[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]





 
                    CYBER CRIMINALS AND FRAUDSTERS:

                     HOW BAD ACTORS ARE EXPLOITING

                      THE FINANCIAL SYSTEM DURING

                         THE COVID-19 PANDEMIC

=======================================================================

                            VIRTUAL HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON NATIONAL SECURITY,
                     INTERNATIONAL DEVELOPMENT AND
                            MONETARY POLICY

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 16, 2020

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 116-96
                           
                           
                           
                           


             U.S. GOVERNMENT PUBLISHING OFFICE 
42-896 PDF           WASHINGTON : 2021 


                           

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                 MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York         PATRICK McHENRY, North Carolina, 
NYDIA M. VELAZQUEZ, New York             Ranking Member
BRAD SHERMAN, California             ANN WAGNER, Missouri
GREGORY W. MEEKS, New York           FRANK D. LUCAS, Oklahoma
WM. LACY CLAY, Missouri              BILL POSEY, Florida
DAVID SCOTT, Georgia                 BLAINE LUETKEMEYER, Missouri
AL GREEN, Texas                      BILL HUIZENGA, Michigan
EMANUEL CLEAVER, Missouri            STEVE STIVERS, Ohio
ED PERLMUTTER, Colorado              ANDY BARR, Kentucky
JIM A. HIMES, Connecticut            SCOTT TIPTON, Colorado
BILL FOSTER, Illinois                ROGER WILLIAMS, Texas
JOYCE BEATTY, Ohio                   FRENCH HILL, Arkansas
DENNY HECK, Washington               TOM EMMER, Minnesota
JUAN VARGAS, California              LEE M. ZELDIN, New York
JOSH GOTTHEIMER, New Jersey          BARRY LOUDERMILK, Georgia
VICENTE GONZALEZ, Texas              ALEXANDER X. MOONEY, West Virginia
AL LAWSON, Florida                   WARREN DAVIDSON, Ohio
MICHAEL SAN NICOLAS, Guam            TED BUDD, North Carolina
RASHIDA TLAIB, Michigan              DAVID KUSTOFF, Tennessee
KATIE PORTER, California             TREY HOLLINGSWORTH, Indiana
CINDY AXNE, Iowa                     ANTHONY GONZALEZ, Ohio
SEAN CASTEN, Illinois                JOHN ROSE, Tennessee
AYANNA PRESSLEY, Massachusetts       BRYAN STEIL, Wisconsin
BEN McADAMS, Utah                    LANCE GOODEN, Texas
ALEXANDRIA OCASIO-CORTEZ, New York   DENVER RIGGLEMAN, Virginia
JENNIFER WEXTON, Virginia            WILLIAM TIMMONS, South Carolina
STEPHEN F. LYNCH, Massachusetts      VAN TAYLOR, Texas
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

                   Charla Ouertatani, Staff Director
           Subcommittee on National Security, International 
                    Development and Monetary Policy

                  EMANUEL CLEAVER, Missouri, Chairman

ED PERLMUTTER, Colorado              FRENCH HILL, Arkansas, Ranking 
JIM A. HIMES, Connecticut                Member
DENNY HECK, Washington               FRANK D. LUCAS, Oklahoma
BRAD SHERMAN, California             ROGER WILLIAMS, Texas
JUAN VARGAS, California              TOM EMMER, Minnesota
JOSH GOTTHEIMER, New Jersey          ANTHONY GONZALEZ, Ohio
MICHAEL SAN NICOLAS, Guam            JOHN ROSE, Tennessee
BEN McADAMS, Utah                    DENVER RIGGLEMAN, Virginia, Vice 
JENNIFER WEXTON, Virginia                Ranking Member
STEPHEN F. LYNCH, Massachusetts      WILLIAM TIMMONS, South Carolina
TULSI GABBARD, Hawaii                VAN TAYLOR, Texas
JESUS ``CHUY'' GARCIA, Illinois

                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    June 16, 2020................................................     1
Appendix:
    June 16, 2020................................................    35

                               WITNESSES
                         Tuesday, June 16, 2020

Coleman, Kelvin, Executive Director, National Cyber Security 
  Alliance.......................................................     9
Jaffer, Jamil N., Founder and Executive Director, National 
  Security Institute, and Assistant Professor of Law and 
  Director, National Security Law & Policy Program, Antonin 
  Scalia Law School, George Mason University.....................    10
Kellermann, Tom, Head, Cybersecurity Strategy, VMware, Inc.......     5
Senn, Amanda, Chief Deputy Director, Alabama Securities 
  Commission, and Chair, Cybersecurity Committee, North American 
  Securities Administrators Association (NASAA), on behalf of 
  NASAA..........................................................     7

                                APPENDIX

Prepared statements:
    Coleman, Kelvin..............................................    36
    Jaffer, Jamil N..............................................    41
    Kellermann, Tom..............................................    53
    Senn, Amanda.................................................    57

              Additional Material Submitted for the Record

Cleaver, Hon. Emanuel:
    Written statement of Americans for Financial Reform..........    68
    Written statement of NAFCU...................................    69
    Written statement of Third Way...............................    71
Gottheimer, Hon. Josh:
    Letters of support from various organizations for the Senior 
      Investor Pandemic and Fraud Protection Act.................   116
Hill, Hon. French:
    Written statement of the American Securities Association.....   134
    Written statement of the Consumer First Coalition............   140
Jaffer, Jamil:
    Written responses to questions for the record from 
      Representative Hill........................................   142
Kellermann, Tom:
    Written responses to questions for the record from 
      Representatives Perlmutter and Hill........................   145


                    CYBER CRIMINALS AND FRAUDSTERS:

                    HOW BAD ACTORS ARE EXPLOITING

                      THE FINANCIAL SYSTEM DURING

                         THE COVID-19 PANDEMIC

                              ----------                              


                         Tuesday, June 16, 2020

             U.S. House of Representatives,
                 Subcommittee on National Security,
                          International Development
                               and Monetary Policy,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 12:01 p.m., 
via Webex, Hon. Emanuel Cleaver [chairman of the subcommittee] 
presiding.
    Members present: Representatives Cleaver, Perlmutter, 
Himes, Heck, Sherman, Vargas, Gottheimer, Wexton, Lynch, Garcia 
of Illinois; Hill, Lucas, Williams, Emmer, Gonzalez of Ohio, 
Rose, Timmons, and Taylor.
    Ex officio present: Representative Waters.
    Chairman Cleaver. The Subcommittee on National Security, 
International Development and Monetary Policy will come to 
order.
    Without objection, the Chair is authorized to declare a 
recess of the subcommittee at any time.
    Also, without objection, members of the full Financial 
Services Committee who are not members of this subcommittee are 
authorized to participate in today's hearing.
    Members are reminded to keep their video function on at all 
times, even when they are not being recognized by the Chair. 
Members are also reminded that they are responsible for muting 
and unmuting themselves, and to mute themselves after they have 
finished speaking.
    Consistent with the regulations accompanying H. Res. 965, 
staff will only mute Members and witnesses as appropriate when 
not recognized to avoid inadvertent background noise. Members 
are reminded that all House rules relating to order and decorum 
apply to this remote hearing.
    Today's hearing is entitled, ``Cyber Criminals and 
Fraudsters: How Bad Actors Are Exploiting the Financial System 
During the COVID-19 Pandemic.''
    I now recognize myself for 4 minutes for an opening 
statement.
    Let me, first of all, thank Lisa and the rest of the 
committee staff who have worked so hard to make this and all of 
our committee hearings possible.
    As the pandemic continues to move through our communities 
and our country, and to devastate the physical health of our 
citizens, it has managed to also infect the economic health of 
our nation.
    Congress, through a bipartisan effort, passed the CARES 
Act, which unlocked unprecedented relief to families and small 
businesses, relief that, according to the Federal Reserve, may 
not be enough to prevent a long and protracted economic 
downturn. Nevertheless, significant investments were made to 
rescue millions of working citizens.
    In this time of suffering and hardship for so many, we are 
seeing criminal actors here at home and around the world 
redoubling their efforts to target families, financial 
institutions, and even arteries of government.
    Poverty and exploitation are indivisible evils. They have 
been long-time sidekicks. Just last month, the FBI unsealed a 
criminal indictment of what looks to be the first case of 
COVID-19-related money laundering and fraud brought by the 
Department of Justice. The criminal charge relates to a 
healthcare provider claiming to offer free COVID tests, but 
billions of Medicare dollars are being wasted.
    According to the Federal Trade Commission, there are nearly 
1,000 reports of COVID-19-related fraud totaling over $0.5 
million in my home State of Missouri. This is a fraction of the 
nearly 100,000 fraud reports nationwide totaling $60 million 
reported by the Commission. I would like to highlight that 
these reports do not even fully capture the full landscape of 
COVID-19-related fraud.
    The FBI's Criminal Investigative Division notes that there 
has been potentially $126 million in Paycheck Protection 
Program (PPP) fraud. We are seeing a 75-percent spike in daily 
cybercrimes reported by the FBI since the start of the 
pandemic. The Financial Crimes Enforcement Network (FinCEN) is 
doing what it can by putting out advisories warning consumers 
and financial institutions of the proliferation of criminal 
schemes.
    Last month, FinCEN released warnings of COVID-related 
medical schemes in what would be the first of several 
advisories that FinCEN intends to issue concerning financial 
crimes relating to the COVID-19 pandemic. However, it is 
abundantly clear that our financial security systems are being 
taxed right now.
    The FBI, in their testimony before the Senate Judiciary 
Committee last week, noted that the sheer volume of complaints 
that the Internet Crime Complaint Center is receiving is 
presenting a challenge for the FBI's criminal program. In 
response, the FBI started a PPP Fraud Working Group with the 
Department of Justice and the Small Business Administration's 
Inspector General to triage the overwhelming caseload.
    The thieves and fraudsters that are targeting consumers are 
not just at home, but they are indeed everywhere. International 
law enforcement coordinating agencies, Interpol and Europol, 
have highlighted their efforts to target cross-border 
criminals.
    There is some positive news. We have done something to help 
address this as a committee and as a Chamber. Last year, we 
unanimously passed through the House the COUNTER Act. The bill 
closed a number of loopholes that have allowed financial crimes 
to be committed, and pulls us into the 21st Century by 
positioning the U.S. to face tomorrow's challenges.
    I look forward to hearing from all of you on these 
important issues.
    The Chair now recognizes the ranking member of the 
subcommittee, the gentleman from Arkansas, Mr. Hill, for 4 
minutes for an opening statement.
    Mr. Hill. I thank the chairman. I appreciate you convening 
this virtual hearing. And I appreciate the witnesses being with 
us today to share their expertise.
    Mr. Chairman, I have a letter from the American Securities 
Association that I would like to enter into the record. Thank 
you very much.
    Chairman Cleaver. Without objection, it is so ordered.
    Mr. Hill. Thank you. I appreciate our ability to innovate. 
My thanks, too, to the staff for providing this foundation for 
our virtual hearings.
    We had a roundtable a few days ago on this topic, and I 
thank the chairman for holding this formal hearing and 
returning to this topic. It is an important dialogue as it 
relates to our constituents: national security. And featuring 
it in a hearing means that our discussion will be cataloged in 
our official records.
    As we continue our essential work, I do hope that in the 
coming months, we are able to hold bipartisan hearings on the 
following topics that I think are important before our 
committee.
    First of all, the Committee on Foreign Investment in the 
United States (CFIUS). We are required annually to conduct 
oversight on CFIUS, and we made significant reforms in the last 
Congress, and I hope we can have a hearing on that.
    Also, monetary policy. We will be having Federal Reserve 
Chair Jay Powell before the Full Committee this week, but I 
think it is important for us to look at monetary policy in the 
face of the unprecedented actions taken by the Fed to expand 
its balance sheet.
    And finally, the international financial institutions and 
how they are responding to COVID-19 across the world, 
particularly in our emerging markets.
    I thank the chairman for the opportunity to work on these 
issues for future hearings.
    Cybersecurity and the need for strong cyber protocols has 
long been a topic of discussion in this committee, and the 
virus has only underscored the need and showcased the 
vulnerabilities that we have in certain aspects of our 
financial ecosystem.
    According to the FBI Internet Crime Complaint Center (IC3), 
the number of cybersecurity complaints to the IC3 in the last 4 
months has spiked from typically 1,000 daily before the 
pandemic to as many as 4,000 incidents a day.
    Furthermore, a survey conducted last month by VMware Carbon 
Black, one of our witnesses today, found that 80 percent of 
surveyed banks reported year-on-year increases in cyber attacks 
within the financial services sector. This year, those attacks 
have surged 238 percent from February to April.
    As many businesses and financial institutions are adapting 
to the new teleworking policies and the challenges that come 
from working remotely, it is imperative that they have the 
right infrastructure in place to handle new security protocols 
and sensitivities.
    Just last week, the FBI announced that bad actors are 
seeking to exploit customers through mobile banking, and 
recommended that consumers take proper precautions.
    These attacks can take various shapes and infiltrate in a 
variety of ways, even here in Arkansas. I noted in the 
roundtable a few weeks ago that we had a PPP program that was a 
fraud attempt. Fortunately, that person has been arrested and 
charged with bank fraud.
    I look forward to hearing from our witnesses today on how 
we can best combat these accounts.
    Before I close, I would like to quickly touch on China and 
the threat to cybersecurity. The U.S. has been the target of 
cyber attacks from nation-states and nonstate actors for over 
20 years. But in the months of outbreak in the virus in the 
United States, cyber espionage from China, Russia, and Iran has 
spiked. Cyber threat actors are taking advantage of this crisis 
to attempt to undermine the U.S. Government and probe our 
systems in the private sector and public sector for weakness, 
and to stoke fear and division and confusion here at home.
    According to the FBI, China has been observed attempting to 
identify and illicitly obtain valuable intellectual property 
(IP), and public health data related to vaccine treatments and 
testing from our networks throughout our country. We cannot 
allow the actions of a few bad actors and foreign threats to 
inhibit our financial institutions.
    I thank the Chair. I yield back, and I look forward to the 
discussion today.
    Chairman Cleaver. Today, we welcome the testimony of, 
first, Mr. Tom Kellermann. Mr. Kellermann currently serves as 
the chief cybersecurity officer for VMware Carbon Black. Prior 
to this, he was the CEO and founder of Strategic Cyber 
Ventures, and served as the Commissioner on President Barack 
Obama's Commission on Cybersecurity.
    In 2003, he coauthored the book, ``Electronic Safety and 
Soundness: Securing Finance in a New Age.'' And in 2017, he was 
appointed as the Wilson Center's Global Fellow for Cyber 
Policy. Thank you for appearing before this subcommittee.
    Second, we have Mr. Kelvin Coleman. Mr. Coleman currently 
serves as executive director of the National Cyber Security 
Alliance, an organization focused on cybersecurity awareness 
for home users, businesses, and educational institutions. Mr. 
Coleman comes to this position with 20 years of experience. He 
served in the White House, having worked on President Bush's 
and President Obama's National Security Telecommunications 
Advisory Committee and National Security Staff, the U.S. 
Department of Homeland Security, as well as the private sector. 
Thank you for appearing before this subcommittee.
    Third, we have Ms. Amanda Senn. Ms. Senn is testifying on 
behalf of the North American Securities Administrators 
Association (NASAA), where she chairs their Cybersecurity 
Committee. NASAA represents State and provincial security 
regulators in the United States, Canada, and Mexico. NASAA 
members are the closest regulators to local communities, small 
businesses, and the investing public throughout North America. 
Ms. Senn is also the chief deputy director of the Alabama 
Securities Commission, the State securities regulator. Thank 
you for appearing before this subcommittee.
    And fourth, Mr. Jamil Jaffer currently serves as the 
founder and executive director of the National Security 
Institute. He is also assistant professor of law and the 
director of the National Security Law and Policy Program at the 
Antonin Scalia Law School at George Mason University. 
Additionally, he is vice president of IronNet Cybersecurity, a 
startup technology firm. Prior to these positions, he served as 
Senior Counsel on the House Permanent Select Committee on 
Intelligence under Chairman Mike Rogers, as well as Assistant 
Counsel to the President in the Bush Administration. Thank you 
for appearing before the subcommittee.
    Witnesses are reminded that your oral testimony will be 
limited to 5 minutes. A chime will go off at the end of your 
time, and I ask that you respect the members' and the other 
witnesses' time by wrapping up your oral testimony.
    And without objection, your written statements will be made 
a part of the record.
    Mr. Kellermann, you are now recognized for 5 minutes to 
give an oral presentation of your testimony.

