Two subcommittees of the House Science Committee determined to find out in a joint meeting whether there were any clear technology ways to reduce theft or illegal access of personal data by international cyber-criminals.
The Oversight and Research and Technology subcommittees called together a disparate collection of experts in an effort to get guidance for drafting legislation that might help the situation.
Oversight subcommittee chairman Dr. Paul Broun (R-Ga) said that the most pressing question before the joint committees was to explore, "what specifically is being done to secure U.S. IT infrastructure." Members of the joint committees repeatedly expressed their concern over recent cyber-attacks against Target, Neiman Marcus and other retailers, and expressed concern over spying by the Chinese and Russian governments.
Witnesses, ranging from an expert from National Institute of Standards and Technology to the executive director of the Smart Card Alliance, took the opportunity to explain their part of the puzzle. But the most anticipated witness was Steven Chabinsky, senior vice president of legal affairs at Crowdstrike. Chabinsky was formerly deputy assistant director of the FBI's Cyber Division.
Chabinsky noted that cyber-crime seems to stem largely from central and eastern Europe. "Of the FBI’s current Top Ten Cyber Most Wanted, seven have connections either to Russia, Ukraine or Latvia. In some cases, international cyber-criminals are suspected of receiving the protection of local authorities." However, he noted that just because their criminal enterprises are located in those places, cyber-crime spreads much farther. "Regardless, even to the extent cyber-crime ringleaders may aggregate in certain areas of Europe, they typically are part of criminal conspiracies that span the globe."
Chabinsky said that it's critical to remember that not all victims of cyber-crime are large companies with vast resources. Much of it is aimed directly at small and midsize companies. "It is important to consider the victims associated with cyber-crime, and to recognize that many of them do not have the resources to mount a significantly stronger defense than they currently are against computer attacks," he noted.
"It certainly is the case that the cyber-intrusion headlines tend to focus on the Fortune 100 being hacked, but they’re not the only victims. Naturally, since 99.9 percent of all U.S. businesses have less than 500 employees, and few of those retain dedicated information security staff, cyber-criminals find small and medium enterprises (SMEs) to be attractive targets as well."
It was noted by several speakers that the criminals who infiltrated Target's POS (point of sale) and CRM (Customer Relationship Management) systems did so by hacking the account of one of the company's contractors—a company that is a small HVAC contractor that was responsible for monitoring the company's heating and cooling systems.
Chabinsky said that one significant problem is that the government and private industry have only succeeded in making customers fear for their data, rather than making the bad guys fear for the loss of their freedom. The problem, he said, is that resources are focused on vulnerability to the exclusion of everything else.
"We have retained this focus on vulnerability mitigation despite it being well understood that securing networks is a daunting task even for the most experienced." As stated in Verizon’s 2013 Data Breach Investigations Report, “breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity."
While the witnesses outlined some of the challenges, they also asked for Congress to pass some limited legislation that would encourage and enable federal involvement in ensuring data security. Rep. Larry Bucshon (R-Ind.) noted that the Science Committee was responsible for two bills, H.R. 756, the Cybersecurity Enhancement Act, and H.R. 967, the Advancing America's Networking and Information Technology Research and Development Act, both of which passed the House overwhelmingly, and have since stalled in the Senate.
The problem facing the House, and the Senate, if it decides to take security seriously, is how to create legislation that would encourage companies to keep data secure, while also not limiting innovation. The ultimate goal would be to create an environment in which security innovation is encouraged, but not restricted to a legal structure that prevented security practitioners from acting to meet new threats.
The problem with legislation in the past has been that it constrained action, making it difficult to change to meet new threats. The witnesses that appeared before the joint subcommittee hearing seemed to believe that there needs to be a new approach, one that allows consequences for those who put personal data at risk, while encouraging those who make determined efforts to protect data. While subtlety has rarely been a hallmark of Congressional legislation, this time the congressmen seemed genuinely interested in a better approach.