
CSPAN3 Former Equifax CEO Before Senate Judiciary Panel - Part 2 October 20, 2017

I must be allergic to this panel. If you'll stand to be sworn in. Do you confirm that the testimony before the committee will be the truth, the whole truth and nothing but the truth? Thank you. I'll go ahead and introduce both of you together and then we'll proceed from there. Ms. Jamie Winterton is director of strategy for ASU's Global Security Initiative. Glad you're representing the state so well. She specializes in cybersecurity and defense research. Prior to joining ASU she was a scientist for Lockheed Martin, where she developed projects in electro-optical and radar processing. Mr. Tyler Moore teaches cybersecurity and information at the Tandy School of Computer Science at the University of Tulsa. His research focuses on the economics of information security, the study of electronic crime, and the development of policy for strengthening security. He also oversees the Economics Lab and serves as the director of StopBadware. Your written statements will be entered into the record; I'm asking you to summarize your testimony in five minutes or less. Ms. Winterton, would you please proceed.

Thank you. Thank you, chairman. I'm the director of strategy at Arizona State University. I'd like to thank you for convening the hearing on this critical issue and inviting me to participate. I learned working with the Department of Defense that it's best to put the bottom line up front. It is possible to be a responsible steward of personal data. That doesn't mean it's trivial or easy. That just means there are known solutions to a lot of the problems that we see. Most of these big data breaches aren't due to complex, sophisticated exploits. Most of them come down to mismanagement of the basics and are often due to undervalued security teams. Beyond the operational problems, there are bigger questions looming. Questions like how can we build systems that are resilient to hackers, not just resistant. How do we create new methods of identity management. How do we make security easier for everyone? None of these are easy questions. But they're all necessary if we want to break out of the data breach cycle. We need to start addressing them now to ensure the future security of our citizens. To borrow a line from the advanced research agency, we need an approach that's revolutionary. We can't just iterate on what we have. We'll need to start building networks in a whole new way. Not just computer networks but networks of computers and people together. The definition of security depends on the system you're trying to secure. What kind of data it contains, how long those data are stored, what value they might have to a potential adversary and the types of attacks the system is likely to face. The mom and pop shop on the corner has a different set of threats than a government organization. For either of them a good security plan should include technologies like two-factor authentication, encrypting data and a rapid, responsive patch management system. Another critical piece of securing a system is to find its weaknesses before the attackers do. We all have blind spots to our own faults. The people who build computer systems are the same way. It's important to bring in experts from outside to test networks in the same way a real attacker would, without doing damage of course, and then recommend how to fix the problems. These people are indispensable in finding and fixing problems. I want to change topics for a moment. There's been a lot of discussion in the media and hearings this week about the damage this breach has done at the individual level. I in no way want to downplay the lifetime consequences that consumers will experience. There's another concern regarding that breach and that's at the national security level. 145 million records is almost half the population of the United States. Although the breach does contain some non-U.S. data. A data set this large would be an incredible asset to a foreign adversary. We don't know who has it and I think the verdict is out on that, and an analysis will have to be done before we can get an answer. In addition to identity theft and credit card fraud, think of what else this data could be used for. The credit scores and financial histories of 145 million people start to paint a pretty detailed picture of our economy, potentially allowing an adversary to discover and exploit vulnerabilities in our economic systems and society. Chairman, at your hearing on the breach, you said what may not be sensitive as one item may become sensitive in the aggregate. The Equifax [data] are illuminating. I'm thinking of the Office of Personnel Management breach in 2015, when over 21 million security files were exposed. The data lost in the Equifax breach, when combined with any other sets of data, could make dangerous road maps in our security system. Oftentimes when we talk about cybersecurity it comes off as really hopeless, but I'm actually an optimist. And why is that? We have some brilliant people working on these problems. Corporate R&D groups, independent researchers, academics, government agencies and think tanks, whether it's in the nitty gritty like malware reversal, our country does have the capacity to make progress on these problems. We just need to yoke our resources together in a meaningful way. I can talk about what our country's universities can provide. We have a culture of exploration. We embrace tough challenges and have the freedom to take risks. The challenges we face in cybersecurity are real. We face them together and we're committed to creating solutions. So I'd like to thank you, chairman, for inviting me to participate today. This is a promising start for how we rethink privacy and security and end the age of large data breaches. I'm looking forward to our discussion. Thank you.