  STATEMENT OF TOM KELLERMANN, HEAD, CYBERSECURITY STRATEGY, 
                          VMWARE, INC.

    Mr. Kellermann. Thank you.
    Chairman Cleaver, Ranking Member Hill, members of the 
subcommittee, I am Tom Kellermann, head of cybersecurity 
strategy for VMware, Inc. Thank you for the opportunity to 
testify again before the subcommittee today.
    America is grappling with a cyber insurgency, and our 
financial sector is the number one target. A recent report 
issued by the World Economic Forum states that the dark web 
economy of scale will be the third-largest economy in the world 
by 2021.
    During the first 5 months of 2020 alone, cyber attacks 
against the financial sector have increased by 238 percent. 
This is compounded by the 900-percent increase in ransomware 
attacks. Cyber criminals are capitalizing on COVID-19, and they 
are doing so in tandem with the news cycle.
    Over the past 6 months, cyber defenders have seen a high 
level of coordination from cyber criminals who are 
demonstrating significant innovation to maintain persistent and 
even counter-incident response efforts. This includes 
ransomware campaigns, business email compromise scams, and 
access mining.
    Criminals are increasingly sharing resources and 
information and reinvesting their illicit profits into the 
development of new and even more destructive capabilities. The 
cybercrime community has educated themselves as to the 
interdependencies that exist in the financial sector, and they 
have begun to commandeer these very interdependencies to 
manifest criminal conspiracies.
    Thirty-three percent of surveyed financial institutions 
said that they have encountered ``island hopping.'' This is an 
attack where the supply chains and partners are commandeered to 
target the primary financial institution. Once that bank is 
compromised, the criminals use the digital infrastructure to 
attack that bank's customers. It is also notable that a few 
rogue nation-states are offsetting economic sanctions via 
attacks on our payment systems.
    The international financial system is constantly facing new 
threats as technology proliferates and diversifies. There is an 
increasing number of security breaches and thefts on digital 
currency exchange platforms, as well as the misuse of these 
platforms by cybercriminals to launder stolen money. Dark web 
forums enabled by anonymous virtual currencies have created a 
bazaar for criminals and organized crime to reach a global 
market.
    In addition to organized crime, extremist organizations are 
also known to use alternative payment systems for operational 
purposes and to raise funds. Many of these payment systems and 
cryptocurrencies offer true or relative anonymity. This raises 
the necessity of increased regulation of digital money.
    In 2020, cybercrime conspiracies will become increasingly 
punitive and destructive. In fact, one out of four cyber 
attacks today are destructive.
    Fintech firms themselves present significant operational 
risks, lacking the proper incentive for proper intrusion 
detection as well as ``know thy customer'' anti-money-
laundering protocols under the Bank Secrecy Act.
    Given that 50 percent of all crimes now have a cyber 
component, it is high time that we follow the money to create 
an international e-forfeiture fund.
    The modern epidemic of cybercrime and cyber espionage can 
be mitigated through modernization of existing authorities to 
combat cyber money laundering. Virtual currencies and other 
alternative payment systems that facilitate money laundering 
associated with existing cybercrimes, as well as terrorist 
financing, must be held to account.
    In closing, the safety and soundness of the financial 
sector is dependent on proactive policy. I would like to 
highlight six opportunities for legislative actions for the 
subcommittee's consideration.
    First, any money laundering and forfeiture regulations must 
be modernized to seize the virtual currencies and digital 
payments which are used in cybercrime conspiracies.
    Second, I ask the House to pressure the Senate to pass the 
COUNTER Act, H.R. 2514, that passed out of the House under 
Chairman Cleaver's leadership.
    Third, charge the Financial Stability Oversight Council 
(FSOC) with the responsibility to create a framework for 
regulating cryptocurrencies and developing guidelines for 
strong protections against money laundering and cyber threats 
to those marketplaces.
    Fourth, elevate chief information security officers to 
directly report to the CEOs of financial institutions.
    Fifth, establish a tax credit for financial sector 
companies to dedicate at least 10 percent of their IT budgets 
towards cybersecurity.
    And lastly, support the House passage of S.3636, the United 
States Secret Service Mission Improvement and Realignment Act 
of 2020, which moves the Secret Service back to its original 
home at the Department of the Treasury.
    Chairman Cleaver, Ranking Member Hill, thank you for the 
opportunity to participate in this morning's important hearing. 
I am happy to answer any questions the subcommittee may have.
    [The prepared statement of Mr. Kellermann can be found on 
page 53 of the appendix.]
    Chairman Cleaver. Thank you, Mr. Kellermann.
    Ms. Senn, you are now recognized for 5 minutes to give an 
oral presentation of your testimony.

