House Intel on Cyber Threats to American Businesses

House Permanent Select Committee on Intelligence

“The Growing Cyber Threat and its Impact on American Business”

Thursday, March 19, 2015                                

Key Topics & Takeaways

  • Liability Protection: Rep. Westmoreland (R-Ga.) asked how appropriate protections from liability would motivate financial companies to share. Pawlenty answered that many companies may have information on threats or malware and are willing to share, “but then lawyers step in” and worry whether the information might be subject to FOIA requests, whether competitors could steal proprietary information, and other concerns. He said legal safe harbors to protect personal privacy would make sense as a solution.
  • Privacy Concerns: Rep. Wenstrup (R-Ohio) said more discussion is needed to help make the public comfortable with information sharing with the government because “trust in the government is down considerably.” Tannenbaum said privacy must be a key priority in legislation and insisted that personal information is almost never needed in protecting against attacks. He said the statute must describe the threat indicators to be shared in a clear way.
  • Cyber Standards: Rep. Jackie Speier (D-Calif.) asked if there should be federal standards for cybersecurity practices. Pawlenty said the financial services industry is already subject to a standard, and that government benchmarks might be helpful. He added that the National Institute of Standards and Technology (NIST) framework is a voluntary set of standards that many companies are already benchmarking against. Tannenbaum said he is supportive of the NIST framework rather than a regulatory approach because a “check the box compliance regime” would not keep up with evolving technology. 

Speakers

Opening Statements

In his opening statement, Chairman Devin Nunes (R-Calif.) said the scope of cyber attacks against American businesses is growing, and called these attacks from nation-states and criminals “intolerable.” Saying that U.S. companies must have assurances that their information is secure, he stated that Congress “urgently” needs to strengthen the security of cyber infrastructure and promote the sharing of information.

In his opening statement, Ranking Member Adam Schiff (R-Calif.) said the theft of trade secrets has cost the U.S. economy hundreds of billions of dollars and thousands of jobs, and that threats are only getting worse. He said we are living in a “wild west” of cyber attacks which will continue as long as the attacks are effective and profitable and systems are vulnerable. He stated that one way Congress can help would be to pass cyber information sharing legislation, adding that he looks forward to introducing a bill with Chairman Nunes. Schiff highlighted that the legislation must not be viewed as a surveillance authority of American companies doing business overseas. 

Rep. Lynn Westmoreland (R-Ga.) warned that cyber attacks are affecting more and more Americans, and that American business, infrastructure and wellbeing are dependent on a reliable and safe environment.

Rep. James Himes (D-Conn.) argued for a need to update laws to enable information sharing and cooperation between the government and private sector. He stressed that such a bill would have to include safeguards for private information and provide liability protection for companies, as well as ensure that companies are working to improve the safety of their systems. 

Testimony

In his testimony, Tim Pawlenty of the Financial Services Roundtable said cybersecurity is one of the most pressing issues facing the nation, noting studies that suggest nearly half of all adult Americans have had their personal information exposed in the past year and that 80 percent of companies that are hacked or breached do not know until a third party tells them weeks or months later.

Pawlenty said the financial services sector is viewed as the leading sector in terms of investment and attention paid to cybersecurity issues, saying firms invest heavily in technology and are involved in information sharing activities. However, he said the industry’s efforts are not enough and that information sharing legislation is needed so that the government and private sector can work together. He said the biggest impediment to sharing today is the threat of legal ramifications such as anti-trust lawsuits, criminal charges, or Freedom of Information Act (FOIA) requests. 

In his testimony, Andrew Tannenbaum of IBM urged Congress to pass legislation with protections for voluntary information sharing. He identified three vital areas for consideration: 1) protection of privacy and personal information; 2) liability protections and legal clarity for businesses that want to share information; and 3) special rules for sharing with the government that involve strong oversight and privacy protections and that make it clear that the goal is to share technical threat indicators, not individuals’ personal information.

In his testimony, John Latimer of Total System Services warned that the cyber threat environment becomes more dangerous every day. He identified three significant cybersecurity policy issues worthy of consideration in Congress: 1) protection of critical infrastructure, including payments infrastructure; 2) information sharing legislation; and 3) data breach liability.

In his testimony, Richard Bejtlich of FireEye said thousands of companies face serious breaches, but only about 30 percent of them find the breaches themselves, and the average time it takes to discover a breach is about seven months. He said few organizations have the talent and budget to fight against sophisticated criminals and nation-states, and supported measures to “go after the threat,” such as funding the Federal Bureau of Investigation, and efforts to minimize the value of vulnerable information, such as encryption.

Question and Answer

Liability Protection

Westmoreland asked how appropriate protections from liability would motivate financial companies to share. Pawlenty answered that many companies may have information on threats or malware and are willing to share, “but then lawyers step in” and worry whether the information might be subject to FOIA requests, whether competitors could steal proprietary information, and other concerns. He said legal safe harbors that protect personal privacy would make sense.

Privacy Concerns

Westmoreland asked how to address concerns of privacy advocates who are hesitant about sharing with the government. Bejtlich stressed that technical threat indicators would be shared, and not personal information. He said he does not “see their concerns in real life.” 

Rep. Brad Wenstrup (R-Ohio) said more discussion is needed to help make the public comfortable with information sharing with the government because “trust in the government is down considerably.” Tannenbaum said privacy must be a key priority in legislation and insisted that personal information is almost never needed in protecting against attacks. He said the statute must describe the threat indicators to be shared in a clear way. Pawlenty agreed that it is important to distinguish between threat indicator information and personal information. 

Rep. Mike Conaway (R-Texas) asked if privacy must be sacrificed for security. Bejtlich said a cyber intrusion is the worst threat to privacy. 

Rep. Mike Quigley (D-Ill.) said public trust in the government is not very high, and asked how to present legislation in a way that would garner public support. Tannenbaum said the legislation must make clear that the intent is not to collect personal information, but rather to give companies faster access to threat data. Pawlenty accepted that people are concerned about their privacy, but said that “under the current status quo, privacy is massively violated every day.”

Innovation and Technology Standards

Himes lamented not seeing more progress on technological fixes to cyber challenges in the U.S., including chip and pin technology for credit cards. He asked what could be done to encourage innovation. Pawlenty said encouraging innovation would be good, but that Congress should be cautious about mandating any specific technology because technology advances very quickly. 

Rep. Jackie Speier (D-Calif.) asked if there should be federal standards for cybersecurity practices. Pawlenty said the financial services industry is already subject to a standard, and that government benchmarks might be helpful. He added that the National Institute of Standards and Technology (NIST) framework is a voluntary set of standards that many companies are already benchmarking against. Tannenbaum said he is supportive of the NIST framework rather than a regulatory approach because a “check the box compliance regime” would not keep up with evolving technology. 

Economic Impact

Rep. Peter King (R-N.Y.) asked about the impact of cyber attacks on the economy, saying this could help convince the American people of the importance of legislation. Bejtlich said some estimates suggest that cyber attacks cost the economy $200-250 billion a year. Pawlenty said a recent study suggested that up to 15 percent of the internet economy was “drained off” by fraud, theft, and other bad behavior. 

Rep. Patrick Murphy (D-Fla.) asked what the most significant concerns are about sharing information with the government. Pawlenty answered that the main stumbling block is concern about legal liability. Latimer agreed, saying the government must tell businesses what they can legally share. 
