The FBI does not currently have a hard-and-fast threshold or indicators to determine the appropriate response when America’s small businesses face cyber attacks, according to testimony before a House panel on Tuesday.
The House Small Business Committee convened a hearing to probe the federal government’s role in protecting the nation’s 29 million small businesses from cyber attacks, and in responding to attacks when they occur.
The committee heard testimony from Howard Marshall, deputy assistant director of the FBI’s Cyber Division, and Richard Driggers, deputy assistant secretary of the Department of Homeland Security Office of Cybersecurity and Communications, National Protection and Programs Directorate.
“In today’s global economy, small business are increasingly turning to foreign technology to remain competitive in the world marketplace,” U.S. Rep. Steve Chabot (R-OH), chairman of the committee, said. “However, these same products and services also provide new opportunities for foreign cyber criminals to infiltrate small business information technology systems, allowing them access to sensitive and valuable information.”
During the hearing, Chabot asked Marshall how the FBI determines an appropriate response to cyber attacks against small businesses. Marshall responded that “there is no hard and fast rule.”
“Generally, there are a number of variables we’ll look at,” Marshall continued. “It depends on the field office that has jurisdiction over the particular attack. We continue to see an increase in the scale and scope of reporting on malicious cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by U.S. victims. In light of these and other cyber threats to U.S. businesses, the FBI has made private sector engagement a key component of our strategy for combating cyber threats.”
Driggers confirmed that the government, federal contractors, subcontractors, and suppliers are under “constant attack.”
“In some cases, advanced threat actors target small businesses deep in the government’s supply chain to gain a foothold and then pivot to sensitive information and intellectual property,” Driggers said. “Over the last several years, many federal contractors have significantly improved their cybersecurity posture, making it more difficult for threat actors to launch successful attacks on their enterprises. However, this has caused increased targeting of small businesses connected to the federal supply chain that may not have the resources or awareness to adequately address such threats.”
Chabot said he would schedule additional hearings to probe how companies owned by foreign governments could be using their products to engage in malicious online activity.