   STATEMENT OF AMANDA SENN, CHIEF DEPUTY DIRECTOR, ALABAMA 
  SECURITIES COMMISSION, AND CHAIR, CYBERSECURITY COMMITTEE, 
 NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION (NASAA), 
                       ON BEHALF OF NASAA

    Ms. Senn. Good morning, Chairman Cleaver, Ranking Member 
Hill, and members of the subcommittee. My name is Amanda Senn, 
and I am chief deputy director of the Alabama Securities 
Commission, and Chair of the Cybersecurity Committee for the 
North American Securities Administrators Association, or NASAA. 
I am pleased to testify today before the subcommittee on behalf 
of NASAA.
    States are leaders in prosecuting securities violations, 
and our focus is on protecting retail investors. History has 
shown that opportunistic fraudsters will use COVID-19, much as 
they have in other crises, to fleece mom-and-pop investors.
    Acting within the framework of NASAA, State securities 
regulators have formed a task force to root out and shut down 
fraud related to COVID-19. This initiative is being led by 
NASAA's Enforcement Committee and includes more than 100 
investigators from the vast majority of our member 
jurisdictions.
    The objective of this task force is to disrupt, discourage, 
and deter fraudulent or illegal activities which pose threats 
to investors before significant losses can occur. This task 
force is proactively protecting investors against fraud through 
the broad dissemination of enforcement orders, notices, and 
warnings.
    As the subcommittee is aware, the proliferation of 
technology has changed how we solicit, manage, and communicate 
with those handling our investments. For that reason, this task 
force is using online investigative techniques to identify 
websites and social media posts that may be offering or 
promoting investment fraud or unregistered regulated 
activities.
    Unfortunately, though, fraudsters are evolving with 
technology. For example, earlier this month, my office received 
three separate reports pursuant to Alabama's financial 
exploitation reporting law, which indicated individuals had 
become victims of an online fraud scheme.
    These victims had visited the web page of a very reputable 
broker, and they discovered they were unable to log in. Upon 
their attempts, they received a screen with a help button. The 
individuals were instructed to call a 1-800 number, and the 
person who answered the phone told the victims that the 
broker's website was down because 5G towers were being placed 
in California.
    That person then instructed the callers to log into their 
accounts with information that was provided by the suspect. The 
victims logged in as instructed, and shortly thereafter, wire 
transfers were initiated from their account to overseas banking 
accounts.
    During an interview with the firm last Friday, our case 
agent learned that $1.2 million had already been stolen from 
the accounts of investors. It is believed that malware was 
responsible for redirecting the victims from the legitimate web 
page to the fraudulent knockoff site.
    To date, at least 84 victims nationwide have been impacted, 
and the numbers continue to rise. At one time, this crime would 
have likely been perpetrated by a person that local authorities 
could readily identify through the use of subpoenas and search 
warrants. In the digital age, however, regulators are 
confronted with numerous evidentiary challenges which, given 
limited resources, make it difficult to investigate and 
prosecute these cases.
    States are, however, committed to our investor protection 
mission regardless of the means used to rip off our investors.
    The committee has invited NASAA to share its views 
regarding legislative proposals that have been posted in 
connection with today's hearing. I want to just mention two.
    The first is the Senior Investor Pandemic and Fraud 
Protection Act. This would implement the Senior Investor 
Protection Grant Program that was originally authorized by 
Section 989(A) of the Dodd-Frank Act, but was never put into 
effect.
    This bill would also expand the scope of the grant to 
include frauds related to COVID-19. And under the bill, State 
regulators could apply for up to $500,000 annually in grant 
funding to combat financial fraud of seniors and vulnerable 
adults in cases related to the pandemic. This would extend for 
a maximum of 2 years.
    The grant funds could be used to hire staff to investigate 
fraudulent conduct, to acquire technology and equipment, and to 
train investigators and prosecutors to target COVID-19 fraud, 
and also to provide important educational materials to seniors 
and vulnerable adults.
    NASAA strongly supports this bill, and so do at least 11 
other organizations, and we urge Congress to act on it.
    The second is the COVID-19 Restitution Assistance Fund for 
Victims of Securities Violations Act, which would create a fund 
at the SEC to provide restitution payments for individuals in 
connection with securities fraud related to coronavirus if they 
do not otherwise receive full restitution. As you can imagine, 
in financial fraud cases, once the money is gone, often, it is 
never recovered.
    Some States have enacted similar legislation with great 
success, and we strongly support this bill.
    Thank you again for the opportunity to testify, and I will 
be pleased to answer any questions you may have.
    [The prepared statement of Ms. Senn may be found on page 57 
of the appendix.]
    Chairman Cleaver. Thank you for your testimony, Ms. Senn.
    Mr. Coleman, you are now recognized for 5 minutes to give 
an oral presentation of your testimony.

STATEMENT OF KELVIN COLEMAN, EXECUTIVE DIRECTOR, NATIONAL CYBER 
                       SECURITY ALLIANCE

    Mr. Coleman. Chairman Cleaver, Ranking Member Hill, and 
members of the subcommittee, thank you for inviting me to 
today's hearing. It is a pleasure to join Tom, Amanda, and 
Jamil.
    My name is Kelvin Coleman, and I am the executive director 
of the National Cyber Security Alliance (NCSA). NCSA's core 
mission is to build strong public-private partnerships to 
create and implement broad-reaching cybersecurity, education, 
and awareness initiatives.
    The United States confronts a dangerous combination of both 
known and unknown cyber vulnerabilities. We face adversaries 
who are strong and rapidly expanding with ever-increasing cyber 
capabilities to breach our networks.
    During today's hearing, we will examine cyber threats and 
the bad actors who are exploiting the COVID-19 crisis. We will 
have robust discussions of tools, techniques, and procedures 
used by these bad actors. And we will certainly deliberate on 
the products and processes we put into place to mitigate those 
challenges.
    And while products and processes are important, I believe 
we need to focus even more on encouraging and supporting 
partnerships. I am going to talk a lot about partnerships 
today, and that is exactly what the National Cyber Security 
Alliance focuses on.
    In the words of Michael Madden of Mimecast, NCSA is the 
lead in building community defense through partnerships for our 
nation.
    This is especially true during the COVID-19 era. Tonia 
Dudley and her team at Cofense are seeing threat actors that 
continue to exploit the Paycheck Protection Program and SMB 
funding initiatives in several sophisticated phishing 
campaigns.
    Because of this type of threat and many others, NCSA, our 
board companies, Federal partners, and nonprofit collaborators 
have worked swiftly to provide organizations and individuals 
with relevant and helpful information to help address security 
and privacy concerns during the global COVID-19 outbreak. We 
have built what we call the COVID Security Resource Library, 
and folks have found it extraordinarily helpful.
    And with the help of companies like Trend Micro and 
Generali Global Assistance, we also created a COVID-19 webinar 
series for small and medium-sized businesses.
    Of course, bad actors were committing malicious acts before 
COVID-19, and they will certainly do so after this crisis 
subsides.
    To deal with threats in our continuously connected society, 
NCSA leads a number of other initiatives, including 
Cybersecurity Awareness Month, Data Privacy Day, and the 
CyberSecurity My Business program.
    And while these programs and resources provide tremendous 
value in the fight to protect Americans, I will say it again: 
partnerships are our biggest assets. And the private sector is 
incredibly important in this fight.
    The Federal Government plays an equally important role in 
cybersecurity and educational awareness. Chief among NCSA's 
Federal partners is the Cybersecurity and Infrastructure 
Security Agency (CISA). They have been very helpful in the 
fight to help Americans secure their networks. And I must say, 
CISA is very engaged, very responsive, and very supportive 
overall.
    NCSA, in coordination with our partners, has put a lot of 
effort into building a more secure, interconnected world. In 
the words of Kristina Dorville at AIG, bad actors are 
communicating, and bad actors are coordinating, so why 
shouldn't the good guys?
    With that said, there is still so much to be done. Congress 
should consider making game-changing investments into 
cybersecurity awareness and education, investments that could 
benefit the American people as well as the small and medium-
sized business community.
    As Americans begin to rely more heavily on telework, bad 
actors will increase their malicious activities and target 
those working from home. Americans must be equipped with the 
knowledge to protect themselves, their families, and their 
communities. Congress can and should play an important role in 
making sure Americans understand the many dangers of 
inadequately securing their systems, devices, and information.
    Thank you, Mr. Chairman, and I look forward to answering 
the subcommittee's questions.
    [The prepared statement of Mr. Coleman can be found on page 
36 of the appendix.]
    Chairman Cleaver. Thank you, Mr. Coleman.
    Mr. Jaffer, you are now recognized for 5 minutes to give an 
oral presentation of your testimony.

 STATEMENT OF JAMIL N. JAFFER, FOUNDER AND EXECUTIVE DIRECTOR, 
NATIONAL SECURITY INSTITUTE, AND ASSISTANT PROFESSOR OF LAW AND 
   DIRECTOR, NATIONAL SECURITY LAW & POLICY PROGRAM, ANTONIN 
           SCALIA LAW SCHOOL, GEORGE MASON UNIVERSITY

