WASHINGTON—Increasingly frequent and costly ransomware attacks by hackers stealing proprietary business intelligence, classified military technology, and valuable personal data from small businesses are prompting something increasingly rare in the Senate: a bipartisan search for solutions.
Such attacks are frequently aided and abetted by Chinese elements, according to Sen. Marco Rubio (R-Fla.), who introduced legislation on March 13 intended to give small businesses the tools they need to safeguard themselves against the growing cybersecurity risks of the 21st century.
The legislation includes two separate bills, the first of which is the Small Business Administration (SBA) Cyber Awareness Act, co-sponsored by Sen. Ben Cardin (D-Md.).
The cyber awareness measure directs SBA “to develop a cyber strategy, examine its Information Technology (IT) system components’ country of origin, and report on breaches and threats to the small business committees” in the Senate and House of Representatives.
The second bill introduced by Rubio—the Small Business Cyber Training Act—directs SBA to “create a training program for its small business development centers (SBDCs) to prepare counselors in cyber planning assistance” to help small firms acquire and operate effective anti-hacking systems.
Sen. Jeanne Shaheen (D-N.H.) is co-sponsoring the cyber training bill with Rubio.
Small Business Administration
There are more than 1,000 SBDCs operated by SBA around the country, with locations in all 50 states, the District of Columbia and the various U.S. territories.
Rubio also chaired a March 13 hearing of the Senate’s subcommittee on small business and entrepreneurship entitled “Cyber Crime: An Existential Threat to Small Business” that focused on SBA and the National Institute of Standards and Technology (NIST).
SBA and NIST should be key suppliers of effective anti-hacking resources for small businesses, but too often they are part of the problem instead, Rubio said.
“The Small Business Administration Inspector General (IG) has consistently ranked SBA’s IT as one of the most serious challenges facing the agency,” Rubio told the hearing in his opening statement.
Rubio said the agency is making progress, but “often cyber criminals move even faster.” He cited the 2015 hacking of the U.S. Office of Personnel Management (OPM) that compromised the personal and financial information of millions of current and retired federal workers as “what can happen when an agency lets its guard down.”
National security also can be harmed when federal agencies such as SBA don’t adequately protect data and information entrusted to them by small businesses, millions of which provide critically important research and development products and services to the Department of Defense (DOD) and the Department of Homeland Security (DHS).
“Our adversaries are laying the groundwork for cyber espionage by embedding their technology into systems we depend upon,” Rubio said. “Just last week, reports emerged that the Chinese hacking group APT 40 has infiltrated IT systems of at least 27 universities worldwide, including MIT, in an attempt to steal U.S. military information from less secure sources.”
The Chinese government operates multiple hacking units, such as APT 40, that are devoted to stealing U.S. military secrets, Rubio said.
Small Businesses Vulnerable
Cardin, who is the ranking minority member of Rubio’s subcommittee, estimated that 58 percent of all data breaches are now of small businesses.
“Small businesses, with their narrow margins and lower capital reserves, are unable to maintain trained cyber security personnel or purchase the most up-to-date tools. So, for most small businesses, a data breach is a fatal blow,” Cardin said.
The Rubio-Cardin bill is designed to hasten SBA’s hardening of its own IT security, while the Rubio-Shaheen measure would enhance SBA’s ability to make needed cyber security resources more affordable and available to small businesses.
NIST’s role in combating cyber crime against small businesses centers on the cost of complying with the anti-hacking standards it establishes, costs that one of the hearing’s witnesses described as excessive and burdensome.
Karen Harper, president of the Cambridge, Massachusetts-based Charles River Analytics research and development company with 180 employees, told the subcommittee that a recent survey by the National Small Business Association found that a third of all small businesses have been victims of hacking.
“Only 14 percent of small business rate their ability to mitigate cyber risk and vulnerabilities as effective,” Harper said. Her firm does work for DOD, DHS, and the U.S. Intelligence Community.
Harper said figuring out the basic meaning of provisions of the major NIST requirements document that covers her firm required “approximately 800 person-hours between April and July of 2017,” including “research and discussions with external consultants to interpret the control requirements.”
She also told the hearing that “the NIST document was written in a manner and voice unfamiliar to us, even though we have been working with the DOD and other federal agencies for more than 35 years.
“Finally, we found that many of our customers, from contracting officers to technical sponsors to senior staff at the Pentagon, seemed equally confused and unable to provide helpful clarification and guidance.”
Harper estimated that future compliance costs will add 30 percent to her firm’s non-labor overhead expenses and require adding three additional staff members devoted exclusively to the effort, as well as expensive external consultants.
Harper noted that unlike most small businesses, her firm specializes in IT skills, meaning the barriers for the others are far higher than for Charles River.
That reality hurts morale among entrepreneurs, she said. “When you see a T.J. Maxx and an OPM being compromised, it’s hard to see yourself being protected,” Harper told the hearing.
Charles Romine, director of NIST’s Information Technology Laboratory, told the hearing his agency “actively collaborates” with SBA and other federal bodies that contribute to the NIST Small Business Cybersecurity Corner website.
Maria Roat, SBA’s chief information officer, noted that her agency had eight CIOs in the decade prior to her assuming the office in 2016.
Roat listed multiple improvements she said she had implemented to harden SBA’s IT resources against hackers, including identifying and removing more than 300 websites that were used as bases for phishing attacks on agency employees’ email.
Contact Mark Tapscott at [email protected]