
real-time protection to customers, as we identify and block
malicious files, Internet protocols and web addresses. With
even more threat data from more security organizations fed into
this network, customers would get even more comprehensive
visibility into the quickly changing patterns of infestations
and could take immediate steps to counter them.
What Government Can Do to Help Small Business: Enable
Information Sharing
It's hard to overstate the importance of being able to
share threat information between the private sector and the
government. There are several initiatives that can facilitate
this process, and I'll discuss two of them: an information
sharing bill and an information sharing mechanism available to
large business known as ISACs, or Information Sharing and
Analysis Centers.
An Information Sharing Bill - Rogers/Ruppersberger
During the last Congress and again this year, House
Intelligence Chairman Mike Rogers (R-Michigan) and Ranking
Member Dutch Ruppersberger (D-Maryland) introduced the Cyber
Intelligence Sharing and Protection Act, also known as CISPA.
The bill would facilitate the sharing of cyber intelligence
between the government and the private sector. Significantly,
the bill would offer liability protections for private entities
sharing cyber threat information in good faith. Ensuring that
sufficient privacy protections are baked into this bill will
help cement the broad consensus necessary to make this proposal
a legal reality.
An Information Sharing Construct - ISACs
While we definitely need legislation for robust information
sharing, the government has endorsed and the private sector has
put in place several Information Sharing and Analysis Centers,
or ISACs. These ISACs, which are organized by sector, provide a
specific mechanism for sharing cyber threat data.
Small businesses have neither the budgets nor the cyber
experts to participate in a traditional ISAC. Indeed this
Committee might consider the merits of conducting a study or
holding a hearing on this matter to develop policy proposals to
enable deeper small business community participation in the
ISAC community. As we know, small businesses represent 99.7% of
all employer firms and employ about half of all private sector
employees, according to the Small Business Administration. We
need to find a way to include small business in our nation's
security paradigm--and that includes information sharing.
The National Cyber Forensics and Training Alliance (NCFTA)
is one example of successful information sharing. Small
businesses need the intelligence that such collaborations
provide, and perhaps the small business community could
leverage the information sharing agreements in the NCFTA so
that collectively they could better protect the U.S. small
business fabric, and thus our economy.
Thank you for the opportunity to address the subcommittee.
I will be happy to answer any questions.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]