    Mr. Jaffer. Thank you, Mr. Chairman. Thank you, Chairman 
Cleaver, Ranking Member Hill, and members of the subcommittee, 
for being here today and for inviting me to talk about the very 
real threats that face our nation and the U.S. financial sector 
and those of our allied nations.
    As you know, the threats to our financial sector have been 
real and serious for decades. They have become particularly 
problematic in the context of the current pandemic.
    I want to note your leadership, Mr. Chairman, for calling 
out the very real threat of Iranian attacks on the United 
States, including on our financial infrastructure, for 
protecting our oil and natural gas pipeline infrastructure, and 
for fighting actively against overt and covert disinformation 
efforts online, including those that seek to divide us as a 
nation.
    In addition, Ranking Member Hill, I want to thank you for 
your leading efforts on identity theft, for your sanctions 
against Russia for its meddling in the 2016 election, and for 
your efforts to press NATO to extend its security umbrella to 
cover cyberspace, and ensuring that we continue to enjoy and 
innovate the military superiority in the cyber arena.
    I think it is critical today that we identify the very real 
threats that we face as a nation in the financial sector and 
take action immediately to address them. In a 2019 letter to 
shareholders, the CEO of JPMorgan Chase, Jamie Dimon, noted 
that the threat of cybersecurity may very well be the biggest 
threat to the U.S. financial system writ large.
    For the fourth year in a row, in 2019, IBM assessed that 
the financial insurance sector was the most targeted sector in 
our economy, with 17 percent of all attacks at the top 10 most 
attacked industries.
    The DNI, in January 2019, noted the attacks from North 
Korea, estimating almost $1.1 billion in worldwide theft of 
resources from the financial sector, including $81 million from 
the New York Federal Reserve account of Bangladesh's central 
bank.
    And yet, given that significant threat already facing the 
financial sector, we have seen a dramatic increase in financial 
sector threats since the COVID pandemic began. In fact, the FBI 
and the U.K.'s National Cybersecurity Center noted that they 
are seeing criminal activities on a scale likely to dwarf 
anything seen before, taking place at a speed that is 
breathtaking, with a sheer variety of fraud that is shocking.
    These are very serious threats. Carbon Black, the company 
that Tom represents, saw ransomware attacks increase 148 
percent in March 2020 over the baseline from just the prior 
month. And the financial sector was the single largest target 
of those increases in ransomware attacks, with a 38 percent 
increase in attacks.
    We have seen attacks in Washington State, where the 
unemployment system has lost hundreds of millions of dollars in 
the post-COVID environment.
    And it isn't just here in the United States. In Germany, 
the state of North Rhine-Westphalia lost between $35 million to 
$110 million in fraudulent payments based on 3,000 fake 
requests in the post-COVID environment.
    We have seen reports coming out of many government 
agencies, including the FBI, as well as CISA and other 
agencies, and we have noted that it isn't simply an attack 
limited to the United States. We have seen North Korea go 
around the world.
    And what was at one point $1 billion, in the DNI's 
testimony, back in January 2019, by the end of 2019 had become 
$2 billion, nearly a doubling of their financial sector 
targeting effects. And they are doing more currently, as we 
speak.
    And it is not just North Korea. We see China and Russia 
active in this space. And we see other actors, as Tom 
Kellermann mentioned, the actors that are nonstate actors, 
including potential terrorist and extremist groups, taking 
advantage of the weaknesses in our money laundering systems and 
the like to exploit our systems to engage in both financial 
fraud as well as movement of illicit funds.
    This is a critical issue that we must confront. And as this 
committee, I think there are five things that you ought to 
consider.
    First, Juan Zarate, and members of this committee, have 
suggested that the Secret Service ought be moved back from DHS 
to the Treasury Department. I think this is a positive move and 
would help the Secret Service retain its role in cybersecurity.
    Second, I think this committee ought to consider offering 
the Treasury Department an operational role in cybersecurity, 
giving them the resources and the capability to engage directly 
with the financial sector and with the intelligence community 
that they are already a part of to gather information, send it 
back out to the community, and bring both the public and 
private sectors together in this critical industry.
    Third, it is important that the committee consider working 
with the Treasury Department and other departments and agencies 
to create what the Cyberspace Solarium Commission recommended: 
a joint collaborative environment where industry and the 
government could come together in real-time to share threats 
and to actually collaborate on those threats, not just 
information-sharing but actual real-time collaboration.
    Finally, the committee ought to consider working with 
Treasury and encouraging them to launch efforts with key 
allies, as Juan has suggested, to recreate in the G-7 things 
like the Financial Action Task Force in the anti-money-
laundering (AML) arena. AML is a critical issue in this 
environment where tremendous amounts of money are being sent 
around by governments and the like, and it is critical that we 
take action now to address the AML concerns.
    And finally, it is important that our government work 
closely with NATO to expand out our efforts to protect our 
allies in Europe and elsewhere around the globe.
    Thank you very much, and I look forward to your questions.
    [The prepared statement of Mr. Jaffer can be found on page 
41 of the appendix.]
    Chairman Cleaver. Thank you, Mr. Jaffer.
    That is the conclusion of our witnesses' statements. I now 
recognize myself for 5 minutes for questions.
    I would like to spend just a little time talking about the 
sheer volume of Americans who find themselves teleworking, and 
the threat that poses to the financial system.
    As I mentioned earlier in my opening statement, one-third 
of the world's populations were in lockdown, and up to 90 
percent of financial services employees, banking and insurance 
companies, were working from home.
    We started our conversation today, but earlier, we had a 
roundtable where we talked about network security. And I 
believe it was Mr. Kellermann who said that financial 
institutions have had the best security in the world.
    But teleworking and Russian dark web customized malware has 
allowed adversaries to leverage ways around network defenses. 
You noted something that I thought was interesting, and I think 
we sought to address in the COUNTER Act, which is the need for 
both firms and regulators to be innovative in the way they 
confront these new fintech criminal techniques.
    Mr. Kellermann, and Mr. Coleman, can you both talk a bit 
about how financial institutions can improve the way in which 
we can go after these financial criminals and stop these 
breaches?
    Mr. Kellermann. Thank you. I would be happy to address 
that.
    First and foremost, we need the defensive line set at the 
top. The chief information security officers of the financial 
institutions have been marginalized for too long, and their 
perspective and their stratagems are not being enacted fully as 
they compete for resources with chief information officers 
(CIOs).
    Second, I think more proactive cyber threat hunting must 
occur not only within financial sector participants but across 
the information supply chain and extend to shared service 
providers. Cyber threat hunting is much like you need to make 
sure no one is in the bank vault when you close the doors for 
the day, not just conducting vulnerability assessments to see 
if the locks are working or the alarms are working.
    And then lastly, because of telework, the major security 
provisions that have been put in place by banks are no longer 
effective because the network security paradigm can be bypassed 
by those VPN tunnels that allow access to those systems. So, I 
think better forms of authentication and just-in-time 
administration should be granted within those ecosystems as 
well.
    Chairman Cleaver. Thank you.
    I have a question for Mr. Coleman, but let me just follow 
up, Mr. Kellermann. You know that all of the members on this 
committee live in communities. And I am wondering, what do you 
suggest we do? We have many, many, many banks in our 
communities. We have all kinds of financial institutions. How 
do we get to them to implement some of the things that you are 
presenting to us today? They are not going to participate in 
our hearings, but they are struggling. What can we do 
nationally to deal with this issue?
    Mr. Kellermann. I think that we can incent them through tax 
incentives for investment in cybersecurity as well as inspire 
the regulators, whether they be State regulators or national 
regulators of the Federal Financial Institutions Examination 
Council (FFIEC), to incorporate this construct of cyber threat 
hunting. Because with cyber threat hunting, it eliminates the 
veil of plausible deniability that you may or may not have a 
problem.
    When you conduct a cyber threat hunt, and you identify a 
bad actor inside your network, it is something that must be 
acted on immediately. And so, it really provides game day film 
on what the priority should be in the near term.
    Chairman Cleaver. Thank you. Mr. Coleman, what can we do, 
what can businesses and educational institutions do to protect 
themselves and those they serve?
    Mr. Coleman. Mr. Chairman, our friends at Proofpoint have 
said to me that defenders don't focus on people but attackers 
do, meaning 90 percent-plus of effective breaches come through 
to an end user or to a person. So those breaches that happen, 
90 percent of them are because of some human action or 
behavior. But only about 20 percent, a little less than 20 
percent of training dollars, awareness dollars actually go to 
that end user.
    I think we need to flip that. I think we need to encourage 
businesses to put more investment into their training and 
awareness. The way we do with, unfortunately, active shooter 
training or inclement weather training, these other trainings 
that we have, we absolutely need to do that with cybersecurity 
as well.
    Not so ironically, Americans are hit every single day with 
these attacks and breaches. Yet, many of them, particularly in 
the business community, are only getting training once, maybe 
twice a year.
    At the National Cyber Security Alliance, we are encouraging 
people to perhaps get to the gold standard of once-a-month 
training and awareness as it relates to cybersecurity because 
the threats are evolving so quickly, and we need to be able to 
educate those folks.
    Chairman Cleaver. Thank you, Mr. Coleman. I appreciate 
that.
    My time is up, so I will now recognize the distinguished 
ranking member of the subcommittee, Mr. Hill, for 5 minutes for 
questions.
    Mr. Hill. I want to thank the chairman for the hearing. I 
appreciate our excellent witnesses.
    Let me start with Mr. Kellermann. Thanks for coming to the 
roundtable a few days ago. I wanted to follow up. We talked a 
little bit about coordination with the regulators at that 
roundtable. But you made a comment in your testimony today that 
I thought was interesting about lack of security among 
fintechs. You used the words, ``operational risk.''
    Could you get more specific? Are you talking about their 
AML/BSA compliance on their platforms? Are you talking about 
their lack of use of APIs? Give me a little color context on 
your concern about fintech applications.
    Mr. Kellermann. Whereas, fintechs are the tip of the spear 
vis-a-vis technological renaissance occurring in the financial 
sector, we at VMware Carbon Black have noted increased attacks 
against the APIs of fintech vendors to bypass security controls 
they have in place and to leverage what is called island 
hopping, which is where they attempt to take over the digital 
infrastructure that was built by that vendor and then use it to 
attack those who implicitly trust it.
    This ``island hopping'' phenomenon is my biggest concern in 
this sector, is that you have these entities who are being 
targeted by very professional cybercriminal crews, typically 
Eastern European or Brazilian in nature, and they are using the 
financial platforms that have been developed for greater 
liquidity and access to financial services and the like to 
target their constituencies. And so, greater attention must be 
paid to the security and modernizing the security of fintech 
participants.
    Mr. Hill. Thank you.
    Mr. Jaffer, thank you for your testimony, and I appreciate 
your discussing in your detailed testimony about China and 
China's threat, that in March of 2020 a Chinese hacking group 
carried out one of the broadest campaigns by a Chinese cyber 
espionage actor that we have observed in recent years.
    Mr. Jaffer, are you concerned that China is a new and 
expanded threat in the cyber arena? In the past, we have 
frequently talked about North Korea, Iran, and Russia--Eastern 
European players, as we just noted. How do you think China 
compares to other countries when it comes to cyber attacks?
    Mr. Jaffer. Thank you, Congressman Hill.
    China is in the top rank of countries, if not number one of 
three, along with us and Russia, in terms of cyber 
capabilities.
    Now, the thing about China is they have long been focused 
on intellectual property theft. They have engaged in what my 
boss, the former Director of NSA, General Keith Alexander, 
called the greatest transfer of wealth in human history, 
literally extracting information out of the United States that 
they take back to China in order to repurpose for the purpose 
of creating economic benefits to their nation. That has been a 
huge issue.
    China is increasingly now pivoting beyond that to 
intelligence collection, which they have always also done, and 
they are now increasingly getting involved in financial fraud 
schemes and allowing these things to take place within their 
infrastructure.
    China doesn't operate only through their government agents, 
