Earlier this week, the United States House Committee on Small Business hosted a hearing titled "Small Business Information Sharing: Combating Foreign Cyber Threats," which discussed H.R. 4668, the Small Business Advanced Cybersecurity Enhancements Act of 2017. Members of Congress and agency officials from the FBI and DHS examined how federal agencies are facilitating greater information sharing with small businesses that find themselves vulnerable to foreign-backed cyber attacks.
Small businesses across the country are finding that they have suddenly emerged as potential targets of both nefarious solo hackers looking to steal personal information or engage in ransomware scenarios, as well as foreign-backed agents bent on stealing proprietary company information, disrupting supply chain logistics and weakening national security.
As small businesses increasingly rely on foreign technology products and services, they face an even greater threat from cyber attacks. Many small business owners are underequipped to protect themselves and face significant hurdles in guarding against foreign state-backed cyber actors. As the hearing stressed throughout, a key component in combating these cybersecurity vulnerabilities is strengthening the federal government’s engagement with the private sector, and Congress believes that H.R. 4668 lays a foundation for strengthening these protections.
“As the committee is well aware, the growing number and sophistication of cyber threats pose a critical risk to U.S. businesses and the impact of a successful attack can be devastating to small business in particular. We continue to see an increase in the scale and scope of reporting on malicious cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by U.S. victims,” said Deputy Assistant Director of the FBI’s Cyber Division Howard Marshall.
In his opening statement to the committee, Richard Driggers, Deputy Assistant Secretary for Cybersecurity and Communications in the National Protection and Programs Directorate at the U.S. Department of Homeland Security, stated that the National Protection and Programs Directorate (NPPD) is responsible for protecting civilian Federal Government networks; sharing information related to cybersecurity risks and incidents and providing technical assistance to federal agencies, as well as state, local, tribal, and territorial (SLTT) governments, international partners and the private sector; and coordinating certain aspects of the federal government’s incident response activities to defend against cyber threats. The mission is to enhance cyber threat information sharing across the globe in order to stop cyber incidents before they start and to help businesses and government agencies protect their networks and quickly recover should an incident occur.
“By bringing together all levels of government, the private sector, international partners, and the public, we are taking action to protect against cybersecurity risks, improve our whole-of-government incident response capabilities, enhance information sharing on best practices and cyber threats, and to strengthen resilience,” said Driggers, who added that there are over 30 million small businesses in the U.S. employing over 47 percent of the nation’s population and comprising over 97 percent of total businesses in North America.
“As small businesses become increasingly reliant on information technology, so do the cybersecurity risks they face. Malicious cyber activity can severely harm small business operations and reduce consumer confidence. The Department of Homeland Security, Department of Justice, Small Business Administration, and other interagency partners play a crucial role in helping small businesses identify and mitigate these risks,” said Driggers.
Before committee chairman Steve Chabot (R-Ohio) opened the floor for questioning by other House committee members, he set the tone for the hearing’s examination of network vulnerabilities by citing 2014 incidents attributed to Chinese camera manufacturers Hikvision and Dahua.
Late in 2014, technology researchers detected three major buffer overflow vulnerabilities in Hikvision DVRs, after having found in April 2014 that those same DVRs contained bitcoin mining malware. That same year, researchers found that Dahua cameras and DVRs contained backdoors. Both companies were quick to address these issues.
Chabot is confident that the legislation his committee oversees will remove the barriers many small business owners face when they encounter a cyber threat, hoping it will encourage these owners to work with the federal government, not fear it.
“As I have mentioned before, many cyber threats towards small businesses come at the hands of bad actors, sometimes foreign governments in an attempt to undermine the country’s national security and economy. In fact, the Department of Homeland Security recently published a public notice exposing a vulnerability in a notable security camera company. Hikvision, one of the top five largest manufacturers of security cameras worldwide, is 42 percent owned by the Chinese government, and in 2017 the Department of Homeland Security learned that many of its cameras were able to be hacked and remotely controlled,” commented Chabot in his Congressional testimony. “While Hikvision has worked with DHS to remedy the flaw, the problem remains that many small businesses that don’t engage with the government or DHS regularly, and that is probably a majority of them, may not even be aware of the security flaw. Had the problem gone unnoticed, many small businesses would not have known they were vulnerable to attack.”
Jeffrey He, president of Hikvision USA Inc. and Hikvision Canada, Inc., although not part of this hearing, reacted to Chabot’s comments by saying: “As a part of our continued commitment to the safety and security of our customers and partners, Hikvision supports and adheres to internationally recognized cybersecurity standards and best practices, integrating cybersecurity systems into the complete life cycle of our products. We readily coordinate and partner with government and law enforcement agencies, as well as industry peers, to prevent cyber threats and quickly combat them whenever and wherever they arise. As noted in the hearing, Hikvision has taken a proactive stance to addressing cybersecurity issues in the past. We will continue to work with DHS and others to ensure such issues and concerns are fully addressed."
Chuck Davis, director of cybersecurity for Hikvision North America added: “To put this in a broader context, finding vulnerabilities is not a reflection of the company’s commitment to security—fixing them is, which is why we worked with DHS throughout the process and issued the firmware update in March 2017—two months before the DHS issued its ICS-CERT. DHS acknowledged that the firmware update that has been readily available on our website since mid-March resolves the vulnerability.”
“The real issue here is cybersecurity hygiene (which we addressed in our public statement): encouraging customers to install security patches and updates, use strong passwords and change them regularly, not use the default port for their cameras, and so forth. Security cameras are no different than other connected devices that are only as safe as the security steps users take,” Davis concluded.
Driggers, when asked about the Hikvision vulnerability, said that once it was detected the DHS Cybersecurity Emergency Response Team deployed an advisory and worked with Hikvision to remedy the problem. Chabot continued his questioning by asking Driggers whether he felt small businesses were still susceptible to security flaws like those experienced with Chinese video products and, if so, what steps his agency is taking to inform businesses of the risk.
Driggers said that DHS posts regular cybersecurity alerts on its website, which is open to the public. “With this particular incident, we did work with the research community and discovered the vulnerability and then worked with the company who put out a software update that mitigated the impact of this particular exploitation. That is standard practice at DHS across many different companies’ devices and software, working to understand what types of vulnerabilities exist and then working with those companies to publish updates to their software so we can close down and mitigate vulnerabilities. Certainly, if there are small businesses that are using devices and not patching those systems or updating the software, they could be exposed to that vulnerability,” warned Driggers.
Congresswoman Nydia Velázquez of Puerto Rico asked Marshall how prepared small businesses are to meet the challenges of possible cyber incursions.
“I would say they are underprepared. Even in the biggest firms, cybersecurity is oftentimes considered a cost center and the general thought process is that is not necessarily consistent with the cost of doing business. So as you go down the pecking order in terms of size, when you get down to the small businesses, they are seldom prepared,” said Marshall.
Driggers agreed, saying that each individual business should take a look at its own risk profile, recognizing that not all businesses need the same security posture.
“These mitigation systems and processes can be extremely costly, so the business needs to assess the level of risk based on sensitive data and proprietary information on their networks and their relationship, if any, with any critical infrastructure partners down the supply chain,” instructed Driggers. “All these factors go into the profile of what type of cyber risk mitigation steps your business should implement.”
When Velázquez asked Marshall how bad the problem is, he responded in no uncertain terms.
“It is bad and getting worse. Based on the number of cases referred to us for investigation or the number of known attacks that have been prevented, the numbers are on the rise; we are talking about a growth of 40 to 50 percent over the last couple of years,” he said.
About the Author:
Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s most trafficked security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 27-year member of ASIS.