OCR of the Document

View the Document >>

House Committee on Small Business, “Small Business Information Sharing: Combating Foreign Cyber Threats.” January 30, 2018. Unclassified.

SMALL BUSINESS INFORMATION SHARING COMBATING FOREIGN CYBER THREATS HEARING BEFORE THE COMMITTEE ON SMALL BUSINESS UNITED STATES HOUSE OF REPRESENTATIVES ONE HUNDRED FIFTEENTH CONGRESS SECOND SESSION HEARING HELD JANUARY 30 2018 Small Business Committee Document Number 115–053 Available via the GPO Website www fdsys gov U S GOVERNMENT PUBLISHING OFFICE SBREP-219A with DISTILLER VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00001 Fmt 5011 2018 Sfmt 5011 F DOCS 28359 TXT DEBBIE Congress #13 WASHINGTON 28–359 HOUSE COMMITTEE ON SMALL BUSINESS STEVE CHABOT Ohio Chairman STEVE KING Iowa BLAINE LUETKEMEYER Missouri DAVE BRAT Virginia AUMUA AMATA COLEMAN RADEWAGEN American Samoa STEVE KNIGHT California TRENT KELLY Mississippi ROD BLUM Iowa JAMES COMER Kentucky JENNIFFER GONZÁLEZ-COLÓN Puerto Rico BRIAN FITZPATRICK Pennsylvania ROGER MARSHALL Kansas RALPH NORMAN South Carolina JOHN CURTIS Utah NYDIA VELÁZQUEZ New York Ranking Member DWIGHT EVANS Pennsylvania STEPHANIE MURPHY Florida AL LAWSON JR Florida YVETTE CLARK New York JUDY CHU California ALMA ADAMS North Carolina ADRIANO ESPAILLAT New York BRAD SCHNEIDER Illinois VACANT KEVIN FITZPATRICK Majority Staff Director JAN OLIVER Majority Deputy Staff Director and Chief Counsel ADAM MINEHARDT Staff Director SBREP-219A with DISTILLER II VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00002 Fmt 5904 Sfmt 5904 F DOCS 28359 TXT DEBBIE CONTENTS OPENING STATEMENTS Page Hon Steve Chabot Hon Nydia Velázquez 1 2 WITNESSES Mr Howard Marshall Deputy Assistant Director Cyber Division Federal Bureau of Investigation Washington DC Mr Richard Driggers Deputy Assistant Secretary Office of Cybersecurity and Communications National Protection and Programs Directorate United States Department of Homeland Security Washington DC 4 6 APPENDIX Prepared Statements Mr Howard Marshall Deputy Assistant Director Cyber Division Federal Bureau of Investigation Washington DC Mr Richard Driggers Deputy Assistant Secretary Office of Cybersecurity and Communications National Protection and Programs Directorate United States Department of Homeland Security Washington DC Questions for the Record None Answers for the Record None Additional Material for the Record None SBREP-219A with DISTILLER III VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00003 Fmt 5904 Sfmt 0486 F DOCS 28359 TXT DEBBIE 21 29 SBREP-219A with DISTILLER VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00004 Fmt 5904 Sfmt 0486 F DOCS 28359 TXT DEBBIE SMALL BUSINESS INFORMATION SHARING COMBATING FOREIGN CYBER THREATS TUESDAY JANUARY 30 2018 HOUSE OF REPRESENTATIVES COMMITTEE ON SMALL BUSINESS Washington DC The Committee met pursuant to call at 11 00 a m in Room 2360 Rayburn House Office Building Hon Steve Chabot chairman of the Committee presiding Present Representatives Chabot Radewagen Kelly Blum Comer Fitzpatrick Marshall Norman Velázquez Evans Lawson Chu Espaillat and Schneider Chairman CHABOT Good morning I call this hearing to order We want to thank everyone for being here Over the past few years this Committee has focused its attention on an issue that is become increasingly important for small businesses cybersecurity In past hearings we have learned that a cyber attack on a small business can have serious consequences not only for the business itself but for its customers and employees and business partners alike We have heard from small business owners and cybersecurity experts and government officials and there is no question that improving cybersecurity for America’s small businesses should continue to be a top priority especially for this Committee In today’s global economy small businesses are increasingly turning to foreign technology to remain competitive in the world marketplace However these same products and services also provide new opportunities for foreign cyber criminals to infiltrate small business information technology systems allowing them to access sensitive and valuable information A recent survey found that 81 percent of small businesses are concerned about a cyber attack but only 63 percent have the most basic cybersecurity measures in place to combat such an attack Cyber attacks pose a higher risk for small businesses since most do not have the means to hire specialized employees or pay the average $32 000 in damages should they be hit with a cyber attack And cyber threats for small businesses are on the rise This Committee has also found that the federal government is stepping up its efforts to both prevent and mitigate cyber attacks by coordinating and distributing cybersecurity resources directly to small businesses There is strong bipartisan support from both chambers of Congress and the President to increase American protection from foreign cyber attacks SBREP-219A with DISTILLER 1 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00005 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 2 SBREP-219A with DISTILLER However small businesses are still hesitant to engage with the federal government This is often due to uncertainty surrounding legal liabilities concerns about privacy and data protection and a number of other factors Still federal information sharing is crucial to ensuring that small businesses have every resource possible to combat cyber threats and the confidence they need to engage with the federal agencies tasked with protecting them That is why the Ranking Member and I recently introduced H R 4668 the Small Business Advanced Cybersecurity Enhancements Act of 2017 to increase the defensive measures available for small businesses undergoing or concerned about a cyber attack and to incentivize additional information sharing between the private sector and the federal government This bipartisan legislation seeks to safeguard small business from cyber attacks in a few simple ways First the bill establishes Small Business Development Centers SBDCs as the primary liaison for federal information sharing for small businesses This bill also ensures that small businesses that engage with SBDCs receive the same protections and exemptions provided by the Cybersecurity Information Sharing Act or CISA Further this bill would ensure that any policies or rulemaking adopted by any federal agency as a result of federal information sharing does not unfairly burden small businesses It would also expand liability protections for small businesses and engage with the federal government in good faith Ultimately this legislation removes the barriers many small business owners face when confronted with a cyber threat encouraging them to work with the federal government not fear it As I mentioned before many cyber threats towards small businesses come at the hands of foreign bad actors sometimes foreign governments in an attempt to undermine the United States’ national security and economy In fact the Department of Homeland Security recently published a public notice exposing a vulnerability in a notable security camera company Hikvision one of the top five largest manufacturers of security cameras worldwide is 42 percent owned by the Chinese government and in 2017 the Department of Homeland Security learned that many of its cameras were able to be hacked and remotely controlled While Hikvision has worked with DHS to remedy the flaw the problem remains that many small businesses that do not engage with the government or DHS regularly and that is probably the majority of them may not be even aware of the security flaw Had the problem gone unnoticed many small businesses would not have known that they were vulnerable to attack So we look forward to hearing from our witnesses here today to learn more about how the federal government is working to address these important problems and further what preventative measures small businesses can use to protect themselves from falling victim to cyber attacks And I would now like to yield to the Ranking Member Ms Velázquez for her opening statement Ms VELÁZQUEZ Thank you Mr Chairman Ever since Russia used cyber attacks to influence the outcome of our 2016 elections cybersecurity has been thrust to the forefront VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00006 