although they have a tremendous number of military intelligence 
resources devoted to focusing on the United States. They also 
operate through allowing hackers in their country to take 
action against the United States and against other allies of 
ours.
    The key issue that we see with China today, though, is what 
they are doing in terms of covert and overt misinformation and 
disinformation. They have taken a page right out of the 
Russians' playbook from 2016, and they are doubling down on 
that.
    We have seen the Chinese Foreign Ministry already talk 
about the Black Lives Matter movement. It is no accident that 
the Chinese are talking about that publicly. They are already 
putting a million of their own people in prisons in the 
Xinjiang province, and yet they are concerned about Americans.
    The reality is, they are not concerned about Americans. 
What they are concerned about is taking over a global 
leadership role from the United States, and they will use every 
means at their disposal to do it, including cyber activities, 
and that is what makes them particularly dangerous in this 
arena.
    Mr. Hill. Thank you.
    Do you see coordination between North Korea and their 
efforts in cyber attacks? Of course, they are some of the most 
famous with WannaCry of a few years ago and the Cosmos Bank 
scheme of just a few months, maybe a year or so ago. Do you see 
North Korea and China at all coordinating their efforts, or do 
you see North Korea purely on its own?
    Mr. Jaffer. I think North Korea generally acts on its own.
    Now, that being said, the North Koreans know how much they 
can get away with without pushing the Chinese over the line. If 
the North Koreans go too far, whether it is with nuclear 
weapons testing or cyber activities or the like, the Chinese 
will get concerned and potentially take action.
    North Korea has gotten smart. They have learned to play the 
Russians and the Chinese offense against one another too. So 
they are not simply relying on China as their only client 
superpower. They are also playing with the Russians.
    They have, as you have noticed, though, been fairly quiet 
when it comes to their testing of nuclear weapons and missiles 
recently and they have really been focused on the financial 
gain they can achieve in the current environment. So that is 
the big concern today for North Korea, although you can't put 
away the North Korean nuclear problem, which is ever present.
    Mr. Hill. Thank you so much.
    I yield back, Mr. Chairman.
    Chairman Cleaver. Thank you.
    I now recognize Mr. Perlmutter from Colorado for 5 minutes.
    Mr. Perlmutter. Thank you, Mr. Chairman.
    This question is for Mr. Kellermann. A couple of years ago, 
I had a bill called the Data Breach Insurance Act. And you 
mentioned tax incentives to try to get companies and 
individuals to beef up their cybersecurity. Can you discuss 
that a little bit more, how you see incentives might work to 
drive folks to the NIST protocol?
    Mr. Kellermann. Yes. Thank you for asking me that.
    I am a huge fan of using that carrot to motivate businesses 
to view cybersecurity as a functionality of conducting business 
in today's world versus an expense. Whether it is a percentage 
of their IT budget that is spent on cybersecurity or whether it 
is compliance with a standard like NIST or even compliance with 
a standard which isn't quite a standard but a best practice 
like the CIS Critical Controls, we would be better off than 
where we are right now.
    Frankly, there is insufficient investment and leadership in 
the private sector as it relates to cybersecurity, which is why 
we are dealing with this cybercrime wave.
    Mr. Perlmutter. Has that been exaggerated, exacerbated, 
because we are now sort of in this remote telecommuting world? 
Would we be better off if we were--if smaller companies and 
small financial institutions were to beef up their 
cybersecurity?
    Mr. Kellermann. Yes, it has been exacerbated because of 
telework. The security of teleworkers is far less than that of 
someone who is working in a corporate environment because they 
don't have all the perimeter defenses, much like a corporate 
facility has greater security than your home typically.
    I do think it is an imperative for those organizations to 
invest more seriously in cybersecurity, but I also realize they 
are small businesses and they have been dramatically impacted 
by the economic recession that they are facing.
    But going forward, I think most people need to appreciate 
that encryption is not the sole answer, that encryption is not 
bulletproof, it is not something that hackers can't get around. 
When a hacker hacks your computer metaphorically, they steal 
the key to unlock the encryption. So what does the encryption 
really mean? But I will leave that there.
    Mr. Perlmutter. Okay. I think I may have to dust off the 
Data Breach Insurance Act and resubmit it over the next month 
or two to try to use at least some incentive bases so that they 
can beef it up, knowing full well that a bank robber, no matter 
how thick the vault is, will always try to find a way to get 
through that front door, back door, whatever.
    Let me change the subject quickly to all of the panelists. 
Mr. Jaffer was speaking about disinformation. And I am curious 
if you all have seen efforts, whether it is Black Lives Matter 
or vaccines or whatever it might be, given the fact we are in 
this COVID-19 time in history, whether you have seen 
disinformation campaigns rise.
    And I will start--Mr. Kellermann, you are on my screen, so 
let's start with you, and then go to Mr. Jaffer.
    Mr. Kellermann. I think that our traditional Cold War 
adversaries are taking advantage of the situation. The American 
hegemony, the American empire you might want to call it, is the 
weakest we have ever been through a combination of factors.
    I explicitly don't see true evidence. I am not actually 
looking for it, because I assume it is happening, frankly, but 
I do see escalated cyber attack capabilities and activity 
occurring not just against the financial sector, but against 
the healthcare sector and a myriad of other sectors in this 
regard.
    Mr. Perlmutter. Mr. Jaffer, any comments?
    Mr. Jaffer. Yes. Thank you, Congressman Perlmutter.
    Yes, we know unquestionably that China has engaged in these 
type of activities in Taiwan and interfered with their 
election. We know that Russia did it in 2016 to our election.
    We haven't seen specific bulletproof evidence, as Mr. 
Kellermann pointed out, that they are engaged in those covert 
activities today when it comes to trying to throw gas on the 
fires that are already burning in this country. But we know for 
a fact that they are out there saying it publicly. We see overt 
activities by the Chinese and the Russians trying to meddle 
with our political environment.
    It is almost unquestionable that when they engage in those 
type of overt activities, they are doing the same thing 
covertly.
    So, I think that over the next few weeks and months, and 
probably over the next year, we will see the intelligence 
community and the Bureau and the rest of our national security 
organizations coming out with evidence to demonstrate that, in 
fact, the Chinese, the Russians, and potentially the Iranians 
are seeking to actively gaslight what is taking place in this 
country, very real and honest debates are happening, and 
attempting to manipulate those, let's call it additional chaos 
and disorder in this country, in the context of the already 
ongoing pandemic.
    Mr. Perlmutter. Thank you for that sobering testimony in an 
already difficult time.
    I thank the panelists. Thanks for being part of the 
roundtable, and today's hearing. And I yield back to the Chair.
    Chairman Cleaver. Thank you, Mr. Perlmutter.
    The Chair now recognizes the gentleman from the great State 
of Texas, Mr. Williams.
    Mr. Williams. Thank you, Mr. Chairman, for calling this 
hearing.
    And thanks to all of you for joining us in this virtual 
setting for this important hearing.
    As cyber criminals get more advanced, we need to make sure 
our government's efforts to combat these threats are being used 
as effectively as possible.
    Last week, I introduced a bill with my buddy on the other 
side of the aisle, Denny Heck, to transfer the Secret Service 
from the Department of Homeland Security back to the Treasury 
Department, as we have talked about today, where it had 
previously been located almost 140 years before the September 
11th terrorist attacks. This strategic realignment would help 
put increased focus on the financial crimes and cybercrimes of 
the Secret Service.
    Juan Zarate, the first Assistant Secretary of the Treasury 
for Terrorist Financing and Financial Crimes after 9/11, and 
Tim Maurer, author of the book, ``Cyber Mercenaries: The State, 
Hackers, and Power,'' wrote in a recent op-ed that the move 
would strengthen the government's ability to protect the 
financial system and build on the Trump Administration's 
interagency focus on cyber threats.
    This transfer is also supported by the Treasury Department, 
by the Department of Homeland Security (DHS), and by the 
Federal Law Enforcement Officers Association, which advocates 
for the Federal law enforcement community.
    So, Mr. Jaffer, could you give us your thoughts on how this 
move would be beneficial to our government's ability to defend 
against financial crimes?
    Mr. Jaffer. Absolutely. Congressman Williams, as you well 
know, the Secret Service was originally set up by Abraham 
Lincoln in the aftermath of the Civil War in order to protect 
the U.S. currency. Its first and primary mission was financial 
crimes.
    So, the idea that the Secret Service ought to be focused on 
that as a primary mission and be in the place where that is the 
primary role of the agency makes a lot of sense.
    I support moving the Secret Service from DHS back to 
Treasury, in part because it will then prioritize its 
relationships, existing relationships that Treasury already has 
in the cyber arena with industry today. And those are very 
trusted, strong relationships. The Secret Service can build on 
these.
    But I think the Secret Service needs more than that. It is 
not just a matter, Congressman, of moving them from one agency 
to another. That is critically important. I think it will 
elevate their role. But I think it is also about providing them 
the resources they need to do that job, and do that job better, 
and to provide them additional authorities, investigative 
authorities, to really go after this crime.
    The Secret Service is largely bound by the authorities they 
have had historically for a long time, and those are very 
useful authorities, but there is no question they will need 
additional resources in this effort.
    And being hidden in the larger entity that is DHS makes it 
harder for them to get priority, harder for them to get 
resources, and ends up making them focus on their protective 
mission, which at the end of the day isn't their highest and 
best value today when it comes to threats facing our financial 
sector.
    So, I support that effort. Juan is a good friend and 
mentor, and I am glad, Congressman, that you and Mr. Heck 
introduced that legislation.
    Mr. Williams. Thank you. We will put you on the winning 
team then, okay?
    Mr. Jaffer. Yes, sir.
    Mr. Williams. From hostile countries like China and Russia 
to other criminals in the private sector, there will always be 
people looking to exploit our country's cyber vulnerabilities.
    In 2018, the Trump Administration put out the updated--the 
National Cyber Strategy for the first time in 15 years. I 
applaud this action by the Administration, but I am sure that 
the threats facing the country are drastically different now 
than just 2 years ago.
    So, again, Mr. Jaffer, would you support mandating this 
report be updated annually? And can you discuss how the threats 
facing government entities and the private sector have evolved 
over the past 2 years?
    Mr. Williams. Absolutely. Congressman, as you know, the 
idea that we didn't update our national cybersecurity strategy 
for a decade and a half is shocking and concerning, and I am 
glad the President and his team decided to put out a new 
strategy.
    I do think it is valuable for Congress to require the 
Administration to issue the strategy on a regular basis. 
Whether that is a year or every 2 or 3 years, I would leave 
that to you all and the White House to figure out what the 
right cadence is. But I think it does make sense to have it 
updated rapidly, because obviously, we are in a constantly 
changing threat environment.
    Now, in particular in the United States today, the threat 
has changed. You have seen what has already happened. You have 
heard testimony today about the way that criminals who are very 
innovative and nation-states who are very innovative take 
advantage of the current moment. They are not worried about the 
fact the pandemic is hurting them. They are focused on how to 
come after us and our people and our finances, and they are 
very focused on that.
    At the end of the day, though, the government's traditional 
role has been protecting the nation when it comes to all other 
things from nation-states. But in cybersecurity, we actually 
have the private sector on the front lines.
    So I think Kelvin is exactly right, that this is all about 
partnerships. We have to bring the government and industry 
together. And that is why having an entity at Treasury, having 
Secret Service there, but also giving them operational 
capability, will help better defend the financial sector where 
they are on the front line defending today, when normally it 
would be our military or our law enforcement efforts at the 
front line.
    Mr. Williams. Okay. Quickly, COVID-19 has given cyber 
criminals a new opportunity to exploit the crisis to take 
advantage of hardworking Americans. Many companies and 
governments have been forced to switch their operations to a 
virtual setting to conduct their normal operations, just as we 
are doing right now with this hearing.
    So, Mr. Coleman, quickly, what advice would you give 
companies adapting to these remote settings on how they can 
stay safe while they are figuring out these new operating 
procedures?
    Mr. Coleman. Congressman, I would absolutely advise them, 
do not abandon your training and awareness. That is a low-
hanging-fruit opportunity for them to make sure that their 
workers are continuing to be resilient in terms of trying to 
