...that the testimony you're about to give is the truth. Senator Flake: I will introduce both of you together and we will proceed from there. Our guest is the director of the Global Security Initiative. She specializes in cybersecurity and defense research. She was a scientist for Lockheed Martin. Mr. Moore is a cybersecurity professor at the University of Tulsa. He focuses on the study of electronic crime and development of policies for strengthening security. He oversees the economic flat answers as the director of ware. Each of you will be asked to summarize your testimony in five minutes or less. You may proceed.

Ms. Winterton: I'm the director of strategy at Arizona State University's Global Security Initiative. Thank you for convening this hearing. The bottom line: it is possible to be a responsible steward of personal data. That does not mean it is trivial or easy. It means there are known solutions. Most of these breaches are not complex exploits. Most come down to mismanagement of the basics, and that is often due to underfunded security teams. Beyond the basic problems in cybersecurity like adequate patching and staffing, there are bigger questions, questions like: how can we build systems that are resilient to hackers, how do we create methods of identity management, and how do we make security easier for everyone? None of these are easy questions, but they are necessary if we want to break out of the cycle, and we need to start addressing them now. We need an approach that is revolutionary, not evolutionary. If we are going to protect the sensitive data of our citizens and country, a concern of the subcommittee, we cannot just iterate on what we have. We need to build networks, not just networks of computers, but networks of computers and people together. How do we stop data breaches? Consider what kind of data the system contains, how long the data are stored, what value they might have to an adversary, and the types of attacks the system is likely to face.
We call that a threat surface. A mom-and-pop business has a different threat level. A good security plan should include technologies like two-factor authentication and rapid patch management systems. Another piece of security is to find its weaknesses before the attackers do. We have blind spots. Our systems are the same way. It is important to bring in experts to test networks in the same way a real attacker would and provide recommendations on how to fix the weaknesses they found. You can call them red teams. These people are indispensable. There has been a lot of discussion in the media about the damage this breach has done, and I do not want to downplay the consequences that consumers will experience. There's another concern regarding the large-scale breach, and that is at the national security level. 145 million records is almost half the population of the United States. Although the breach does contain some non-U.S. data, it would be a large asset to a foreign adversary. The verdict is still out on that, and analysis will have to be done. But in addition to identity theft and fraud, think of what else this data could be used for. The credit scores and financial histories of 145 million people paint a picture of our country, allowing an adversary to discover and exploit vulnerabilities in our economic system. In an earlier breach hearing, you said what may not be sensitive may become sensitive in the aggregate. The data are illuminating on their own, but they are sensitive when combined with information from other large-scale breaches. I'm thinking of the Office of Personnel Management breach in 2015, when over 21 million security clearance files were compromised. The data lost, when combined with other sets of data, can make dangerous roadmaps to the human vulnerabilities in our national security system. Oftentimes when we talk about cybersecurity, it comes across as hopeless, but I am an optimist, and why? We have bright people working on these problems.
Academic researchers, government agencies, think tanks, whether in the nitty-gritty or the big questions of strategy, our country has the capacity to make progress. We need to yoke resources together in a meaningful way. Think about what universities can provide. We have a culture of exploration, we embrace tough challenges, we have the freedom to take risks, we believe in research and discovery of public value. We appreciate our relationships. The challenges we face are real. We face them together, Senator Franken, and we are committed to creating solutions. I would like to thank you for inviting me to participate. This is a start for how we rethink security.

Good afternoon. Thank you for the opportunity to testify today. The recent breach of 145 million Americans' information is troubling. It stands out not only for the number affected but for the data disclosed: Social Security numbers, addresses. I teach my students that the loss of confidentiality is irreversible. Nothing can make a criminal unsee data. It is not practicable for those many Americans to be reissued new Social Security numbers. The harm emanating from this breach is new credit account fraud, which is pernicious because people do not find out until they are denied credit. That is only the tip of the iceberg. The IRS has lost billions of dollars to criminals filing fake tax returns. Expect tax filing fraud to spike, along with health care and entitlement fraud. The harm goes beyond frauds perpetrated by cyber criminals. Because the breached data includes addresses, people can be tracked down and stalked. By connecting the breached data from Equifax with the prior breaches, foreign powers can identify people and target them. This affects people well beyond Equifax. Not only the individuals whose data was compromised; the scope includes financial institutions, health care organizations, and the U.S. government. This is a negative externality.