Good afternoon. Chairman Flake, Ranking Member Franken, thank you for the opportunity to testify today. The recent breach of 145 million American consumers' personal information is deeply troubling. It stands out not only for the number of Americans affected but also for the data disclosed: Social Security numbers, addresses and credit histories. I teach my students that a loss of confidentiality is so damaging because it is irreversible. Nothing can make a cyber criminal unsee stolen data. Their information has been compromised now and forever. Unlike prior breaches, it's simply not practical for 145 million Americans to be reissued new Social Security numbers, let alone change the home address on their mortgages. The most straightforward potential harm emanating is new credit account fraud, because people don't find out they were victimized due to fraudulently opened accounts. This is only the tip of the iceberg. In recent years the IRS has lost millions of dollars to fraudulently filed fake tax returns. Expect tax filing fraud to spike in the coming years, along with health care and entitlement fraud. The harm goes far beyond fraud perpetrated by cyber criminals. Because of what the breach data includes, [victims] could be tracked down by an assailant. Lastly, there's a national security threat if it was obtained by foreign governments. For instance, with the prior breach at OPM, foreign powers could identify federal workers. Note that many of these harms just discussed affect people and organizations well beyond Equifax. This includes financial institutions, health care organizations, the U.S. government and taxpayers. This is an example of a market failure called a negative externality. When third parties are harmed by security [failures], this in turn can lead to mismanagement of risk by organizations that are responsible for protecting data confidentiality. Another lurking market failure is the information that exists about the true extent and cost of harms. We don't know how much new fraud has occurred or will be enabled, how many consumers' credit scores will be wrongly downgraded as a result of fraud, how much harassment takes place or how many national secrets are compromised. Without an accurate assessment of these costs and who is affected, it's difficult to devise a rational response that encourages more secure outcomes. We should also be mindful of the indirect costs associated. If people reduce their online participation or their engagement with the financial system because of an erosion [of trust], the economy [suffers]. Thus far the main defense available to consumers is to freeze their credit. This is a good start, but it falls far short because most of the harms we've talked about today would not be stopped by placing a freeze. In a world where bad actors know almost everyone's name, Social Security number and address, we cannot continue with a system based solely on information that has already been compromised. The process of unfreezing should be made as frictionless as possible. The lightest-touch possible intervention would be to require that access to credit files be frozen by default. This would incentivize credit bureaus to secure more. By promoting transparency about the true prevalence and cost of the realized harms from breaches, we could correct the information [gap]. Companies should be required to disclose not only the breaches of confidential information but also the occurrence and cost of fraud and complaints of unauthorized access. By gathering this information, firms gain greater insight into the true cost of cybersecurity, thereby encouraging more investment when it's needed, which can inform policy interventions if necessary. Over the longer term, we must move to a more secure way of authenticating people than Social Security numbers. Now that all this data has been disclosed, there's no going back. We should look to the private sector for [solutions]; there's a significant role for government in supporting that effort. Finally, we must also work to improve resilience to cyber attacks. We can take steps to limit the damage and to recover more quickly and more completely from the harms. When breaches do occur, a robust response can help prevent a damaging loss of consumer confidence. Thank you.