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 3 SBREP-219A with DISTILLER of national discussions In today’s world everything from editorial integrity to national security to private sector trade secrets are at risk of cyber exploitation In recent years cybercriminals have increasingly targeted small businesses Forty percent of all cyber attacks are focused on companies with less than 500 employees This may be because only 14 percent of small businesses reported having in place a plan for keeping their company cyber secure Among the most prolific users of cyber attacks are Chinese and Russian companies In particular a Chinese company has been documented to target American small businesses in order to obtain backdoor access to trade secrets and national security information As hackers and other bad actors including foreign agents continue to evolve their cyber attacks strengthening the federal government’s engagement with small firms is crucial The agencies we will hear from today are on the forefront of that fight The FBI which is testifying today has worked with the Small Business Administration to develop InfoGard a collaborative effort to conduct regional workshops to counsel small firms on cybersecurity The Department of Homeland Security which is also represented in our panel has created a new effort requiring private companies pursuing government contracts to be held to the same standards as the awarding agency to strengthen cybersecurity While the goal of this effort is laudable we must ensure that small firms have the resources to meet new cybersecurity requirements To this end I am proud to join the Chairman on H R 4668 the Small Business Advanced Cybersecurity Enhancements Act of 2017 This bill will establish a central small business cybersecurity assistance unit coordinated by SBA and federal agencies including DHS Furthermore the act will create a regional small business cybersecurity assistance unit within each Small Business Development Center or SBDC This will help to bring much needed handson cybersecurity training to small firms across the country Today’s hearing is an opportunity to learn more about the government efforts specifically DHS and the FBI to assist small businesses in the protection of themselves and the government’s national security So let me thank all of our witnesses for testifying today I would like to especially acknowledge the men and women serving in all divisions of the FBI We know that you do extraordinary work under challenging circumstances and that your agency unfortunately sometimes comes under political fire Now more than ever we need skilled impartial professionals serving in the Bureau and so we thank you for the work that you and your colleagues do With that let me thank all witnesses for being here today I look forward to today’s hearing and I yield back the balance of my time Chairman CHABOT Thank you very much The gentlelady yields back Now I would like to explain very briefly relative to our timing and things and I would also say that if Committee members have opening statements they can please submit them for the record And we operate under the 5-minute rule here Basically each of you gets 5 minutes to testify and then we get 5 minutes to ask questions back and forth Republican Democrat VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00007 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 4 There is a lighting system The green light will be on for 4 minutes The yellow light will be on for a minute to let you know it is getting time to wrap up and then the red light will come on and we would hope you could stay within those parameters We will give you a little leeway And I would now like to introduce our distinguished panel here small but very distinguished Our first witness today is Mr Howard Marshall He has served as Deputy Assistant Director of the Cyber Intelligence Outreach and Support Branch at the FBI since August 2016 In this role Mr Marshall works to identify and defeat cyber threats targeting the United States through strategic partnerships and intelligence coordination Mr Marshall began his career with the FBI in 1997 and has held a variety of positions both inside and outside of the Cyber Division And we thank you for being here today And our second witness will be Mr Richard Driggers Mr Driggers serves as the National Protection and Programs Directorate Deputy Assistant Secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security And if that is not the longest title we have had in this Committee ever it is pretty close And he is responsible for developing and implementing operational programs to strengthen the security of the nation’s critical infrastructure Mr Driggers joined DHS in 2003 and most recently was the Principal Deputy Director for Operations for the National Cybersecurity and Communications Integration Center He is also a former United States Air Force combat controller We thank you very much for your service and for being here today both you gentlemen We appreciate it And Mr Marshall you are recognized for 5 minutes STATEMENTS OF HOWARD MARSHALL DEPUTY ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION RICHARD DIGGERS DEPUTY ASSISTANT SECRETARY OFFICE OF CYBERSECURITY AND COMMUNICATIONS NATIONAL PROTECTION AND PROGRAMS DIRECTORATE UNITED STATES DEPARTMENT OF HOMELAND SECURITY STATEMENT OF HOWARD MARSHALL SBREP-219A with DISTILLER Mr MARSHALL Chairman Chabot Ranking Member Velázquez and members of the Committee Chairman CHABOT And if you would not mind just pulling the mic a little closer Mr MARSHALL Sure Chairman CHABOT Make it easier for the folks out there to hear Thank you Mr MARSHALL Thank you for the invitation to provide remarks on the FBI’s role in helping small businesses defend against cyber threats We consider engagement with the private sector to be a significant factor in our mission to identify pursue and defeat nefarious cybercriminals and enemies of the United States As the Committee is well aware the growing number and sophistication of cyber threats poses a critical risk to U S businesses and VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00008 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 5 SBREP-219A with DISTILLER the impact of a successful attack can be devastating to small businesses in particular We continue to see an increase in the scale and scope of reporting on malicious cyber activity that can be measured by the amount of corporate data stolen or deleted personally identifiable information compromised or remediation costs incurred by U S victims Some of the more prevalent arising cyber threats to small businesses from both domestic and foreign cyber actors include business email compromise ransomware the criminal targeting of data including customer data financial data or intellectual property and the growing risk posed by vulnerabilities of IOT devices Internet of Things In light of these and other cyber threats to U S businesses the FBI has made private sector engagement a key component of our strategy for combatting cyber threats Recognizing the ever-changing threat landscape the FBI is enhancing the way it communicates with private industry Traditionally the Bureau has used information developed through its investigations shared by intelligence community partners or provided by other law enforcement agencies to understand the threat posed by nation states and criminal actors However we are now also looking to integrate private industry information into our intelligence cycle to enhance our ability to identify prioritize and respond to both emerging and ongoing threats Private industry has unique insight into their own networks and may have information as to why their company or their sector may be an attractive target for malicious cyber activity Companies may also be able to share intelligence on the types of attempted attacks they experience We believe it is important the FBI integrate this type of data into its own intelligence cycle This type of information sharing enables us to provide more specific actionable and timely information to our industry partners so they can protect their systems in a proactive manner The FBI disseminates information regarding specific threats to the private sector through