When third parties are harmed by decisions taken by others, the incentive to invest in countermeasures is weakened. This can lead to mismanagement of risk. Another looming market failure is the information asymmetry that exists about the extent and cost of harm. At this point we know security has been breached, but we do not know how much fraud will be enabled, how many scores will be downgraded as a result of fraud, how much harassment takes place, and how many national secrets are compromised. Without an accurate assessment, it is difficult to devise a response that encourages more secure outcomes. We should be mindful of the indirect costs associated with this breach. The total drag on the economy could exceed the direct cost. What should we do? The main defense is to freeze their credit. It is a good start, but it falls short because most of the harms we talked about today would not be stopped by placing a freeze. In a world of bad actors who know almost everybody's names, we cannot continue with a system that controls access to credit reports that way. The process of unfreezing should be as unrestrictive as possible. One policy intervention would be to require access to credit files be frozen by default. This would incentivize bureaus and brokers to design more secure and usable authentication procedures. By promoting transparency about the prevalence and cost of the harms from breaches, we could correct the information asymmetry. Companies should disclose not only breaches of confidential information, but also the occurrence and cost of fraud. By getting this information, firms would gain greater insight into the true cost of cyber insecurity, encouraging investment when needed. Policymakers would get the benefit of the true magnitude of the negative externalities in play, which could inform policy interventions. Over the longer term, we must move to a more secure way of authenticating beyond Social Security numbers. There is no going back.
We should look to the private sector to take the lead to identify mechanisms, but there remains a significant role for government. We must work to improve resilience to cyber attacks. Perfect security is not possible, but we can take steps to recover completely from the harm. When breaches occur, a robust response can restore consumer confidence.

Senator Flake: Thank you both. I mentioned at the end of my questioning of Mr. Smith that it seems that when you have a data broker, a big data broker, companies like this that have 10 percent of their business consumer facing, the rest is data stored and marketed to companies, that they seem less incentivized to protect consumers because they do not face them that much. Is that a problem in your view? Yes, I agree with you. When I asked Mr. Smith whether or not Equifax had a culture of cybersecurity, he answered in the affirmative, but nothing seems to back that up, whether it is putting a whole patch management system on an individual and having a lot of that rest on one person. Senator Flake: The person's name is Gus. Or whether it is about how you take care of people and how you are considering them. I do not remember who it was on the subcommittee that mentioned that people were a product in this case and not considered customers. Ranking Member Franken. Thank you. I see that as a big problem. It builds it is clear our essential of for investment t and he gives the composite concern about the proposed unlock feature, because if that were to be widely deployed, that is something that would need to go to consumers. For a company who collects data on consumers but does not have direct relationships with consumers, I am not sure how effective the verification mechanisms could be in that case. For companies that do this right, this privacy right, what does it look like? A company like this, like the ones we're talking about, these data brokers, what would proper security measures look like?
It comes into this culture that you mentioned, when companies build security into the design of their products, so they are thinking about security as they are making new products; they do not expect to bolt it on at the end. Senator Flake: So after the breach? A little hasty. Senator Flake: So those should be put in place. Sure, or hiring enough people so that it is not just one person doing patching or encrypting data. Senator Flake: On that same line, Mr. Moore, what should they have found when Gus failed to apply the patch? You say it was human failure followed by technical failure. What would proper security look like? Mr. Moore: What you would see is a step of identification of the assets you have. If you look at the NIST framework, the very first step is identify. The organization should be able to identify robustly the configuration of all of their systems, what their software configurations are, and be able to react to vulnerability disclosures quickly to fix the problem. So I think step one is to do a better job of identification, but it carries through to whenever a breach occurs, to be prepared for the response so that you are ready in the event it happens. Senator Flake: At least additional protocols should be put in place to follow on after a human failure with another human check, perhaps, or are there industry standards that have been adopted or best practices that others use that should be instructive? Mr. Moore: I would start with the framework for principles about how to approach risks to an organization. That is where I would begin. Senator Flake: Thank you. My time has expired. Thank you for submitting your testimony. We have these votes, and I got stuck down there for a conversation about Puerto Rico, so it is an important thing. Senator Franken: This is important, too.