protect themselves. So, the first thing I would say is, please 
do not abandon the training and awareness that they probably 
had set up pre-COVID-19.
    Mr. Williams. Thank you, Mr. Chairman. I yield back.
    Chairman Cleaver. Thank you.
    The Chair now recognizes the gentleman from Washington, Mr. 
Heck.
    Mr. Heck. Thank you, Mr. Chairman, and Ranking Member Hill. 
And thank you to all of the panelists. What a spectacular and 
timely topic for us to discuss.
    As the Chair indicated, I represent Washington State, and 
tragically, unfortunately, nobody has been hit harder by the 
unemployment insurance fraud that has gone on in this country 
than Washington State, perpetuated by the cybercrime group that 
is based in Nigeria, known as Scattered Canary.
    We don't know exactly how much they bilked us out of, but 
we know for sure that somewhere between $550 million and $650 
million was fraudulently paid out by our State Department of 
Employment Security. Fortunately, we have been able to recover 
about $330 million of whatever the total number is.
    And that operation, that recovery was only made possible, 
frankly, because the U.S. Secret Service was able to identify 
this operation and went to work. And frankly, I want to express 
publicly my appreciation to the Secret Service for this on 
behalf of the taxpayers of Washington State and all Americans 
for that matter.
    But I am not under any illusion that it is just Scattered 
Canary out there. They are part of one of who knows how many 
hundreds or thousands of organizations who basically are intent 
on fraudulently appropriating our money. And that is why I am 
so concerned. I am very concerned.
    Between the lasting damage done to the government's 
investigative capacity by the Budget Control Act--and it has 
been diminished--and the loss of mission focus that has been 
referred to here resulting from moving the Secret Service to 
the Department of Homeland Security, I think our Federal 
Government remains pretty unprepared, by and large, to identify 
and investigate financial cybercrimes, especially factoring in 
the massive amounts of Federal resources being distributed 
across the country.
    And that is why I was indeed proud to join with my friend, 
Representative Williams, in introducing the bipartisan and now 
bicameral U.S. Secret Service Mission Improvement and 
Realignment Act, which would, of course, as indicated, move the 
Secret Service back from the Department of Homeland Security to 
its ancestral home at Treasury.
    I think, as has been indicated, that will enable it to tap 
into the institutional knowledge and expertise at Treasury to 
better defend us against countering fraud and cybercriminal 
activity.
    So, Mr. Kellermann, I want to ask you the question that Mr. 
Williams asked of Mr. Jaffer. You specifically mentioned the 
importance of passing the Secret Service Mission Improvement 
and Realignment Act. Thank you for that. But I want to ask you, 
in your own words, why do you think it is important, above and 
beyond what has been indicated?
    And perhaps secondarily, what do we have to lose if we 
continue to keep the Secret Service housed at the Department of 
Homeland Security? That is for you, Mr. Kellermann.
    Mr. Kellermann. Thank you.
    I have always been impressed, in my 20 years in 
cybersecurity, with the efforts of the Criminal Investigative 
Division (CID) of the Secret Service. They haven't been too 
flashy and taken too much credit for their successes, but they 
have done Herculean efforts as it relates to disrupting some of 
the most advanced cybercrime conspiracies in the world, 
beginning with the Eastern Europeans' cybercriminal syndicates 
back in the early 2000s.
    But they have always been underresourced, and they have 
always been stuck in this position where some of their very 
best analysts had to still provide for protection duty, which 
put a strain on even then keeping the best technological talent 
within their ranks.
    And this was compounded when they moved over to DHS post-9/
11. I understand why, but, at the same time, I think they could 
truly help us move the needle as it relates to civilizing 
American cyberspace and thwarting and suppressing some of the 
more advanced financial crime, cybercrime conspiracies that are 
ongoing if they were back in Treasury working hand-in-hand with 
FinCEN and others.
    So, again, I tip my hat to you. I think this is incredibly 
important legislation, and hopefully, it happens.
    Mr. Heck. Thank you.
    What other steps do you think need to be taken to fill or 
expand or make appropriate to the measure of the challenge our 
government's capacity to investigate and pursue financial 
cybercrimes? Aside from just changing the organizational chart, 
Mr. Kellermann, what else do we need to do?
    Mr. Kellermann. I feel that they should be given the 
resources to hire more personnel, number one.
    Number two, they should expand the Electronic Crimes Task 
Forces--or I think they are now called the Cyber Fraud Task 
Forces--internationally to get greater information sharing and 
partnership with various countries who have very significant 
and very powerful organized crime syndicates who have adopted 
this cybercrime model.
    And then, lastly, when they come across an investigation 
where there is a cybercrime conspiracy and it is obvious there 
has been misuse of virtual currencies and alternative payment 
systems, those moneys could be used to fund their endeavors or 
fund the efforts to protect the financial sector from attack.
    Mr. Heck. Thank you, Mr. Kellermann.
    And just finally then, let me say that if Washington 
State's experience is any measure of this, where in this one 
instance we have lost hundreds of millions of dollars in just 
one State, what we are talking about here is a proposition of 
risk that is billions upon billions upon billions.
    I am pleased to have joined Mr. Williams in introducing 
this bill.
    Thank you, Mr. Chairman, and I yield back.
    Chairman Cleaver. Thank you, Mr. Heck.
    The Chair now recognizes Representative Gonzalez from Ohio.
    Mr. Gonzalez of Ohio. Thank you, Mr. Chairman.
    And thank you to our witnesses.
    Echoing Mr. Heck's comments, this has been an incredibly 
enlightening and important hearing today. So, I thank the 
chairman for his leadership and for our witnesses today.
    I want to focus my questions primarily on Mr. Kellermann, 
if you would humor me here. I want to first focus on the 
attribution issue and our ability to attribute these crimes to 
different folks.
    In both your written testimony and in your oral statement, 
you talked about how cybercriminals are evolving in both attack 
sophistication and organization.
    Can you shed some light specifically on the organization 
side? How have cybercriminals evolved, call it, in the last 2 
to 3 years, and what are you seeing as sort of the next phase 
here?
    Mr. Kellermann. Thank you for the opportunity.
    I would cite the World Economic Forum report that there has 
been an industrialization stage occurring within the economy of 
scale of the dark web. There are more groups providing specific 
services and capability sets. You are seeing advanced business 
models specific to things like access mining.
    Access mining is, as a construct, a report issued by VMware 
Carbon Black over a year ago where hackers will hack systems. 
If they don't really have a use for those systems, they will 
profile that system, and they will say, this is Bank A's 
system. They will then sell access to that system to a 
traditional criminal, who would have the capacity to liquidate 
that experience, per se.
    In many countries, as we well know, you see this Robin Hood 
experience where the best cybercriminals are insulated and 
protected as long as they don't hack anything within those 
sovereign boundaries and as long as they act in a patriotic 
fashion. I am sure my friends in the Secret Service or in the 
FBI can attest to that. But I would say that it is a true 
economy of scale now, sir.
    Mr. Gonzalez of Ohio. Is there any sense that these are 
connected to nation-states, in particular the Chinas and 
Russias of the world? How directly are the links to some of our 
adversaries?
    Mr. Kellermann. From my gut, I feel like there is a link 
between some of these groups, but, then again, I can't verify 
that. I am sure that if you had the Secret Service or the FBI 
testify, maybe in a classified setting, they could speak to 
that.
    I think there is a big difference between, let's say, a 
Russian hacker and a Chinese hacker. Chinese hackers are less 
likely to target the financial sector because, frankly, we are 
their number one debtor, and, frankly, we are their number one 
consumer. That being said, I don't think it is the case when it 
comes to Russian-speaking hackers in Eastern Europe.
    Mr. Gonzalez of Ohio. Right.
    And then you also talk about a dark wallet as a platform 
where jihadists can avoid your customer regulations and launder 
money.
    My question is, technologically, do we have the ability to 
shut down something like a dark wallet? Is that technologically 
possible?
    Mr. Kellermann. I wouldn't be an advocate of, let's say, 
shutting it down. I would just challenge the developers of 
these platforms to at least, when called upon, to know who your 
customer is when called upon, and to be able to freeze the 
assets associated with anything that has been proven to be part 
of a criminal or terrorist conspiracy using cyberspace.
    I think the FBI, the Secret Service, and the intelligence 
communities do have the capacity to do more interesting things, 
but, then again, I am just a watcher on the wall, sir. I don't 
have that much expertise vis-a-vis dark wallets.
    Mr. Gonzalez of Ohio. Okay. But your gut is that we do have 
the capability of being more aggressive with respect to how we 
go after these individuals or we monitor, to be specific.
    With my last minute, another thing you talk about is the 
international e-forfeiture fund, which I think is really 
interesting and probably something I want to investigate with 
you maybe offline when we have more time.
    But, just with the minute that I have left, structurally, 
how would you envision that being set up? Who would be a part 
of it? And how would it sort of be managed?
    And I know that is a lot for 50 seconds, but give it your 
best shot.
    Mr. Kellermann. We need to incent developing countries to 
play ball with us. As we both know, and as most--all of us know 
for that matter, the most significant entities, transnational 
organizations and organized crime syndicates within these 
sovereign boundaries of those countries, don't necessarily have 
to play ball, and they are just as powerful as the government.
    So how do you incent the government to play ball? I think 
by giving them a percentage of the forfeited assets associated 
with the investigation. That is why I open it up to an 
international lens, because most of cybercrime emanates from 
outside of the United States.
    I think probably the Bank of International Settlements 
might be well-suited to do this, because they already 
facilitate so much in our financial sector between the tier 1 
financials.
    Mr. Gonzalez of Ohio. Great. Thank you for your insight. We 
will reach out after this for more depth.
    Thank you, Mr. Chairman. I yield back.
    Chairman Cleaver. Thank you.
    The Chair now recognizes the gentleman from California, Mr. 
Sherman.
    Mr. Sherman. Thank you, and thanks for putting on this 
virtual hearing.
    My first question is for Mr. Kellermann. Included as one of 
the subjects of today's hearing is a bill that I introduced, 
the Internet Fraud Prevention Act, which addresses the issue of 
business email compromise and especially real estate wire 
fraud.
    And the way it typically works in a real estate situation 
is, you are dealing with somebody who saved their money to buy 
a house. This would be the one time in their life that they 
actually send $50,000 or $100,000 somewhere. And you hack their 
email account, know that they are, in fact, buying a house, and 
you convince them that when they are supposed to wire that 
downpayment, it is supposed to go to account number ``12345'' 
in order to get to their escrow agent, when, in fact, the 
escrow agent or the attorney involved has a different account 
number.
    And the reason this occurs is when you are supposed to wire 
money in this country, you only wire it to a number and not to 
the name of the entity that you are trying to send the money 
to.
    In the U.K., they are implementing a payee matching system 
where, when you wire money, you are going to wire it to an 
account number that has to be in the name of whom you actually 
intend to get the money, and the U.K. regulator believes this 
will reduce this kind of fraud by 90 percent.
    My bill would require the Federal Reserve to perform a 
cost-benefit analysis for implementing a similar program in the 
United States. Would you agree that this is a good approach in 
order to focus on this issue and prevent people from wiring 
money to the wrong account?
    Mr. Kellermann. I do. I do think that it necessitates a 
cost-benefit analysis. But that being said, any obstacle that 
we can put in the way of a fraudster is an obstacle worth 
having.
    My mom is a real estate agent, so I hear about this a lot.
    Mr. Sherman. Thank you.
    Ms. Senn, the next one is for you. I am the Chair of our 
Investor Protection, Entrepreneurship, and Capital Markets 
Subcommittee, as my colleagues know, and I am concerned about 
the threat of cryptocurrency-based fraud.
    In 2019, just a few months ago, in December, the NASAA 
identified cryptocurrency as one of the top 5 threats to 
investors in 2020. Today in your testimony, you note that among 
the schemes being identified by your organization, this COVID-
19 Enforcement Task Force, many involve cryptocurrency or 
promote investments that are outside the stock market.
    The SEC has resisted identifying cryptocurrencies, at least 
Bitcoin and Ethereum, as securities, and so they say, ``Hey, it 
is not our business, it is not a security, we have an `S' in 
our name, that stands for security,'' and of course they apply 
the Howey test. I believe that a lack of an SEC registration 
requirement makes cryptocurrencies attractive to those who have 
investment scams.
    What do you think Congress can do, and what can the States 
do to correct this system where, if investors want to invest in 
a real company that really is providing jobs, they have the 