various reporting mechanisms Public service announcements published by the Internet Crime Complaint Center provide timely and practical information to U S businesses and individuals on the latest threats of scams Private industry notifications PINs offer contextual information about ongoing or emerging cyber threats and FBI liaison alert system reports provide technical indicators gleaned through investigations or intelligence These communication methods facilitate the sharing of information with a broad audience or specific sector and are intended to provide recipients with actionable intelligence to aid in victim notifications threat neutralization and other investigative efforts The FBI also believes it is critical to maintain strong relationships with our private sector partners to allow for successful responses to cyber attacks One example of an effective public-private relationship is the National Cyber Forensic and Training Alliance a nonprofit 501 c 3 corporation focused on identifying mitigating and neutralizing cybercrime threats globally Working hand-inhand with private industry law enforcement and academia the NCFTA’s mission is to provide a neutral trusted environment that enable two-way information sharing collaboration and training VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00009 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 6 The NCFTA works directly with 136 member organizations from the banking retail critical infrastructure healthcare and government sectors Their analysts have real-time access to FBI agents analysts and the actionable intelligence they collect The FBI Cyber Division regularly coordinates initiatives for engagement with private sector partners to prevent threats and ultimately close intel gaps In recent years we have launched public awareness campaigns or open houses to educate businesses on serious cyber threats In 2016 the FBI collaborated with DHS U S Secret Service Department of Health and Human Services and the National Council on Information Sharing and Analysis Centers to host conferences and workshops at FBI and Secret Service field offices across the country to educate businesses on the ransomware threat The FBI and Secret Service jointly hosted these workshops in 14 key cities targeting small medium and large organizations Over 5 700 individuals were briefed during this campaign Similarly in 2017 the FBI collaborated with DHS Secret Service and NCISACs to host workshops across the country on business email compromise The Cyber Division engages directly with businesses in other ways as well We host or participate in briefings conferences workshops and other meetings providing strategic level information to key executives throughout industry These briefings include both classified and unclassified discussions regarding cyber threats Over the past 5 years the FBI Cyber Division has completed nearly 2 800 such engagements not counting the many informal contacts and interactions we have with businesses in our field offices on a regular basis When a small business has been victimized by a cybercrime and reaches out to the FBI for assistance we coordinate with the individual business to determine the best course of action to address the incident The FBI’s approach in working with potential actual victims of cyber intrusions or attacks is to first and foremost and to the best of our ability use our processes to protect the victim from being revictimized We at the FBI appreciate the Committee’s efforts in making cyber threats to small businesses a focus and to committing to improving how we can work together to better defend U S businesses from cyber adversaries We thank you for the opportunity to speak about our cyber outreach efforts We look forward to discussing these issues in greater detail and answering any questions you may have Chairman CHABOT Thank you very much Mr Driggers you are recognized for 5 minutes STATEMENT OF RICHARD DRIGGERS SBREP-219A with DISTILLER Mr DRIGGERS Chairman Chabot Ranking Member Velázquez and members of the Committee thank you for the opportunity to discuss the ongoing efforts to enhance the cybersecurity of America’s small businesses The Department of Homeland Security serves a critical role in safeguarding and securing cyberspace which is a core Homeland Security mission At DHS we assist with protecting civilian federal government networks share information related to cybersecurity risks in an incident and provide technical assistance to federal VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00010 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 7 SBREP-219A with DISTILLER agencies as well as State and local governments international partners and the private sector The Department of Homeland Security the federal Bureau of Investigation the Small Business Administration and other interagency partners play a crucial role in helping small businesses identify and mitigate cybersecurity risks Cyber threats remain one of the most significant strategic risks for the United States threatening the national security economic prosperity and public health and safety Global cyber events or incidents such as the WannaCry ransomware incident last May and the NotPetya malware incident in June are examples of malicious actors leveraging cyberspace to create disruptive effects and cause economic loss We have also seen advanced persistent threat actors target small businesses to leverage their infrastructure and their relationships with larger businesses to gain access to networks of major and high-value assets that operate components of the Nation’s critical infrastructure DHS has confidence that these threat actors are actively pursuing their ultimate long-term campaign goals and DHS and the FBI remain ever-vigilant and active with incident response and have published multiple joint technical alerts to enable network defenders to identify and take action to reduce exposure to malicious activity These incidents remind us that small businesses play a key role in ensuring the security reliability and resilience of the Nation’s critical infrastructure and that small businesses can be easy targets across a complex attack surface This is especially evident when analyzing cyber risk to many of our Nation’s supply chains Critical infrastructure assets can be small businesses themselves or may be dependent on small businesses to provide essential services or materials It is essential that small businesses implement common cybersecurity standards and practices to protect themselves and their customers Small businesses face the same threats as large businesses but do not necessarily have access to the same resources DHS is working with our interagency partners to close this gap for cybersecurity information sharing training as well as resources As the Committee knows DHS and the U S Small Business Administration have partnered to develop a strategy to help smalland medium-size businesses enhance their cybersecurity planning and risk management efforts Small businesses are diverse in size and complexity with varying needs for improving their cybersecurity posture Because of this it is imperative that we work with Small Business Development Centers across the country as well as other information-sharing organizations The federal government offers a suite of services and capabilities that can help small businesses improve their cybersecurity For some it may be simple training on cybersecurity beset practices or the implementation of basic cyber hygiene For others it may be performing complex vulnerability assessments to understand appropriate mitigation steps based on their specific risk profile DHS offers a range of services to meet these needs and continues to pursue new opportunities to provide assistance In developing the small business cybersecurity strategy with the Small Business Administration we have identified over 40 federal programs or initiatives that are helpful in assisting small busi- VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00011 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 8 SBREP-219A with DISTILLER nesses raise awareness of their cybersecurity posture Some programs were created specifically for small businesses while others provide assistance across a broader business community