Statement of Chris Jaikaran Analyst in Cybersecurity Policy Before Committee on Banking Housing and Urban Affairs U S Senate Hearing on “Consumer Data Security and the Credit Bureaus” October 17 2017 Congressional Research Service https crsreports congress gov TE10021 Congressional Research Service 1 Introduction Chairman Crapo Ranking Member Brown and Members of the Committee thank you for the opportunity to testify on consumer data security and the credit bureaus My name is Chris Jaikaran and I am an Analyst in Cybersecurity Policy at the Congressional Research Service In this role I research and analyze cybersecurity issues and their policy implications–including issues of data security protection and management My testimony today will include discussion of data security as an element of cybersecurity and risk management analysis and a case study on how data breaches occur a description of cyber incident response and possible options for Congress to address data security and data protection My testimony today is based solely on publicly available information and CRS analysis Cybersecurity and Data Security An increasingly used catch-phrase among industry analysts is that today “all companies are technology companies ” or “all companies are data companies ”1 This concept reflects the role that information technology IT and data play in enabling the modern business practices that allow companies to compete and thrive in the marketplace This reliance on IT and data also creates risk for corporate leadership to manage Adequately controlling that risk is an objective of cybersecurity 2 Data security is an element of cybersecurity At the most basic level cybersecurity is the security of cyberspace which includes not just data but the networks hardware software services and infrastructure that data relies upon It is also important to note that data does not exist by itself but is created manipulated and used by people Consequently cybersecurity is not just the security of data hardware software infrastructure networks and services—but also the human users of cyberspace Computer scientists view data security through three attributes    Confidentiality that the data is only known to authorized parties A data breach is an example of how confidentiality is breached while encryption is a tool used to ensure confidentiality Integrity that the data is known to the authorized parties as intended Data manipulation is an example of how integrity is breached while there are data checking technologies such as blockchain to ensure that one can verify the integrity of data Availability that the data is available to authorized parties when they choose Ransomware attacks availability while backups are a tool that ensures availability of data Nathaniel Fink “Cybersecurity for a New America What’s Next for the Cybersecurity Community ” conference keynote March 20 2017 at https youtu be wfMpUpxNPAg Avi Gesser Gabriel Rosenberg and Matt Kelly “Cybersecurity and Data Management ” webinar Davis Polk Wardwell LLP October 11 2017 2 Risk may be managed by avoiding the risk controlling the risk transferring the risk or accepting the risk DHS Risk Steering Committee “DHS Risk Lexicon ” report September 2010 at https www dhs gov sites default files publications dhs-risklexicon-2010_0 pdf 1 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 2 Related to integrity is the concept of authentication an attribute that one can verify that data is from a trusted source The Internet was built using technologies that assumed the trust of its users but as the Internet has grown into a global network anonymity and the manipulation of data have proliferated 3 As an element of cybersecurity data security involves risk management Absolute security is not obtainable so managing the risks which would impair security is generally considered to be the goal In order to evaluate risk managers need to understand the threats the enterprises may face the vulnerabilities the enterprise has and the consequences of an incident 4 Threats are generally considered to be the gamut of potential human attackers Such attackers include nation-state actors criminals and insiders to the network Depending on the data an entity houses and the services it provides the realm of attackers may change from one day to the next sometimes even driven by events in the news Vulnerabilities exist in software the moment it is shipped to users Adding additional software to a growing enterprise creates complexities that can lead to further potential vulnerabilities Some software vulnerabilities are known the day they are shipped and are catalogued in the Common Vulnerabilities and Exposures database with risk assessments enumerated in the National Vulnerabilities Database 5 Others are discovered later Vulnerabilities that are discovered but not disclosed to the vendor so they may be patched are called 0-days zero or “oh” days However 0-day vulnerabilities do not necessarily create a large risk for enterprises In addition to a vulnerability being present on a system it must be exploited to cause some impact The exploitation of a vulnerability may be so difficult that an entity’s risk of falling victim to that 0-day is low Despite 0-days being a threat most cybersecurity incidents occur through attackers exploiting known vulnerabilities for which the entity has not deployed a patch 6 Consequences may vary based on the business of an entity the data that entity