Washington, D.C. -- U.S. Senator Marco Rubio (R-FL), Chairman of the Senate Committee on Small Business and Entrepreneurship, has convened a hearing titled “Cyber Crime: An Existential Threat to Small Business.” Earlier today, he introduced two bills to protect America’s small businesses from the threats that cyber crime pose to America’s small businesses.
The hearing is live streamed on the committee’s website here.
Chairman Rubio’s opening remarks as prepared can be found below:
Rubio: “Today’s hearing of the Senate Committee on Small Business and Entrepreneurship will come to order. I want to thank you all for being here, and say welcome to our witnesses. This hearing will discuss one of the most challenging issues facing small businesses today: cybersecurity.
“It’s hard enough for small businesses to get up and running with changing markets, regulatory hurdles, and the cost of starting a business. But cyber attacks can bring a quick end to all of that hard work.
“Foreign hackers and other cyber criminals are increasingly targeting small businesses to steal IP, trade secrets, and valuable information; or to hold hostage small businesses’ operational and customer data in order to get a ransom payment.
“Small businesses bear the brunt of cyber crime, falling victim to approximately 43 percent of all attacks. While ransomware attacks on individuals have fallen, attacks targeting businesses rose 12 percent in the last year. And these attacks are not rare occurrences. Almost 55 percent of small businesses were victim to phishing attacks in 2017 – up 30 percent from 2015.
“The risk of cyber crime is greater to small businesses, which lack the dedicated IT staff and sophisticated equipment that larger companies have in order to stay safe. Cyber criminals know small businesses are unprepared for attacks, which is why small businesses are twice as likely to be targeted by a phishing attack.
“The consequences of cyber crime are also greater for small businesses, which operate on a smaller profit margin and are not always able to bounce back after a costly cyber attack. The Department of Justice’s Internet Crime Complaint Center recorded more than 300,000 cybersecurity complaints in 2017, which added up to more than $1.4 billion in loss.
“And we know that cyber attacks on small businesses are significantly underreported, because they don’t know who to call, or they don’t want their customers to know that they were compromised.
“Because the risks to small businesses are so high, this week I introduced The Small Business Cyber Training Act with Senator Shaheen to create a cyber strategy training program for the counselors at the small business development centers across the country.
“This bill will prepare SBDC counselors to provide important advice on cybersecurity to entrepreneurs when it matters most: at the beginning of the business life cycle. And perhaps most importantly, counselors can make small businesses more aware of the very real cyber threats that they face.
“In addition to internal controls and protections for their own operations, businesses that want to work with the federal government are required to meet an extra level of cybersecurity protection under NIST contracting requirements.
“It is important for the government to maintain a high level of security with its contractors, but the inability to meet certain cybersecurity criteria can begin to disqualify smaller companies, who cannot afford to build up the cyber capability necessary to service the government.
“In fact, many times small businesses cannot even understand what the government requires of its contractors. We hope that NIST, the SBA, and other government agencies will work together to educate and train small business contractors so that they are equipped to take on business with the government.
“Federal agencies face very real cyber threats, including the SBA. It may be a small government agency, but for many small businesses, the SBA is an important gateway to loans, disaster relief, and business training. That is why it is especially important that the IT systems at the SBA be secure enough to protect the sensitive data that small businesses and lenders entrust to the agency.
“The SBA Office of Inspector General has consistently ranked SBA’s IT as one of the most serious challenges facing the agency. Specifically, the IG has recommended that the SBA continue to improve IT controls to address operational risks, such as cyber attacks.
“The SBA is moving quickly to modernize its systems, but we know that criminals often move even faster. In recent years, we have seen what happens when government agencies let their guard down, as was the case with OPM in 2015 when personnel data of more than 4 million current and former Federal government employees was stolen.
“The risk of cyber attacks for small businesses also compromises data that could harm U.S. national security. Our adversaries are laying the groundwork for cyber espionage by embedding their technology into the systems we depend on to do business – be it small business or government business. Just last week reports emerged showing that the Chinese hacking group APT40 has infiltrated IT systems of at least 27 universities world-wide, like MIT, in an attempt to steal U.S. military information from less secure sources.
“These cyber criminals operate with the full backing of the Chinese Communist Party. And we must take proactive steps to deny the Chinese government and others access to our networks and to the personal information of small businesses.
“This is why I introduced the SBA Cyber Awareness Act this week with Ranking Member Cardin. This bill would require the SBA to develop a cyber strategy and to examine where the components in its IT system are manufactured. This bill would also require the SBA to report to this Committee about the cyber breaches and threats it faces so that we can give the SBA the tools that it needs to defend against future attacks.
“I look forward to talking with our witnesses about ways to protect small business information from cyber criminals, while helping them understand cyber guidelines and requirements that allow them to participate in the market.”