As our Nation continues to evolve and new threats emerge we must not only develop more effective methods to protect our information systems but also find more cost-effective and efficient ways to increase public awareness and access to cybersecurity resources The Cybersecurity Act of 2015 established DHS as the federal government’s central hub for the automated sharing of cyber threat indicators and defensive measures Automated indicator sharing is part of the Department’s efforts to create an ecosystem in which as soon as a company or federal agency observes malicious activity the indicator associated with that activity can be shared in realtime at machine speed with all of our partners that are leveraging DHS’s automated indicator-sharing service This real-time sharing capability can limit the scalability of many attacks and thereby increasing the cost for the adversaries as well as reducing the impact of malicious cyber activity The automated indicator-sharing service is a relatively new capability and we expect the volume of threat indicators shared through this system to substantially increase as technical standards software and hardware supporting the system continues to be refined and more businesses sign up This approach to collective defense helps ensure that small- and medium-size businesses are protected using the best cyber defense available information Thank you for the opportunity to testify and I look forward to your questions Chairman CHABOT Thank you very much And I will now recognize myself to open the questions And Mr Driggers I will start with you And I would like to begin with the Hikvision matter and first of all it is my understanding that the Chinese government owned at least 40 percent of the company and maybe up to 42 is the figure we have been getting Is that correct Mr DRIGGERS Yeah that is what I have been seeing in reporting as well sir Chairman CHABOT Okay thank you And as I mentioned in my opening statement there is a real concern regarding vulnerabilities in some of Hikvision’s security cameras I understand that the weakness made cameras remotely exploitable and I also understand that when DHS became aware of the security exposure there was an advisory notice from DHS’s cyber emergency response team and that Hikvision worked with DHS to fix the problem My question is this is it likely that some small businesses could still be susceptible to this cybersecurity flaw And how is DHS working to inform small businesses that they could be exposed to this risk Mr DRIGGERS So we publish our alerts on the US-CERT website so that is open to the web so anybody can access those With access to this particular flaw we did work with a research community We discovered the vulnerability We worked with the company and they put out a software update that mitigated the impacts of this particular exploitation That is kind of standard practice that we do at the Department of Homeland Security across VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00012 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 9 SBREP-219A with DISTILLER many different companies’ devices and software working to understand what vulnerabilities exist and working with the companies to publish updates to their software so that we can close down and mitigate vulnerabilities Certainly if there are small businesses that are using devices and they are not patching those system or updating the software they could be exposed to the vulnerability if they have not covered down on that particular update Chairman CHABOT Okay thank you Mr Marshall how do you determine whether a cyber attack on a small business warrants FBI intervention Is there a monetary loss threshold or some other indicator to assess an appropriate level of response and or dedication of resources from the FBI Mr MARSHALL There is no hard-and-fast rule Mr Chairman Generally there are a number of variables we will look at It depends on the field office that has jurisdiction over the particular attack It depends on the prosecutorial discretion of the U S Attorney’s Office Certainly we are not going to dedicate resources to something that may not be prosecuted The loss amount is certainly one of those things we would consider and it is a variable in terms of say a $100 000 loss in New York City may not draw our attention or resources it may not get prosecuted but a $100 000 loss in Louisville Kentucky likely will So there are a number of different factors We would also look at the attack vector and if there was any interest we still maintain our counterintelligence authorities and interest We may look at it even though the loss amount is low and maybe it is not going to get prosecuted as a crime but there are a number of different variables that would lead someone to make that determination Chairman CHABOT Okay thank you Mr Driggers let me go back to you Does the Department of Homeland Security or the FBI for that matter leverage the Small Business Development Centers to assist small businesses in identifying and mitigating cybersecurity risks And how effective has that partnership been if you do do that Mr DRIGGERS So we certainly work with many different information-sharing organizations the Small Business Development Centers being one of those Whether or not the Small Business Development Center itself has the technical acumen and the subject matter expertise to actually assist us with the particular support that we are providing a small business that depends but we certainly—I do not want to say 100 percent of the time we work through the Small Business Development Center but if the small business is engaged with a Small Business Development Center and that is the way they want to engage the government we would certainly go that route Chairman CHABOT Okay Thank you And I have time for about one more question so I will go back to you Mr Marshall What steps are being taken by the FBI and also by DHS to guarantee that small businesses’ personal information and IT data is protected Are there any efforts to ensure that their information cannot be used against them in the future by some bad actors Mr MARSHALL Well certainly we would treat any information that we would come across through the course of investigation as VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00013 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 10 SBREP-219A with DISTILLER evidence And so it would absolutely get that protection from us Our first and foremost responsibility when we respond to a scene is to pursue a criminal investigation So we are not interested in collaborating necessarily with any regulatory agency Certainly we do not disseminate it to anyone else not directly involved in the investigation Chairman CHABOT Okay My time is expired but let me just go real quick I assume DHS has policies in place to make sure that their personal information that they have is protected so it is not getting in the wrong hands Is that correct Mr Driggers Mr DRIGGERS That is correct We have a couple different information sharing handling caveats that we use or handling processes that we use We use a traffic light protocol which is an international standard for safeguarding information And we also use our liability coverage protections that we got with the Cybersecurity Information Sharing Act of 2015 Chairman CHABOT Okay I thank both of you My time is expired The Ranking Member is recognized for 5 minutes Ms VELÁZQUEZ Thank you Mr Chairman I would like to address this question to both of you Based on your knowledge of and interaction with small firms what is your opinion of the general state of small business cybersecurity And is the federal government doing enough to help them and your agencies to improve it Mr MARSHALL I would tell you that they are underprepared Even in the biggest firms cybersecurity is oftentimes considered a cost center and the general thought process is that it is not necessarily the cost of doing business So even in your bigger firms cybersecurity is usually not something that is being considered So as you go down the pecking order in terms of size when it comes to business ventures when you get down to small businesses I would tell you they are underprepared Ms VELÁZQUEZ Thank you Yes sir Mr DRIGGERS I would agree with Mr Marshall I