houses and the stakeholder community for the entity Consequences are also multi-dimensional The loss of data may inhibit business practices but may also lead to reputational loss enforcement actions payments to stakeholders or other impacts An entity may be able to better predict consequences through understanding the data in its possession Using a data model or framework can help an entity identify attributes of its data Such attributes include where data is acquired what other data the entity generates from acquired data what types both descriptively and by file type of data is acquired or generated how the entity will use and access data how the data will be shared with other parties where data is stored accessed and transmitted and what policies exist for data retention and data disposal Such a data model is essentially an architecture of the entity’s data similar to the network architecture of their IT systems or the blueprints for their building The National Institute of Standards and Technology NIST Framework for Improving Critical Infrastructure Cybersecurity Framework provides functions activities and categories in a common format to assist entities in thinking through cybersecurity issues and identifying resources to assist in completing activities 7 Some of these activities include asset management data security and detection processes However the Cybersecurity Framework is not the only reference for organizations to consider 3 CRS In Focus IF10559 Cybersecurity An Introduction by Chris Jaikaran Davis Hake “Threat Vulnerability Consequence ” interview with The Cipher Brief December 15 2015 at https www thecipherbrief com threat-vulnerability-consequence 5 https cve mitre org https nvd nist gov 6 Jory Heckman “Hackers Not Yet Pulling Out Big Guns for Data Breaches NSA Official Warns ” Federal News Radio article October 18 2016 at https federalnewsradio com technology 2016 10 hackers-not-yet-pulling-big-guns-data-breaches-nsaofficial-warns 7 NIST “Cybersecurity Framework ” webpage at https www nist gov cyberframework 4 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 3 using or a document which they can only use exclusively The Center for Internet Security the International Standards Organization and ISACA also publish cybersecurity frameworks which an entity may use in conjunction with or in replacement of the NIST Cybersecurity Framework 8 The Anatomy of a Breach The recent breach of Equifax provides a timely case study on how breaches occur 9 While a single command may be executed at a speed fast enough for the computer to process it full attacks are done by humans and as such occur at human speed Breaches can be understood through an attack framework 10 First an attacker examines the target Through this examination the attacker learns about the target system This examination is both online and off Business cards provide the naming convention for user accounts on the system in the form of email addresses while digital tools can provide information on services running on Internet-facing services In the case of Equifax scans of their credit report dispute website may discover that Apache Struts was an available service and that it was running under a vulnerable version 11 Second an attacker exploits a vulnerability This initial exploitation provides the entryway for an attacker into the system or network As stated earlier vulnerabilities themselves do not necessarily create a significant risk scenario for an enterprise but an exploitation of that vulnerability may In some cases a single vulnerability is required to gain access while in others multiple vulnerabilities may be used to create an effective exploit In the case of Equifax a vulnerability in an earlier version of Apache Struts allowed for remote code execution 12 NIST deemed this type of vulnerability as critical and the Apache Foundation patched it and provided an additional work around 13 At the time it was patched it was also added to penetration testing software so that system administrators could test to see if they were still vulnerable to exploitation 14 Third after the initial exploitation attackers entrench into the system By entrenching into a system attackers are discovering more about the network they have penetrated In this phase they gain access to additional systems in that network escalate their privileges so that they have further access and acquire additional credentials In the case of Equifax how attackers entrenched into the system is publicly 8 Cybersecurity frameworks from these organizations can be found at https www cisecurity org controls https www iso org standard 54533 html and http www isaca org cobit pages default aspx ISACA was previously known as the Information Systems Audit and Control Association but now goes by its acronym only 9 Information on the Equifax breach is derived from testimony provided by former CEO Richard Smith before the U S Senate Committee on Banking Housing and Urban Affairs Richard Smith “Prepared Testimony of Richard Smith ” testimony October 4 2017 at https www banking senate gov public _cache files da2d3277-d6f4-493a-ad88c809781f7011 F143CC8431E6CD31C86ADB64041FB31B smith-testimony-10-4-17 pdf 10 The framework presented in this testimony is based on previous analysis by CRS Further case studies are available via CRS Recorded Event WRE00157 Cybersecurity Anatomy of a Breach by Chris Jaikaran 11 Apache Struts is a developer framework which allows for