No matter how much is invested in security, even if you line up two guys behind Gus, there is no guarantee that there isn't going to be some unforeseeable breach of databases as large as Equifax. Although this was not an unforeseeable threat; it was something they screwed up. Both of you, for discussion: how do we rethink this? How do we rethink this industry more broadly? They are not terribly responsive to the people whose information was breached, because those people are the product, not the customer. What is the incentive we put in place for them to act more responsibly in this circumstance? You are saying the data was Social Security number and date of birth, and what was the other? Address. What do you do? Is it time that we put a chip in people when they are born? My five-month-old might object. He is already born. I'm talking about your next child. I think we start with a better accounting of the harms that take place. In the cybersecurity industry at large there are harms which occur, but there are limits to what companies have to disclose. When they lose personal information they have to say something, because 47 states have an obligation that is put on the companies. Whenever there is an actual identity theft, there are measurable harms that affect third parties that can go unreported. We need a more transparent and accurate accounting of when things go wrong so that we can act, so that actors internalize the externality. Measuring progress is one thing we have a hard time with in cybersecurity. There is no way to say, of a system's security or of steps taken, what effect it has and how it translates economically. We don't get the economic cost of breaches. I remember when it was Target and Home Depot, some of the speculation with data breaches was that the punitive measures would come through stock price or customers, but we have not seen evidence of that. One of the first things is understanding what these breaches mean and what they cost. What do they cost individuals and the economy, and what are the national security implications?
We had a good discussion about what the solutions would be. One Senator Leahy brought up is the Consumer Privacy Protection Act. Is that right? It is amazing that I remember that. I was a sponsor, but I can't ever remember those things. Do you know that piece of legislation? Would that be helpful? I think, as I understand it, there is a nationwide data breach notification requirement at the heart of it. I think that is a useful start. At the state level we have data breach notifications. That is how we know so much about breaches of information. I think we can improve efforts by being more specific about the harms we want reporting on. We could consider standardizing reporting of events to financial victims, for example, and the other harms I alluded to. I think, who would know about the financial fraud that happens to somebody? Financial institutions would eventually learn. The consumers would eventually experience it. So would the credit bureaus. It would be interesting to look at a model with consumers opting in and out. Some prefer they not use my data. A lot of people feel that same way. At the model where people can say I want my credit taken care of by certain agencies and not others, that could be an incentive because they can't do the analytics. I could jump in on that. I think that one of the things I placed in my testimony is that if we were to require bureaus to put the freeze in place by default, I think this would really incentivize companies to come up with ways of stronger authentication. What does that mean, freeze by default? What it would mean is a freeze is put in place. Right now consumers may be given the option to do that, but you have to take the initiative to go and freeze your credit. So I have my credit frozen, but I had to go to three websites and fill out information. That is not by default. By default it is still wide open.
The way it exists today for 145 million Americans, if a criminal wants new credit they can go do it. If you have a default in place where it is locked down, they would be prevented from doing so unless the consumer can be authenticated and say no, I want to unlock my report. Do they know who the 145 million people are? How did they come up with that number? Do they know who they are? They should know, yes. They have a very large database that has people's information. What I can tell you is that if they proactively said, Tyler Moore of wherever you live, and you don't have to say that right now, that would be out there. Who knows what could happen. That is not a threat. Why couldn't they contact everybody that was breached? Well, they certainly can. They certainly have tried to send notifications in seven states where it is required, to my understanding. Sending a letter is not the same as putting a freeze on your credit. Putting a freeze on your credit works in the current business model. I have a question about "do they know." When I wrote my initial testimony it was 143 million. Then I had to revise that to 145.5 million. They just revised their breach. They know who has been breached. They may not know the full extent of the breach, and that is concerning to me. Because we can't get this information from them. 90 or what we kept asking, you had the same experience, which frankly to me I think, bad, some notion of a bad actor there. I'm not an expert on their particular business, but those who want to issue new credit cards would pull and query the credit files, or telecommunications companies you contract with on the cell phone, they would do a credit pull. My understanding is that would be more of a business-to-business credit relationship, because the bureau would have a relationship with, say, the telecommunications company. Do they do analytics for advertising with that data? I'm sure they have the capacity. I'm not sure if they do. I guess we will never know. It is unknowable, evidently.
Could they have given these analytics to the Russians, who could have targeted the ads toward Michigan and Wisconsin? Can we blame Mr. Smith on the whole Russian thing? I will let you decide if you want to blame Mr. Smith on the Russian thing. Data you don't protect, you don't have control over who uses it. If you are going to leave data unprotected, you don't get a say. They have a business using the data they have. Could they have purposefully used it? That's what I'm saying. They are steps away from the for an under decrees selling data for people late on their mortgages. They had that as part of their business in the past. That seems like a business-to-business thing, but I'm talking about we have