would also say that each individual business needs to take a look at their risk profile Not all businesses need the same cybersecurity posture Cybersecurity mitigation and systems can be extremely costly so you know depending on what type of small business you are the type of data you are holding the services whether you belong to a critical supply chain you need to look at all of those factors in determining what types of security cybersecurity mitigation steps you need to put in place Ms VELÁZQUEZ Thank you Mr Marshall information sharing between the government and the private sector is critical to reducing national security breaches and cybercrime against Americans Can you tell us how preventive information sharing is more effective for small firms from solely a cost perspective and how it assists the FBI in its role fighting cyber attacks Mr MARSHALL So to Mr Driggers’ point not everybody has the same set of concerns Not everybody is established or created VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00014 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 11 SBREP-219A with DISTILLER a security posture that is forward leaning enough So the hope is that the information we provide to them whether it is indicators of compromise or a general awareness message about good cyber hygiene the hope is that they can drill down and focus and spend whatever resources they are willing to commit to cybersecurity on those things If we can provide them with IP addresses that they can block at their firewall that is certainly more than what they would have had had we not provided information of that nature We think it is absolutely critical to get the message out as far and wide as possible on the prevention side Certainly the fewer of these we have to investigate the better obviously but the more information we can provide the better And we do tend to try to over communicate Certainly there are things that cannot be released because they are classified either because of the way they were collected or what they are telling us about the adversary but to the degree that we can declassify and push that information out we do and we do it as quickly as possible Ms VELÁZQUEZ So Mr Driggers we have 28 million small businesses in our country and knowledge is power So if they are not aware of the threats in terms of cybersecurity attacks they will not take any preventive measures How can the federal government work in a way that raises awareness especially for those small contractors that are doing business within the federal marketplace Mr DRIGGERS So I think that information sharing really underpins all the services and capabilities that we have at DHS with our cybersecurity programs It is foundational to getting as much information out as we can whether that is highly technical data and providing some context around that or whether it is threat information or things like that getting stuff declassified as much as we possibly can or whether that is sharing machine-to-machine or just putting stuff out on our website or working with the FBI or these other information-sharing organizations such as the ISACs or the ISAOs Small Business Development Centers We also obviously work very closely under the National Infrastructure Protection Partnership model with the Sector Coordinating Councils And so I think it is important to raise the awareness We certainly need to do that We need to use all available resources to do that and to get the information out as much as we possibly can Those organizations or those small businesses that are part of the supply chain we are certainly sharing information with those individuals Awareness is an issue One of the objectives that you will see when we publish the small business strategy is a consolidation of resources and dedicated resources to do this outreach to the small business community to make sure that they understand what programs are available to assist them with their cybersecurity posture Ms VELÁZQUEZ Thank you Mr Chairman Chairman CHABOT The gentlelady’s time is expired The gentleman from Kentucky Mr Comer is recognized for 5 minutes Mr COMER Thank you Mr Chairman My first question for either witness can you all walk me through your agency’s protocol for responding to cyber threat indicators or VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00015 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 12 SBREP-219A with DISTILLER reports of a cyber attack from a small business In other words what information do you need and how do you get the information Mr MARSHALL Sure So we would get the information to our field offices one of two ways Hopefully there is an ongoing established relationship with the victim either they are a member of InfoGard or some other group that has allowed us to create that relationship If not they tend to go through IC3 and report it there and then it is pushed to the appropriate field office We would then have probably the cyber program coordinator in that field office make an assessment of what was written and then make contact depending again depending upon the size of the breach what was reported initially If it is big enough there would be probably coordination at the federal level here in Washington D C but with field offices in 56 different locations that would generically be how it would come to us Then we would make an assessment probably through a phone call with the victim or somebody representing the victim whether or not to send resources and actually start opening investigation and start that process Mr COMER Many small businesses do not have preventive procedures in place to thwart a cyber attack before it happens What do you suggest small businesses do to safeguard themselves against potential threats Mr MARSHALL Well there are a number of things they can do and I would suspect the best thing they could do is elevate the necessity for cybersecurity within their own organizations Hire capable competent people to help protect data Create a culture within the organization that promotes security It has got to be something you do every day It cannot be done after the fact So that would be my advice is they need to be thinking about it on the front end Mr DRIGGERS I think there are some basic things that really all businesses can do And some of these basic things individuals can do at home as well You know the bottom line is that an adversary is going to use the least cost tactic to get into a network and so any time you can raise your security posture by doing simple basic things they are going to bypass you and move on to the next target that may be more available so that they do not have to spend as many resources Certainly backing up critical data is important for small businesses particularly those that are holding a lot of sensitive personal information about their customers’ protecting their mobile devices making sure that there is the ability to track lock as well as wipe any device that could be stolen or lost protecting your organization against malware by making sure that you have a good patching schedule for software updates A lot of companies that produce software and produce devices on a regular basis also produce security updates or software updates to those and so it is important that you take advantage of that and you update your software as well as protecting your data with passwords two-factor authentication changing default passwords on devices These default passwords are available on the web so it is important when you buy a new device that you change the default passwords on those And I think some simple training for your employees about phishing attacks and the fact that those exist That is a very lowtech easy way for adversaries to get into networks So doing that VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00016 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 13 SBREP-219A with DISTILLER training for your employees is pretty low cost and I think there is training available on the web for that Mr COMER Thank you Mr Chairman I yield back Chairman CHABOT The gentleman yields back The gentleman from South Carolina Mr Norman is recognized for 5 minutes Mr NORMAN Thank you Mr Chairman I live in a rural district A lot of small businesses What would you say that the FBI DHS could do