common programming languages such as Java to be used to develop user facing web applications It is open source software maintained by the Apache Software Foundation https struts apache org 12 CVE “CVE-2017-5638 ” data base entry at https cve mitre org cgi-bin cvename cgi name CVE-2017-5638 13 NIST “CVE-201705638 Detail ” webpage March 10 2017 at https nvd nist gov vuln detail CVE-2017-5638 Apache Foundation “S2-045 ” webpage at https struts apache org docs s2-045 html 14 The exploitation of CVE-2017-5638 was added to the Metasploit Framework https github com rapid7 metasploitframework issues 8064 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 4 unknown However many instances of Apache Struts run on web servers with default administrative credentials which may have provided the next step for an attacker to entrench into the system 15 While he was the Chief of the National Security Agency’s Tailored Access Operations unit current White House Cybersecurity Coordinator Rob Joyce said that “you know the things you intend to have in your network we look for the things that are actually in your network ”16 This summarizes the relationship between defenders and attackers Defenders know what they acquired deployed and intend to have on their network while attackers know the vulnerabilities and what else is running on that network Exploiting vulnerabilities and entrenching into systems takes advantage of this asymmetric knowledge Fourth after gaining access attackers can then execute steps to achieve their objectives These objectives could be to compromise the confidentiality of the data by stealing it Confidentiality is not only compromised by theft but also by access This distinction is referred to as exposure versus exfiltration Data is exposed when an unauthorized party may access it on an entity’s network but it is exfiltrated when they take it off that network This relationship is akin to perusing books in a library but only checking out one All the books are exposed to a patron but only the borrowed book is exfiltrated The integrity of data may be compromised by altering the data in a system Alternatively the availability of the data may be compromised by deleting it or otherwise making it unavailable e g through encrypting data in a ransomware attack In the case of Equifax it appears that over 145 million people had their data exposed while some had their dispute documents which contain personally identifiable information and credit card information exfiltrated Finally the attackers would exit on their terms After achieving their objectives the attackers would seek to leave the system so that they may have access again at a later date or to cover evidence of their activities Deleting log files adding connections to network whitelists and creating credentials are examples of activities an attacker would undergo to exit the compromised system on their terms In the case of Equifax it is unknown from publicly available sources what attackers did in this phase By understanding how attacks occur through such a framework system defenders could develop defensein-depth strategies to mitigate breaches Defense-in-depth is an approach which uses layered countermeasures to defend against cybersecurity risks throughout a network 17 Countermeasures could be layered to address each phase of an attack so that defenders are quickly alerted to attacks and can take actions to prevent further damage to their enterprise Cybersecurity Incident Response Cybersecurity incident response describes when system administrators seek to confirm the attack discover information about it and mitigate against it The response as described below is from the breached entity’s perspective and does not discuss government response options Incident response is not limited to the time immediately following an attack however Before an attack response planning training and exercising can occur Response planning helps an organization think though its risks and how it will respond to those risks train its personnel on how to respond to attacks Hector Monsegur “How to Fight Hackers with Former Black-Hat Hacker Hector Monsegur ” podcast October 2 2017 at https lifehacker com how-to-protect-yourself-from-hackers-with-hector-monse-1819075906 16 Rob Joyce “USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers ” conference talk January 28 2016 at https www youtube com watch v bDJb8WOJYdA 17 Industrial Control Systems Cyber Emergency Response Team “Recommended Practice Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies ” report September 2016 at https ics-cert uscert gov sites default files recommended_practices NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C pdf 15 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 5 and practice its response to build confidence in staff and management as to the organization’s capability and capacity to manage incidents For incident response staff is not limited to just IT personnel Response planning should also include among others communications staff that are able to craft messages to both internal and external stakeholders legal teams who can help with reporting and compliance requirements and management and corporate boards who are accountable for the operations of a corporation There will be a delay between the discovery of an attack and public notification of that attack because analysis of what transpired will need to be conducted This analysis will inform the