Washington, D.C. - U.S. Senator Marco Rubio (R-FL), Chairman of the Senate Committee on Small Business and Entrepreneurship, today held a hearing titled “Cyber Crime: An Existential Threat to Small Business.” Ahead of the hearing, Rubio introduced both the SBA Cyber Awareness Act and the Small Business Cyber Training Act, legislation to protect small businesses from cybersecurity threats.
A video of the hearing can be found here. A broadcast-quality version of his opening remarks can be found here.
Key excerpts of the hearing are highlighted below:
Chairman Rubio: “About two years ago, according to an account that was shared with me, a small to mid-sized company in South Florida shared with me that they got to work on a Monday morning and found that their entire system had been locked. And they had gotten, somehow, a notification, I believe they said by email, but basically all of their financial and proprietary business records had been stolen. And in the message they basically said to them, ‘we want you to send us $500,000 in Bitcoin, we know you can afford it because we have your financials, we are not asking for a million, we’re asking for $500,000.’ They contacted law enforcement and were basically told, ‘well, if you want your information back, you’re going to have to pay it.’ This was a company that, I wouldn’t say they’re tiny, they’re certainly profitable and a growing business, but certainly not a large company. They had bars on the window and an alarm system in their office, but they were wholly unaware that anybody even knew they existed, much less that a foreign actor from North Korea or somewhere else would target them. What do you assess, writ large, is the awareness that exists today among the millions of small and mid-sized businesses in America that they can be targeted this way, and what are we doing to create more awareness that this could happen to them?”
Dr. Charles Romine: “Thank you, Mr. Chairman, for the question. It’s certainly the case that businesses of all sizes are susceptible to cybersecurity risk. And I think we’re seeing increasingly that that’s manifested through attacks on organizations of all sizes, so I understand the concern. From our perspective, from the NIST perspective, the way that we manage that is by trying to manage more effectively to small and medium businesses that the size of your organization does not make you immune to the potential for cyber risk, and that you have a responsibility, in the same way that every organization manages financial risk and reputational risk and H.R. risk and all other types of risk, you have a responsibility as an organization to also manage your cybersecurity risk. Now, stating that after the fact, after someone has been attacked, I’m not trying to blame the victim here. I’m just saying that the goal for NIST is to try to raise that awareness across all sectors of the economy and at all scales that there is a responsibility to manage that risk, and that we have resources available that can help you do that.”
Chairman Rubio: “What is your sense of the general awareness? I know that is not directly your department, but just interacting with this issue?”
Ms. Maria Roat: “So with the SBA, I think, you know, the Small Business Development Center is working with the Office of Entrepreneurial Development, working with those small businesses. Many times it’s not that the tools aren’t there and the tool kits aren’t there, but I think there needs to be more engagement and more communication with the small businesses to get out in front of that, and facilitation, and getting that information sharing out there. You can tell a small business, you know, ‘protect your environment,’ but how do you do it? What is that checklist? So I think there needs to be more engagement on that, adding on to what Dr. Romine said.”
Chairman Rubio: “Just as a follow-up to both of you, last February we heard from the Director of the FBI for the Senate Intelligence Committee, at an open hearing. And he discussed how smartphones made by Chinese government-owned and -backed companies like ZTE and Huawei, and this is a quote from him, ‘have the capacity to maliciously modify or steal information.’ And then the 2019 NDAA, the National Defense Authorization Act, restricted the federal government’s use of products manufactured by Chinese-based technology firms as substantial or critical components of any systems or as critical technology. Can you discuss a little bit what the federal government is doing to ensure not only that we are not using these products but also that we’re cautious against white labeling, which is basically the buying of technology parts from one of these companies where they’re just not labeled as manufactured by one of these companies, they put a generic label on it, sometimes even their own label. And we’re concerned because, for sensitive government work and essential government work in America, we rely heavily on the private sector, and so if they’re compromised with the existence of this technology, be it in routers or handheld devices, or what have you, you have a potential liability for the whole system. What are you doing to address that particular component?”
Dr. Charles Romine: “Thank you, Mr. Chairman, I’m happy to address that question. Although NIST has no role in specifying a specific nation-state or other threat that is directly coming from a specific country, we do have an active program, an ongoing program, in supply chain risk management. This is the kind of guidance that we put out in consultation and collaboration with other federal agencies on principles and practices that organizations can use to try to ensure that the equipment they purchase has the integrity they expect it to have, by ensuring, to the extent practicable, the supply chain of that product or service.”
Chairman Rubio: “I am curious about CAMI (Cyber Association of Maryland, Inc.) and its role in representing so many small businesses that are afraid to come forward and discuss vulnerabilities; obviously it has business impacts. On the one hand, obviously, if there is a breach of some sort, we want people to know about it. On the other hand, many businesses that are small, mid-sized businesses would struggle with public disclosure that could theoretically, reputationally, wipe them out. So, how is CAMI handling that, what is it doing? First, to sort of highlight the number and severity of the attacks that are on small business and, in particular, helping small businesses that are afraid to come forward and discuss their vulnerabilities, because, frankly, from those attacks is how we can improve our method of responding to and preventing them.”
Ms. Stacey Smith: “One of the things that we’re implementing, and it will come out in our revised website in April, is case studies, which allows our members to talk about businesses that have been breached and what they did to remedy the situation, and the cost involved, and the steps that they took, and things that they might have been able to do ahead of time to prevent that. So I think illustrating it through ‘this is a manufacturer, this was a small retail organization,’ so they can say ‘okay, that’s me,’ just to know that someone else has gone through it. And contacting us, one of the things that we do is anonymously put out a plea to our members if anybody is available to handle this situation, so the business’s contact information or name isn’t out there, to then connect them with resources, to the business that’s looking for that. They can also directly contact the businesses through our website. But that fear factor is certainly there, but that’s also after they’ve been breached. If we can get to them before they’ve been breached and say to them ‘put these protections in place,’ many of them wouldn’t suffer those breaches or attacks.”
Chairman Rubio: “But the existence of the case studies, without outing a company, is very helpful to a small company that sees itself reflected in the case study and understands that someone like them could also be hit by this.”
Ms. Stacey Smith: “Absolutely, and one of the things that we find all the time in what we do is, and even our organization when it was first created, we expected businesses to come to our programs and hear a talk on cybersecurity and how to be cyber secure. They don’t do that. Our local SBA rep said the same thing: that they’ve tried to do programs for the small businesses and they don’t come. They know they have to be secure, they’re too busy, or it doesn’t apply to them, whatever. But going to organizations that are already doing things and making it a piece of their conference, or putting the information on their website, in addition to the SBA website. Things like that, small things like that, can be done, taking the message out to the business and marketing. We deal with our local government; they don’t want to spend money on marketing and getting the word out, but you’ve got these great programs, how do you get the word out? And there’s got to be some kind of method for telling the message and promoting what resources are available.”
Chairman Rubio: “Well, I want to thank all three of you for being patient and being with us today. We’ve had a great hearing, and your input, as you saw from the questions and comments from some of our members, I think has elicited thinking about, number one, things people may want to take back to their own states, but holistically some of the challenges we face as we move forward on what SBA can do and what the federal government can do to empower small business to confront this very real 21st century challenge.”