protection of the SEC and the State commissioners as well, but, 
for cryptocurrency, they don't get much protection?
    Ms. Senn. Thank you, Congressman Sherman.
    We do have a regulatory framework in place under the Howey 
test to regulate investments in cryptocurrency. And on a State 
level and through NASAA, back in 2018, we initiated a 
cryptocurrency sweep, and it was a massive public awareness 
campaign where we notified the public that, hey, guys, these 
things are out here, they are initial coin offerings, they are 
investment-related, be aware there are lots of fraudulent 
offerings, as with any currency as well, but especially in the 
crypto space, because people don't understand it. Investors are 
still learning the digital assets if they want to invest 
properly in that.
    But we have a regulatory framework for investment in 
cryptocurrency. I do believe that, collectively, the States can 
be more proactive in promoting the types of frauds that are 
prevalent--
    Mr. Sherman. If I can interrupt, the SEC clings to this 
idea that Bitcoin and Ether are not securities, and, therefore, 
they don't have jurisdiction. Do the State securities 
commissioners believe they have jurisdiction in those who are 
selling Bitcoin and Ethereum?
    Ms. Senn. If the cryptocurrency is being offered as an 
investment, or with a view toward an investment--yes, sir. I 
know.
    Mr. Sherman. If every--
    Ms. Senn. We also have many transmitters laws.
    Mr. Sherman. Everybody who buys Bitcoin is buying it with 
the prospect of it going up. Every cryptocurrency enthusiast 
who hears a rate, and invests in it, believes it is going to go 
up.
    I believe my time has expired, so I yield back.
    Ms. Senn. I am in agreement.
    Chairman Cleaver. The Chair now recognizes Representative 
Rose from Tennessee.
    Mr. Rose?
    We will move on to Mr. Taylor from Texas.
    Mr. Taylor. Thank you. I really appreciate you putting this 
hearing together, and I think it is important information. I am 
reminded of something that Frederick the Great said long ago: 
``He who defends everything defends nothing.''
    Part of the issue here I think in this whole discussion is 
prioritizing resources. And I have heard a lot about where we 
need to prioritize resources and not prioritize resources. And 
I guess something that I have been thinking about is in--and I 
know there has been a mention of the AML/BSA program that 
financial institutions pursue in trying to find anti-money-
laundering and, with the Bank Secrecy Act, trying to find 
problems in terms of prioritizing.
    I guess I will just kind of ask a broad question: Have you 
seen people wasting resources, wasting the effort, or they are 
trying to do the right thing, but they are headed down the 
wrong path in terms of what they are doing? I will throw that 
out, just experiences from the field. What have you seen that 
you think, gosh, that is a waste of time and effort?
    Mr. Coleman, do you want to take a crack at that?
    Mr. Coleman. Congressman, fortunately, I have not 
experienced that in cybersecurity. Most of the time it is the 
exact opposite in terms of trying to help people understand the 
urgency of investing or taking action throughout normal times, 
let alone a disaster.
    Jon Check from Raytheon, whom I work with, often talks 
about how bad actors will take advantage of a disaster, manmade 
or natural, a situation like we are in now, Congressman. And so 
getting companies, businesses, individuals to act during those 
times is difficult enough, let alone during peacetime.
    So, no, I haven't necessarily seen where people are going 
down the wrong path or wasting time. Actually, it is the 
opposite in terms of trying to encourage them to go forward.
    Mr. Taylor. Anybody else want to take a stab at that one 
and talk about prioritization and making sure resources are 
being used intelligently?
    Mr. Jaffer. Congressman, I think one place that you might 
look is oftentimes, you see a company go out and buy every tool 
they can out there. And they put a lot of them on the shelves 
and they don't utilize them.
    So one thing that we can do is really encourage companies 
to identify the best out there in the field and buy that 
capability, use that capability. And if you are not going to 
use it, don't buy it. If you don't have the capacity to take 
care of it right now, don't invest in it at this time. I think 
it prioritizes that, and that way is a sensible approach for 
institutions.
    I also want to associate myself with Mr. Kellermann's 
remarks earlier about providing carrots to industry to take 
advantage of cybersecurity protection, and so I think that 
giving tax incentives is the right way to go.
    A different approach would be to regulate and to tell 
people exactly what to do and what not to do. The problem with 
that in my mind is that it creates a check-box mentality, and 
in a field where things are changing so rapidly, sir, I think 
it is a mistake to require the type of regulations that would 
be very specific and detailed and ultimately cause people to 
just check the box and not actually gain on security gains.
    Mr. Taylor. In my own experience, I was on a bank board for 
12 years, and we acquired a product which automated the 
verification of checks that were written fraudulently. And so, 
by automating that, we were able to reduce resources in that 
effort and actually be more effective. We actually saw 
reduction in our fraud at our bank. But we also were then able 
to put more resources into other counter-fraud efforts.
    And so I think making the right investment, as you say, a 
part of that is knowing where the efficiency is to be gained 
and then, in turn, understanding where we can actually go get 
those efficiencies.
    And I look forward to working further on this issue. 
Cybersecurity is increasingly becoming a concern in our country 
because we are automating more, and the more we automate, the 
more we turn to systems and computers to do things, the more 
stuff is on the web, the more vulnerable we become or the more 
we have to defend it.
    With that, Mr. Chairman, I yield back.
    Chairman Cleaver. The gentleman yields back.
    The Chair now recognizes the gentleman from New Jersey, Mr. 
Gottheimer.
    Mr. Gottheimer. Thank you so much, Chairman Cleaver and 
Ranking Member Hill, for calling this hearing, and to all of 
our witnesses for being here today.
    TransUnion, one of the big three credit bureaus, runs a 
weekly survey that shows that 29 percent of consumers say they 
have been targets of digital fraud related to COVID-19. On top 
of that, AARP's Fraud Watch Network recently reported that 
there has been a steep increase in scams targeting the elderly 
and other vulnerable communities.
    These nefarious actors, both domestic and international, 
are using the pandemic and preying on people's fragile states 
in these uncertain times to target their hard-earned retirement 
accounts, their unemployment checks, and other savings.
    Ms. Senn, from your perspective of working directly to 
prevent cybercrime as the Chair of the Cybersecurity Committee 
for the NASAA, do you agree that seniors are disproportionately 
the victims of cybercriminals? And what challenges do law 
enforcement run into while trying to prevent this population 
from falling victim to frauds and scams?
    Ms. Senn. Thank you, Congressman.
    Yes, seniors are disproportionately targeted. They hold 
most of the nation's wealth. You work your entire life so that 
in your golden years, you hopefully can sustain the rest of 
your life with the retirements that you have saved. Criminals 
know that. That is where the money is.
    You have heard the studies where, as you age, your 
cognitive function declines, and your financial judgment is 
part of that. And so, seniors are more vulnerable to financial 
fraud because of that, the weakening in their financial 
judgment.
    Through NASAA, our North American Securities Administrators 
Association, we have developed a model law to report the 
suspected financial exploitation of seniors, and, through that 
law, which 27 States have passed--yesterday was Elder Abuse 
Awareness Day, and we were pleased to announce that--we have 
reports coming in. So we can review--I have a stack of them on 
my desk here of the types of frauds that seniors are being 
exposed to.
    And especially now, during the COVID-19 pandemic, seniors 
are at home, they are being isolated, they are away from their 
friends and family who normally check on them to see how things 
are going and ensure that they are not online surfing the 
internet and being solicited by fraudsters.
    And so, it is critical during this time to reach out to 
your friends and family, check on them, make sure that things 
aren't unusual, red flags--I could talk about those all day--
but to continue to report suspected financial exploitation.
    I want to mention one thing about the financial industry, 
because we regulate on the State level the small businesses. 
And I know you guys are talking at a macro level, but on a 
micro level, we see the trickle down. I sit down with the 
victim investors and talk with them about the frauds that have 
impacted them, and some of them have been ripped off of their 
entire life savings, and it is a problem for all of us--
    Mr. Gottheimer. What do you think States--if I could just 
follow up on that--what do you think States can do, what should 
we equip States to do to be able to fight back and protect 
vulnerable populations from fraud? Are there things you would 
recommend?
    Ms. Senn. Congressman, yes. I mentioned in my opening 
remarks and in my written testimony, we--NASAA supports the 
Senior Investor Pandemic and Fraud Protection Act, and I 
believe that is legislation that you are interested in, which 
would allow States to apply for a grant. And I know we do a 
great job with the limited resources that we have, but, sir, we 
can do better.
    For example, in Alabama, we are able, through a small 
grant, to hire a victim service officer to assist our financial 
abuse victims, mostly seniors, with reporting and to provide 
that human element. So it is critical, yes--
    Mr. Gottheimer. Ma'am, I am glad you mentioned the 
legislation that I have drafted. The Senior Investor Pandemic 
and Fraud Protection Act does a lot, I think, that would really 
help in that effort to allow qualified States to apply for 
these grants, to be able to hire and train investigative staff, 
which seems like that would make a difference, whether it is 
purchasing technology and equipment or developing other 
materials to fight fraud.
    And I am going to ask unanimous consent, Mr. Chairman, to 
submit a series of letters from industry and consumer groups in 
support of this draft legislation into the record.
    Chairman Cleaver. Without objection, it is so ordered.
    Mr. Gottheimer. Thank you so much.
    I can't tell how much time I have left. Mr. Chairman, how 
much time is that? It is not coming up. How long?
    Chairman Cleaver. One minute.
    Mr. Gottheimer. One minute. So I will just say, as the 
world races to find a cure for COVID, Iranian and Chinese 
hackers have waged cyber attacks targeting American companies, 
universities, and research institutions, the pharmaceutical 
company Gilead Sciences, and the World Health Organization 
(WHO).
    Mr. Jaffer, in the time we have left, how vulnerable is our 
financial sector to state-sponsored hacking at this time?
    Mr. Jaffer. I think state-sponsored hacking is the biggest 
threat to our financial sector because of the capabilities they 
can bring to bear.
    If you think about what nation-states have, they have 
almost unlimited resources, both human and monetary, to throw 
at a problem. So, any single private-sector company, whether it 
is JPMorgan Chase or a small community bank like you were 
talking about, they simply don't have the resources to be able 
to go up against that kind of a threat.
    That is why we have to bring them together in a collective 
defense fabric, one bank with another, large banks with small 
banks, all coming together collectively to defend one another 
in this scenario. You just can't beat a nation-state at their 
own game.
    Mr. Gottheimer. Thank you, Mr. Jaffer.
    Ms. Senn, thank you for your answers.
    And thank you, again, to the chairman and the ranking 
member and our witnesses. I yield back.
    Chairman Cleaver. Thank you.
    The gentleman from Tennessee, Mr. Rose, is now recognized 
for 5 minutes.
    Mr. Rose. Thank you, Chairman Cleaver and Ranking Member 
Hill, for yielding and for holding this hearing today.
    I also want to thank our witnesses for their testimony and 
for their expertise.
    As the COVID-19 pandemic continues to impact our country, 
fraudsters and cybercriminals have seized the opportunity to 
prey on vulnerable Americans. They have exploited this crisis 
to infiltrate our institutions and are a systemic threat to our 
financial system.
    The number of cybersecurity complaints in the last 4 months 
has spiked to as many as 4,000 incidents a day.
    Ms. Senn, would you please outline to what extent we are 
seeing an increase? That is, is it exponential, or does it 
compare to fraud seen in the wake of other natural disasters?
    Ms. Senn. Thank you, Congressman.
    In my opinion, it is exponential. I can speak from my 
perspective here in Alabama and for other States that we have 
seen a dramatic, 50 percent uptick in the number of financial 
exploitation reports that are coming in during this time.
    Like I mentioned earlier, I have a stack of them on my 
desk, because primarily, seniors are at home alone. The 
computer is a source of social--it is a social platform. People 
are online more. They are ordering food and other items online. 
Shopping online is a tremendous source of fraud. They are being 
inundated with pop-up things, and people just don't know how to 
sort through BS and get to the legitimate sites.
    And our brokerage firms, you all mentioned small 
businesses, a lot of them are working from home. And so, we are 
working to ensure that controls are in place for the small 
businesses that we regulate on the financial side.
    Mr. Rose. Thank you.
    Cyber threat actors have been taking advantage of the 
crisis to undermine the U.S. Government, to prod systems for 
weaknesses, and stoke fear and confusion.
    Professor Jaffer, where are a majority of these cyber 
attacks originating from, and what has been their main target?
    Mr. Jaffer. Thank you, Congressman.