to I guess avert the threat that they have And secondly to get people to talk about it A lot of these firms will not talk about it because it is for whatever reason it is embarrassing Either Mr Driggers or Mr Marshall how would you respond to that Mr DRIGGERS Well I think with regard to talking about it I mean that is an issue Talking about it publicly could be an issue for a particular company But what we want them to do is call the FBI or call the Department of Homeland Security the National Cybersecurity and Communications Integration Center so that we can take the steps necessary to help mitigate whatever incident happened so that we can provide assistance to the impacted victim and I think even more importantly learn what happened develop analysis and develop indicators so that we can share that more broadly so that other cyber network defenders can take advantage of the information That said when we do that we anonymize the information We protect the identity of the victim through those information-sharing protocols that I talked about earlier Mr MARSHALL I would further that by saying maybe a better understanding of the fact that when you are a victim we are going to continue to treat you as a victim This is not a ‘‘gotcha game ’’ This is not a hey we are going to run and tell a regulator or a State regulator that you were not properly prepared or defensed against these type of attacks I understand the stigma to a degree because who wants to do business with someone that cannot protect their data And you see that in small firms and you see it in big firms too But what it will take to get over that stigma I am not entirely sure We push the message repeatedly that to Mr Driggers’ point please call us We certainly cannot do anything if we are not aware of it But beyond that pushing the message of better cybersecurity is probably all we can do Mr NORMAN What is your opinion DHS oversees the National Cybersecurity and Communications Integration Center which basically encourages the public and private sectors to swap information Is this reliable Is it worth the money What is your take on that Mr DRIGGERS So it is absolutely reliable and it has allowed us to quite frankly thwart many attacks to the analysis that we have done and the indicator sharing that we have pushed out either through our Automated Indicator Sharing System which is as I said in my opening statement is a machine-to-machine near real-time as well as just publishing technical alerts with the technical information in there so that cyber network defenders can also take advantage of that that are not necessarily leveraging that VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00017 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 14 SBREP-219A with DISTILLER automated system A lot of these technical alerts the analysis is done at the National Cybersecurity and Communications Integration Center but it is representative of whole government So there is a lot of different interagency partners that are there to include the intelligence community as well as the FBI Mr NORMAN I yield back Mr Chairman Chairman CHABOT The gentleman yields back The gentleman from Florida Mr Lawson who is the Ranking Member of the Subcommittee on Health and Technology is recognized for 5 minutes Mr LAWSON Thank you very much Mr Chairman And welcome to the Committee And you all may already be aware of H R 4668 introduced by the chair here Can you describe what challenges exist in the cybersecurity sphere as it relates to small business How this bill may help to alleviate those challenges Mr DRIGGERS I certainly think the focus on small businesses and quite frankly I appreciate the Committee and the Chairman’s focus on small businesses particularly with regard to their cybersecurity I think that putting more focus making sure that we are attentive to the small business community and make sure that they are aware that there are resources that exist in the federal government that can help them and assist them with their cybersecurity activities and posture that there are organizations like the 56 field offices that Mr Marshall talked about as well as the National Cybersecurity Communications Integration Center that those organizations exist to provide assistance to protect your information to protect your identity But the bottom line is we exist to support your efforts That said we also want to work with the various different information-sharing organizations that are existing The private sector has self-organized to create information-sharing and analysis centers information-sharing and analysis organizations the Small Business Development Centers And we want to certainly work with them and through them to make sure that we are raising awareness about the various different programs that the federal government has to offer Mr LAWSON Okay Mr Marshall do you want to comment Mr MARSHALL Anything that promotes cybersecurity would be beneficial I referenced the NCFTA in my opening remarks The original was opened in Pittsburgh Pennsylvania several years ago It was wildly successful It includes some smaller businesses but we are expanding into New York We are expanding into Los Angeles And that model is one that we think is very effective Mr LAWSON Okay When the question was asked earlier about small businesses in rural areas how can these really small businesses—you know I have a lot of rural areas back in my district What incentives can you give to these ‘‘mom-and-pop’’ operations to really share cybersecurity data and what do they get What kind of cybersecurity will they inherit You know they are just a smalltime operation Mr MARSHALL Hopefully what they get and we touched on this a little bit earlier what they get are indicators of compromise and things that they can do quickly cheaply and effectively to try VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00018 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 15 SBREP-219A with DISTILLER to stop some of the potential attacks against them I do not know that they give up much more than their time to participate in things like InfraGard or even the business email compromise open houses or the ransomware open houses What they get is a better understanding of how the threat impacts them A lot of these small businesses do not even know what business email compromise is They probably do not know what phishing is They probably do not know what ransomware is So just the hour that it would take to attend a meeting in an FBI field office or Secret Service field office to better understand the threat and get those things as Mr Driggers referred to those things that will help them focus what they can invest on cybersecurity They can really drill down and make sure that they are doing that very well It will not stop everything but to the point made earlier if it makes you a less attractive target then it is worth its investment in time Mr LAWSON The incentives to you Mr Driggers that you might use is that they will grasp anything that they think is going to be harmful to their business operations so how do you approach them Mr DRIGGERS Well we approach them with the protections that we afford them that we were given the authority for to offer liability protection for information that they share with us And I will tell you that just from a cultural perspective within DHS particularly within the National Cybersecurity and Communications Integration Center that we call the NCCIC protecting the identity of a victim underpins all the services and programs and the Information Sharing Protocols that we have So you can rest assured if you are going to share information with the NCCIC that we are going to protect the identity of you So there is a protection there as well as a liability protection But to Mr Marshall’s point just raising awareness understanding that these types of threats are out there or these types of risk are out there and doing some of the basic very low-cost things that I kind of laid out before with regard to patching your networks training your staff on email or on phishing attacks You know making sure that you have a simple policy in place that you know if there is a network email password that one employee has one password that type of a thing so you do not share passwords Mr LAWSON