Additional Cybersecurity Help for Small Businesses Needed, Senate Commerce Hears
Additional cybersecurity personnel, research and help for small businesses are needed to address cybersecurity challenges, witnesses told Senate Commerce Committee Chairman John Thune, R-S.D., during a full committee field hearing Thursday at Dakota State University in Madison, South Dakota. "Federal agencies need help, especially when it comes to improving their own cybersecurity practices,” Thune said in his opening statement. Techniques used by state-sponsored hackers and criminal groups to attack the federal government are also being used to steal intellectual property from businesses and critical infrastructure, to disrupt and deny access to online services, and to steal identifies and personal information for fraudulent purposes, Thune said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
“The Senate plans to consider legislation, the Cybersecurity Information Sharing Act of 2015,” to address this issue, Thune said. “Another bill that I believe will help address cybersecurity challenges is the Cybersecurity Enhancement Act of 2014, which I co[-]sponsored.” Witnesses were National Science Foundation Secure and Trustworthy Cyberspace Lead Program Director Jeremy Epstein; Dakota State University cybersecurity professor Josh Pauli; Eide Bailly Risk Advisory Services Director Eric Pulse; SDN Communications CEO Mark Shlanta; Dakota State University Cyber Operations and Security Department Chairman Kevin Streff; and National Institute of Standards and Technology Security Outreach and Integration Group Manager Kevin Stine.
“I believe the United States would lose a cyber conflict between nation states if it took place today,” Pauli said in testimony. Concern is not just on data breaches, but military, intelligence and business competitiveness, he said. Part of the concern is a lack of cybersecurity personnel, he said. The U.S. "must continue to invest in long-term, fundamental, and game-changing research if our cyber systems are to remain trustworthy in the future,” Epstein testified.
“Most small and medium-sized business[es] lack the requisite skills and resources to combat these cyber threats,” Streff testified. “Technology advances faster than [small and medium-sized financial institutions’] ability to respond with appropriate mitigating security controls,” Streff said. “Organized cyber-gangs are increasingly preying on small and medium-sized companies in the U.S., setting off a multi-million-dollar online crime wave and grave concerns that critical infrastructure government and business depends upon each day may become compromised.” The Internet wasn't "built for the purpose it carries out today,” and was “not conceived to become the backbone for commerce,” Streff said. The IoT, promise of smart cities and smart cars, and digital currency are changing the way society works, but since “we cannot manage the Internet environment of today,” adding more Internet-connected devices “doesn’t scale well,” he said.
Four areas that Pulse said need “increased attention in order to combat cybersecurity challenges,” in testimony are: a culture of security, the lack of skilled resources, a common framework, threat intelligence and the education, implementation and collaboration thereof. Shlanta encouraged the committee to “maintain your support for a voluntary, flexible, and scalable approach to cybersecurity risk management.”
Thune, the only committee member present, allowed Dakota State University students at the hearing to ask the witnesses questions. The hearing was still in progress at our deadline.