    Obviously, the vast majority of cyber attacks that come 
against our country are coming from a combination of nation-
states and fraudsters. So it depends on what we are talking 
about. If we are talking about major attacks on our banking 
system or the like, we have seen that come from countries like 
North Korea, and from Iran. We saw the 2016 and the 2012 
attacks on our banking system by Iran, and those continue 
apace.
    Our government is targeted by all manner of nation-states 
and patriotic hackers and the like. I don't really believe in 
patriotic hackers. Those are simply nation-states acting 
through proxies.
    At the end of the day, if we are really going to defend this 
nation when it comes to cyberspace, we have to realize that we 
have put the private sector on the front lines unlike any other 
scenario. We don't expect Target and Walmart to defend against 
Russian Bear Bombers coming across the horizon, yet today in 
cyberspace we expect exactly that of JPMorgan, Citibank, 
Walmart, Target, and every mom-and-pop institution, whether it 
is a bank or a bakery, to defend against the Russians, the 
Chinese, and the Iranians. That is simply an unsustainable 
scenario, and we have to bring the nation together.
    Large banks have to protect small banks. Large corporate 
institutions have to protect other smaller corporations. We 
have to take a supply chain mentality to this.
    And that is something that the government single-handedly 
can bring together and create that joint collaborative 
environment that the Cyberspace Solarium Commission talked 
about in order to make that happen. It requires us to move and 
act in real time. We can't simply wait and have the 
conversation a day or two later. By that time, your systems are 
down, sir.
    Mr. Rose. Picking up there, Professor Jaffer, have we given 
our law enforcement agencies and the criminal justice system 
the tools that we need to give them to combat this 21st Century 
challenge?
    Mr. Jaffer. Thank you for that question, Congressman.
    We have historically given a lot of the tools that our 
government needs. One of the challenges we face today, though, 
is that we have a debate in this country about the right 
authorities for police, the right authority for our 
intelligence community. You see the expired provisions of the 
USA Patriot Act. We are now in a pre-9/11 era when it comes to 
protecting ourselves against foreign nation-state threats and 
terrorist threats.
    The same is true of cybercriminals. Those same authorities 
we used are gone. And the fact that we haven't been able to 
come together as a country and reauthorize those provisions 
which are--one of which is controversial, two of which are 
absolutely noncontroversial, is really a concern. And we really 
have to come together and provide authorities and add 
authorities, as we are doing with the Secret Service, and 
resources to really address these threats.
    It is a hard thing to do in a time we are spending a lot of 
money on restarting our economy, but it is something we have to 
do if we are going to protect it in the long-term, sir.
    Mr. Rose. Quickly, one follow-up question. I have always 
felt like we probably were not getting to the easiest place to 
cut off the threat, so the providers of access to the internet. 
Do you think we have enough and a robust enough set of tools in 
that arena to combat crime in the cyber era?
    Mr. Jaffer. The providers do a lot today to take spam off 
the network and the like. Could we empower them with more 
capabilities, more authority, frankly, more information from 
the government? Absolutely.
    The truth is that we have been talking about the government 
giving classified information to the private sector to defend 
itself for the better part of almost a decade and a half. We 
have never really acted in a serious way. That is on the 
intelligence community on one side. But it is also on industry, 
because the industry has to show the government where the 
attack is from.
    And so, we have to create that shared situational 
awareness, but both sides have to play, and the government has 
to give more classified information to industry and in a form 
they can actually use it, sir, and that is the most important 
thing.
    It is one thing to pull somebody in a room and say, ``Here 
is a bunch of secrets.'' Walk out, you can't say anything about 
it. It is different to give them the actual information and let 
them use it to defend themselves.
    Chairman Cleaver. Thank you, Mr. Jaffer.
    Mr. Rose. Thank you. I yield back. I think I have run out 
of time, but the clock disappeared.
    Chairman Cleaver. Yes. Well, this is your gift for the day.
    Mr. Rose. I yield back.
    Chairman Cleaver. Ms. Wexton of Virginia, you have 5 
minutes.
    Ms. Wexton. Thank you, Mr. Chairman.
    And thank you to the witnesses for being with us today. 
This is a really fascinating and obviously a very timely 
discussion.
    One of the pieces of legislation that we are considering 
today is a bill that I am working on, the COVID-19 Restitution 
Assistance Fund for Victims of Securities Violations Act, which 
would create a fund at the SEC to provide restitution payments 
for individuals harmed by COVID-19-related securities fraud if 
they don't otherwise receive full restitution.
    Ms. Senn, I was pleased to hear you reference this bill in 
your opening remarks. Do you agree with this approach? Do you 
think that this is a positive piece of legislation?
    Ms. Senn. Overwhelmingly yes, Congresswoman. As a long-time 
prosecutor, 10 years of financial crime, I have spent many long 
hours on the topic of victims who will never see another cent 
of the money that was stolen from them by fraudsters. And, in 
Alabama, there is not a recovery fund for victims of financial 
crimes. And so, yes, Alabama and NASAA overwhelmingly support 
the establishment of this fund.
    Ms. Wexton. And you say in your testimony that victims of 
investment scams often have a hard time recovering their 
losses. Can you explain why that is, and what are some of the 
challenges that they faced in recovering their losses?
    Ms. Senn. Yes, ma'am. As my distinguished colleagues on the 
panel have mentioned several times, that money goes overseas, 
and we see it in the bank records. We coordinate regularly with 
our Federal partners. The FBI can provide us with the exact 
location, but we can't go out and get it.
    As Congress is aware, there are certain threshold 
requirements. Due to the limited resources, we have to allocate 
them properly. So, we can't go after Ms. Jones' $50,000 that 
she put as a down payment on her house. Maybe that came from a 
brokerage firm. It is just not possible to spend the money to 
go out and get that. And so, those people oftentimes have seen 
entire retirement accounts dissipated, and they have nowhere to 
turn. They don't have friends and family to look after them. So 
they turn to public welfare, and it is a sad situation. But 
victims of financial fraud need a recovery fund.
    Ms. Wexton. It is very sad that someone's entire life 
savings wouldn't be enough to go and recover it as best we can. 
But do you have any suggestions or thoughts about what other 
actions Congress can take to uncover and prosecute those who 
would commit fraud in this way?
    Ms. Senn. Yes, ma'am.
    As mentioned earlier, the States come together, we 
coordinate, and we communicate. If there is a fraudster in one 
State, we have internal communications where we ensure that our 
resources are being allocated properly so that we can go after 
these folks.
    And we are also coordinating with our Federal counterparts, 
the SEC, CFTC, FBI, and DOJ. But we all have limited resources. 
I know, on the State side, particularly with the financial 
fraud that we are seeing, everybody needs more money for 
technology.
    I am listening to my panelists, and I am shaking my head in 
agreement, yes, especially the smaller businesses. The 
cybersecurity protocols 20 years ago were nothing in 
comparison. You tried to make sure your computer was updated 
occasionally. And so, it is overwhelming to small businesses 
across the State, so I mention those things, money as always.
    Ms. Wexton. Great. Thank you so much, to all of you. With 
that, I will yield back, Mr. Chairman.
    Ms. Senn. Thank you.
    Chairman Cleaver. The gentlelady yields back.
    The Chair now recognizes Mr. Lynch from Massachusetts.
    Mr. Lynch. Thank you, Mr. Chairman. First of all, I want to 
thank you, Mr. Chairman, for holding this hearing, and also 
Ranking Member Hill. I want to thank our witnesses. They have 
all been terrific, and I really appreciate their testimony.
    Mr. Chairman, I don't have many more questions, but I sort 
of handle a similar topic over on the House Oversight and 
Reform Committee, where I chair the Subcommittee on National 
Security, and we sort of overlap. And one of the earlier 
questions was what evidence do you have as to the nature of 
some of these cyber intrusions.
    So, we have submitted a request to our intelligence 
agencies to do a classified briefing when we get back into D.C. 
And I was wondering if, Mr. Chairman, you would cosign that 
request and we would do a joint classified briefing so that we 
can get into some of the details of this that we cannot discuss 
in this forum, which is unclassified?
    But that is my one request. And it would be expanded not 
only to the cyber hacks, but, also, there is evidence that 
foreign actors are also online, exacerbating and disrupting 
some of the discussions around us reforming our criminal 
justice system and the brutal murder of George Floyd in 
Minneapolis.
    They have been piling on, on top of that issue, too, and we 
would like to drill down and see what actions some of these 
malign actors overseas, both government-wise but also 
individual hackers, have influenced that debate as well.
    So, that is all I have. I would love to have you join us. I 
think it is one of the common interests between our committees, 
and it is also bipartisan. It is shared among our colleagues.
    In closing, I do want to say that I fully endorse the 
Realignment Act that has been put forward by Mr. Heck and Mr. 
Williams, and I am happy to support that, and I will yield 
back. Thank you, sir.
    Chairman Cleaver. Thank you, Mr. Lynch. We look forward to 
working with you to see what--and I would ask Mr. Perlmutter as 
well, and Ranking Member Hill to sit down with you. I think we 
should work together on this issue.
    The Chair now recognizes the Chair of the Full Committee, 
the gentlewoman from California, Chairwoman Waters.
    Chairwoman Waters. I would like to thank you for convening 
this hearing on the cybersecurity threats and electronic fraud 
issues that have proliferated during the COVID-19 pandemic. 
Persistent cyber attacks on our financial system are not new. I 
don't know if you have had this discussion this morning, but I 
am concerned that some minority communities, and particularly 
those with higher limited-English-proficient populations, are 
more vulnerable to predatory practices and scams during the 
COVID-19 pandemic.
    For example, in the last financial crisis, consumer groups 
reported that borrowers with limited-English-proficiency paid 
thousands of dollars to scammers for foreclosure prevention 
help that never materialized, with cybersecurity complaints to 
the FBI increasing from 1,000 per day to 4,000 daily, which 
scams have been predominantly targeting seniors, minorities, 
and individuals with limited English proficiency during this 
pandemic.
    What can financial regulators and advocacy groups do to 
better protect and educate consumers in these communities 
against such threats?
    I would like to address this to all of our witnesses. Any 
one of you can start with a response to this if you have any 
information or advice about what is happening as this fraud is 
targeted toward these minority communities.
    Mr. Coleman. Chairwoman Waters, this is Kelvin Coleman with 
the National Cyber Security Alliance. I will start by saying 
that with the nation being over 360 million Americans in 50 
States and 6 territories, the National Cyber Security Alliance 
has been very successful in using force multipliers for trusted 
community groups to spread our message about cybersecurity 
awareness and education. I think this is the perfect 
opportunity to do that as well. So, utilizing and speaking with 
organizations that are trusted and embedded in those 
communities to carry our message forward, because oftentimes, 
these are low-hanging-fruit solutions that we can recommend to 
people.
    I know Amanda and Jamil and Tom are talking about some 
pretty sophisticated products and processes that the U.S. 
Government can look at. But when it comes to the average 
citizen, we need to be talking about more basics, like password 
protection, making sure that they are patching their systems, 
that they are up-to-date. And so, I would advocate utilizing 
those existing embedded community groups to really, again, use 
them as our force multiplier to get the message out there to 
them.
    Chairwoman Waters. Ms. Senn?
    Ms. Senn. Chairwoman Waters, I will add to Kelvin's comment 
that the States--we have discussed this--have provided 
translators in the communities in some of our States, because 
they know the communities, our State securities regulators 
understand their communities' needs, and they are able to 
partner with private industry to host workshops and investor 
education events and have folks there to translate.
    Chairwoman Waters. Thank you very much for that response.
    And I just want to say to the chairman, I thank you so very 
much. This is a subject that is going to get a lot of attention 
based on our new normal. So, thank you very much.
    I yield back the balance of my time.
    Chairman Cleaver. Thank you, Madam Chairwoman.
    Let me, at this time, thank all of the witnesses for their 
very helpful, insightful testimony.
    Without objection, I would like to offer letters of support 
for this hearing provided by the FACT Coalition; the National 
Association of Federally-Insured Credit Unions; a submission 
for the record by the Washington, D.C.-based think tank Third 
Way; and a number of letters of support for legislation to 
reauthorize and fund the Senior Investor Protection Grant 
Program.
    Without objection, it is so ordered.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    With that, this hearing is now adjourned.
    [Whereupon, at 1:44 p.m., the hearing was adjourned.]