Okay Thank you Mr Chairman I yield back Chairman CHABOT Thank you The gentleman’s time is expired The gentlelady from American Samoa Mrs Radewagen who is the Chairman of the Subcommittee on Health and Technology is recognized for 5 minutes Mrs RADEWAGEN Talofa and good morning And I want to thank the Chairman for holding this hearing on this important issue As the Chairman of the Health and Technology Subcommittee cybersecurity is something I care about deeply and I want to thank you Mr Marshall and Mr Driggers for testifying before us today Now you gentlemen have already answered my first question and I thank you for that VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00019 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 16 SBREP-219A with DISTILLER My second issue is with foreign cyber threats especially Chinese are out in our neck of the woods The Chinese are making massive inroads with my neighbors in the South Pacific And Mr Marshall what steps is the FBI taking to safeguard against sophisticated state-backed cyber attackers Furthermore and this may be outside of the scope of this hearing is there any technical assistance the United States may be able to provide for my neighbors who do not have the ability to counter these threats Mr MARSHALL I am not quite sure exactly which neighbors you are referring to We get a tremendous amount of assistance from the NSA from the agency We certainly partner regularly with DHS But we have a tremendous amount of technical assistance that helps us identify those threats and assess their intelligence value and then come up with a comprehensive strategy to either mitigate them or monitor them Mrs RADEWAGEN My home district is American Samoa as you may know and so my neighbors are the Independent Nation of Samoa Fiji Tonga and that part of the Pacific Mr MARSHALL We have a very good friend not that far away in Australia and we do a lot of collaborative work with our Five Eye partners of which they are one Mrs RADEWAGEN Thank you very much I yield back the balance of my time Mr Chairman Chairman CHABOT Thank you very much The gentlelady yields back The gentleman from Iowa Mr Blum who is Chairman of the Subcommittee on Agriculture Energy and Trade is recognized for 5 minutes Mr BLUM Thank you Chairman Chabot And thank you to our panelists today for being here First question kind of broad I know but how bad is this problem I am a small businessman I go back to my district and I talk to small business people every week and you know I can say oh you know hey cyber hacking it is a big problem It is a big deal I do not think they really believe me I mean how bad is this problem How can we quantify this Is it getting better Getting worse Mr MARSHALL Well it is definitely getting worse Mr BLUM As evidenced by what Mr MARSHALL It is bad and getting worse The number of cases that are referred for investigation The number of attacks that are thwarted that we know that have been prevented All of these numbers indicate a rise Mr BLUM A rise is a 2 percent rise It has doubled What kind of increase are we talking about Mr MARSHALL So if you wanted to narrow the question just a little bit further to look at something like business email compromise or ransomware we are talking about in the neighborhood of 40 to 50 percent growth year over year I do not have the exact numbers in front of me Now our hope is certainly that we can begin to do things as technology evolves and gives us other investigative opportunities that maybe we can figure out what the private sector had or maybe tamp some of these down Indeed I think that is happening Mr BLUM Is organized crime involved in this at all VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00020 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 17 SBREP-219A with DISTILLER Mr MARSHALL Certainly they are involved in it I would say there are organized criminals around the world that have figured out how to branch into the cyberspace Mr BLUM I guess I do not mean organized criminals I mean organized crime as in the Mafia and drug cartels and organizations like that Mr MARSHALL Yes And you would be surprised at the areas in which they are looking You mentioned drug cartels If you were able to penetrate someone’s air traffic system to determine or identify U S surveillance planes would you be better or worse off Things of that nature Places where you would not normally expect to see Mr BLUM You bring that up I fly 130 times a year so I do care I assume our air traffic control system is unbelievably secure Not that it could not happen but Mr MARSHALL It is but it is not the only technology out there that helps monitor what is in the sky And I use that just as an example Can you monitor activity along the border—this may be a question better for you than for me—through introducing on somebody’s network Yes you probably can Would that be information that a drug cartel would be interested in Sure it would So the answer to your question is yes Mr BLUM I assume some of these operations are relatively sophisticated Mr MARSHALL Yes Mr BLUM And maybe this would be a question for you Mr Driggers Homeland Security Are more of the cyber hackers domestic or are they foreign And are they individuals or are they countries Mr DRIGGERS So I do not have the specific details as to whether they are foreign or domestic or whether they are individuals or they are nation states Certainly we can make the assumption that all of those categories of adversary are working hard every day They are certainly getting more sophisticated and they are getting more persistent and we have seen that over the past at least 3 or 4 years But I also want to preference particularly with the small business it does not take sophistication to exploit a vulnerability in a small business And I think all small businesses need to assume that they have some type of vulnerability that exists within their networks or the devices that they are using And so it is really important that because a lot of small businesses do not have the resources to really put in place very sophisticated cyber defense mechanisms but they do have the resources to do the low-cost things that I talked about and I think that that should be the focus and the awareness that we are talking about We need to make sure that they are doing the basics with regard to cybersecurity hygiene training their staff and that they know who to call if there is a particular issue Mr BLUM I have often heard that warfare of the future will not be about bullets and bombs it will be about bits and bytes So this is a war Are we winning the war or are we losing the war Mr MARSHALL As it pertains to the general public becoming more cybersecurity aware I would say we are losing Again secu- VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00021 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 18 SBREP-219A with DISTILLER rity is one of the last things people consider Whether you are a small businessman or whether you are pulling a laptop out of its box for the first time when you set it up at home these are just not things that we have been trained to think about So in that regard I would say we are probably losing Mr BLUM Mr Driggers are we winning the war or are we losing the war Mr DRIGGERS So I will answer the same way Mr Marshall did I think if we look at the large businesses particularly those that are designated as nationally critical infrastructure and those from a risk profile that the Department of Homeland Security you know on a day-to-day basis interacts with I think that they have certainly raised their game But I think that there is a huge chasm between those individual businesses and the ones that are medium and small size Mr BLUM Thank you gentlemen and I yield back the time I do not have Thank you Chairman CHABOT Okay The gentleman yields back And I just have one final question When we have been discussing malware just for those that may be watching at home or may see the transcript of this or whatever we are essentially talking about your computer your files photographs documents being seized by some criminal element or blackmailer or something that says I have got them now I am not releasing this I am not going to let you have access to your own computer unless you pay me X amount