entity of how they were breached and what data or systems were compromised This type of analysis may be conducted by the entity itself a business partner of the entity government response teams and law enforcement With a variety of potential forensic investigators determining how they will coordinate in their response and how they will share information among one another is a factor that can be determined during the planning and training phase With information on how the breach happened and the extent of the breach the entity can proceed to mitigate its affects These two phases need not occur in succession but may be able to occur concurrently Finally the organization can improve their data security and response planning by learning from their efforts and applying insights gained Potential Options for Congress Three options for Congress are presented below to generate discussion They are not recommendations from CRS Given time constraints these options are provided with limited policy discussion and are not exhaustive Authorize a Federal Agency to Examine for Information Security Congress can authorize a federal agency to engage in supervisory examinations of the credit reporting agencies CRAs for compliance with the safeguards rule 18 As an example the Consumer Financial Protection Board CFPB has broad authority to bring enforcement cases against corporations for unfair and deceptive business practices CRS research could not identify an enforcement case or issued guidance where CFPB sought to address information security This may be because CFPB has an express prohibition against issuing rules concerning information security and bringing enforcement actions against an entity concerning information security Instead the authority to issue a standard for the protection of nonpublic personal information and enforce that standard is retained by the Federal Trade Commission FTC 19 The FTC issued the safeguards rule in 2002 pursuant to the authority referenced above and is currently seeking public comment on an update 20 Instead of engaging with CRAs after a cybersecurity incident CFPB has the authority to supervise CRAs prior to an incident occurring 21 Congress could explicitly authorize CFPB to examine CRAs for their adherence to the safeguards rule as promulgated by the FTC The dialogue created by CFPB and a CRA could lead to greater understanding of the cybersecurity risk faced by the CRAs and allow CRAs with deficiencies to correct their data security measures prior to referral to FTC for enforcement action As this 18 16 C F R §314 15 U S C §6801 §6804 §6805 20 16 C F R §314 https www ftc gov enforcement rules rulemaking-regulatory-reform-proceedings safeguards-rule 21 12 U S C §5514 19 CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service 6 is not an activity CFPB currently engages in during an examination a new program may need to be established in the CFPB to recruit the talent to manage such a technical examination 22 Regulate Personal Data Collection and Use Congress could regulate the collection use and retention of data regardless of the type of entity housing that data The European Union has such a regulation known as the General Data Protection Regulation GDPR and Canada is in the process of updating their Personal Information Protection and Electronics Document Act PIPEDA 23 In proactively regulating data Congress can establish data use requirements Some of those requirements may include what data may be collected how data must be stored e g encryption location etc the consumer’s rights to collection and use of data about them and under which circumstances data may be shared with other parties While the United States does not have an overarching law governing data use U S agencies have promulgated guidance on data protection 24 Require Data Transparency Congress could require CRAs or any entity that profits from consumer data to identify and disclose their data model to consumers Disclosure of all elements of the model may not be necessary i e where data is stored However some elements such as where data is acquired how it is used and what other data the entity generates about the consumer may provide consumers with additional information and affect their decisions in the marketplace For example if a consumer knew that a CRA acquired data from a company they have a business relationship with they may choose to limit their interactions with that company or seek out an opt-out opt-in form from that business to limit how their data may be shared Conclusion Thank you for the opportunity to testify today I look forward to your questions If you require further analysis of these options or other policy issues before Congress my colleagues and I at the CRS stand ready to assist you 22 Current CFPB examination procedures may be found online at https www consumerfinance gov policycompliance guidance supervision-examinations 23 http www eugdpr org https www priv gc ca en privacy-topics privacy-laws-in-canada the-personal-informationprotection-and-electronic-documents-act-pipeda 24 FTC “Protecting Personal Information ” guide October 2016 at https www ftc gov system files documents plainlanguage pdf-0136_proteting-personal-information pdf CRS TESTIMONY Prepared for Congress ————————————————————————————————— Congressional Research Service Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material CRS TESTIMONY Prepared for Congress ————————————————————————————————— TE10021 7