Thank you both. Appreciate it. I mentioned at the end of my questioning of Mr. Smith that it seems that when you have a data broker, a big data broker, companies like this that have very, what, 10% of their business is consumer facing. The rest is just data stored, marketed to companies. That they seem less incentivized. Is that a problem in your view? Yes, I agree with you. When you asked Mr. Smith about whether or not Equifax had a culture of cybersecurity, he answered in the affirmative, but nothing seems to back that up. Whether it's putting a whole patch management system on an individual and having a lot of that rest on that person. The person's name is Gus. Yes. Poor Gus. Let's think of him. Whether it's about Gus or whether it's about how you take care of people and how you are considering them, I don't remember who it was on the subcommittee who mentioned that the people were a product in this case and not considered customers. Ranking Member Franken. Thank you. I see that as a big problem. I would just have one particular thing. I think it's clear that it dulls their incentive for investment. I would also say that it gives me pause and concern about the proposed unlock/lock feature, because if that were to be widely deployed, that's something that would need to go to consumers. And for a company who collects data on consumers but does not have direct relationships with consumers, I'm not sure how effective the verification and authentication mechanisms could be in that case. What does, for companies that do this right, this privacy right, what does it look like? Can you kind of give a sketch of a company like this, like the ones we're talking about, these data brokers, what would proper security measures look like? It comes into this culture that you mentioned. When companies build security into the design and development of their products, so they're thinking about security as they're making new products, they don't expect to just bolt it on at the end. Bolt-on security never works very well. So some of these measures that they offered in the end after the breach were a little hasty. So those should be put in place, or have more of those in place, beforehand? Sure. Sure. Or valuing people and supporting them enough so it's not one person that has to deal with patching or encrypting data. On that same line, Mr. Moore, when they found, or they should have, what should they have found when Gus failed to provide the patch? I mean, he was saying it was human failure followed by technical failure. What would proper security look like? Well, I think what you would see is a step of sort of identification of the assets you have. If you look at the NIST Cybersecurity Framework, the step is identify. An organization who has their house in order should be able to identify the configuration of all of their systems, what the software configurations are. Then from there be able to react to the announcements of vulnerability disclosures very quickly to apply patches to fix the problem. I think step one is to do a better job of identification. But it carries through to whenever a breach occurs, to be prepared for the response so that you're ready in the event that an adverse event happens. At least additional protocols should be put in place to follow on after human failure with another human check, perhaps? Are there industry standards that have been adopted or best practices that others use that should be instructive here, or not? I would start with the NIST Cybersecurity Framework as a guiding set of principles for how to approach cybersecurity risks within an organization. That's where I would begin. Thank you. My time's expired. Thank you.

I'm sorry I missed your testimony, Ms. Winterton. We have these votes and I got stuck down there in a conversation about Puerto Rico. It's an important thing. It's all right. But this is really important too. I heard your testimony at the end there. Basically what you're saying is no matter how much is invested in security, even if you have, like, two guys behind Gus, there's no guarantee that there isn't going to be some unforeseeable threat to databases as large as Equifax's. And although this was not an unforeseeable threat, this is something they just screwed up. For discussion's sake, how do we rethink this? How do we rethink this industry more broadly? Equifax is not terribly responsive to the people whose information was breached because they aren't, they're the product, not the consumer. What is the incentive we put in place for them to act more responsibly in the circumstance? If you're saying we can't just do Social Security and date of birth, what was the other? Address. Address. Okay. What do you do? I mean, is it time that we just put a chip in every baby that's born? I have a 5-month-old at home, so he might object to that. He's already born. I'm talking about your next child. Fair enough. So I think we start with a better accounting of the harms that take place. I think if you look at the cybersecurity industry at large, we have, there are breaches which occur. But there are limits to what companies have to disclose. Whenever they lose your personal information, they have to say something, because 47 states now have an obligation that's put on these companies. But whenever there's actually identity theft, whenever there are measurable harms that affect other parties, these still can go unreported. And so I think we need a much more transparent and complete accounting of when things go wrong, so that we can identify which actor should internalize the externality and come up with a way to measure progress against events as they unfold. If I can bounce off of that, measuring progress is one thing we have a really hard time with. There's no way to say that system is 85% secure, or even maybe a security step that we've taken, what effect does that have and how does that translate economically. We don't really get the economic cost of breaches. I remember when it was Target and Home Depot that we were talking about, some of the speculation with these big data breaches was that the punitive measures would come through stock price or customer loyalty. But we haven't seen any evidence of that. So I think one of the first things is really doing an understanding of what these breaches mean, what they cost, what do they cost individuals, what do they cost our economy. Only then can we really have a good discussion about what the remunerations would be. Well, I mean, Senator Leahy brought up his piece of legislation. The Consumer Privacy Protection Act. Do I have that right? It's amazing that I remember that. Anyway, I'm a cosponsor, but I can never remember the names of things. Would that be helpful, do you think? I think as I understand it, it's a data breach, a nationwide data breach notification requirement is the heart of it, and I think that is a useful start. I think that we have state-level data breach notification, so this is why we now know so much about breaches of personal information. I think where we can improve efforts like that is by being more specific about the kinds of harms that we want reporting on. So we should consider expanding reported events beyond just a breach of personal information to financial fraud affecting victims, for example. On the other harms that I alluded to. So I think if we, who would know about the financial fraud that happens to somebody?
Well,