of money within a certain amount of time And I guess that can happen to individuals on their home computer or this is a Small Business Committee so we are obviously most directly trying to help small businesses across the country It can happen to anybody but that is what we are talking about Correct I see you are both nodding If that should happen to a citizen or a small business what should he or she do at that point And either one of you or both of you if you would like to Mr MARSHALL So the Bureau does not have an official position What you are referring to is ransomware The Bureau does not have an official position as to whether or not a victim of ransomware should in fact pay the ransom in order to get their data back We have discussed a couple times that the important thing is to back up your data consistently so when this happens you can just ignore the request for ransom One of the things we would ask victims to consider is the fact that one they are being attacked by a criminal so the promise of returning your data after payment should be considered by the person making the demand The other thing is a lot of the malware variants now are locking data permanently And you can pay a ransom you can pay 100 times the ransom there is no technical way to unlock our data So there is no formal advice Different companies big and small have different types of responses to this but we would ask that people consider the fact that a criminal is the one that is making the demand Chairman CHABOT And I misspoke I meant to say ransomware when I said malware but it is a form of that VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00022 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 19 SBREP-219A with DISTILLER Mr Driggers anything Mr DRIGGERS I would agree with Mr Marshall We do not necessarily have an official position The individual business needs to make their own risk determination as to whether or not what action they take in terms of responses to some type of ransomware attack Chairman CHABOT Thank you very much The gentleman from New York Mr Espaillat is recognized for 5 minutes Mr ESPAILLAT Thank you Chairman Mr Marshall the FBI’s Cyber Division addresses a wide variety of issues including nontraditional forms of cybercrimes What is the most common form of cyber attack your division encounters Is it different from small business complaints that you process on a regular basis Are businesses coming forward as well Mr MARSHALL Sure I would tell you the most frequent attack vector is spear phishing It happens repeatedly over and over and over again and we have talked about the amount of money it costs to have good cybersecurity and cyber hygiene The bottom line is if somebody can send out 10 million emails it just takes one employee not paying attention to click on it to thwart your multimillion investment in cybersecurity I will not go down the laundry list of breaches that we have had in the last year but I think a lot of them have that component in common And I do not have an exact number for you but a vast majority of them are through a spear phish campaign Mr ESPAILLAT Okay And Mr Driggers the Obama administration made efforts to increase cybersecurity by creating a federal privacy panel and creating sanctions to block those that pose a significant threat How are these efforts beneficial to small businesses And what more remains to be done in this particular area Mr DRIGGERS Well Congressman I do not have a lot of details on the panel I can certainly take that back and get the information and respond to you Mr ESPAILLAT And finally I will ask both of you I have had several discussions with experts regarding cybersecurity in general and they have told me that basically if somebody wants to hack you if they are really intent on doing this there is basically very little we can do about it They can penetrate eventually at some point or another Is that the case Are we at the mercy of these hackers And is there anything we can do to prevent it I mean America should not be at the mercy of folks that may have an intent to do something and cannot be stopped Is there anything that we can do to stop this Mr MARSHALL If the question is is there a magic bullet or a silver bullet that will put an end to this the answer is no There are things that you can do an escalating series of things you can do to try to avoid becoming a victim everything from simple awareness and then a ‘‘Do not click this email’’ campaign all the way up to the most sophisticated technical advanced technical protections and defenses that include encryption and routine backups It depends upon what kind of money you are willing to spend but I do not believe that there is a magic bullet that will just make this problem go away VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00023 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 20 SBREP-219A with DISTILLER Mr ESPAILLAT Thank you Mr Chairman I yield my time Chairman CHABOT Thank you The gentleman yields back As the hearing comes to a close we want to again thank our witnesses here this morning for and now right after this afternoon as well for being here and going over one of the topics that this Committee considers to be one of the chief challenges that small businesses face across the country And we appreciate the information that you have given us We also appreciate the chair appreciates working with the Ranking Member on legislation H R 4668 as it moves forward I would ask unanimous consent that members have 5 legislative days to submit statements and supporting materials for the record Without objection so ordered And if there is no further business to come before the Committee we are adjourned Thank you very much Whereupon at 12 04 p m the Committee was adjourned VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00024 Fmt 6633 Sfmt 6633 F DOCS 28359 TXT DEBBIE 21 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00025 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 21 here 28359 001 SBREP-219A with DISTILLER APPENDIX VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00026 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 22 here 28359 002 SBREP-219A with DISTILLER 22 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00027 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 23 here 28359 003 SBREP-219A with DISTILLER 23 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00028 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 24 here 28359 004 SBREP-219A with DISTILLER 24 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00029 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 25 here 28359 005 SBREP-219A with DISTILLER 25 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00030 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 26 here 28359 006 SBREP-219A with DISTILLER 26 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00031 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 27 here 28359 007 SBREP-219A with DISTILLER 27 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00032 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 28 here 28359 008 SBREP-219A with DISTILLER 28 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00033 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 29 here 28359 009 SBREP-219A with DISTILLER 29 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00034 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 30 here 28359 010 SBREP-219A with DISTILLER 30 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00035 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 31 here 28359 011 SBREP-219A with DISTILLER 31 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00036 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 32 here 28359 012 SBREP-219A with DISTILLER 32 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00037 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 33 here 28359 013 SBREP-219A with DISTILLER 33 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00038 Fmt 6602 Sfmt 6602 F DOCS 28359 TXT DEBBIE Insert offset folio 34 here 28359 014 SBREP-219A with DISTILLER 34 35 VerDate Mar 15 2010 13 14 May 16 2018 Jkt 000000 PO 00000 Frm 00039 Fmt 6602 Sfmt 6011 F DOCS 28359 TXT DEBBIE Insert offset folio 35 here 28359 015 SBREP-219A with DISTILLER Æ