[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

CYBER CRIMINALS AND FRAUDSTERS: HOW BAD ACTORS ARE EXPLOITING THE FINANCIAL SYSTEM DURING THE COVID-19 PANDEMIC

=======================================================================

VIRTUAL HEARING

BEFORE THE

SUBCOMMITTEE ON NATIONAL SECURITY, INTERNATIONAL DEVELOPMENT AND MONETARY POLICY

OF THE

COMMITTEE ON FINANCIAL SERVICES

U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED SIXTEENTH CONGRESS

SECOND SESSION

__________

JUNE 16, 2020

__________

Printed for the use of the Committee on Financial Services

Serial No. 116-96

__________

U.S. GOVERNMENT PUBLISHING OFFICE
42-896 PDF WASHINGTON : 2021

HOUSE COMMITTEE ON FINANCIAL SERVICES

MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York            PATRICK McHENRY, North Carolina,
NYDIA M. VELAZQUEZ, New York              Ranking Member
BRAD SHERMAN, California                ANN WAGNER, Missouri
GREGORY W. MEEKS, New York              FRANK D. LUCAS, Oklahoma
WM. LACY CLAY, Missouri                 BILL POSEY, Florida
DAVID SCOTT, Georgia                    BLAINE LUETKEMEYER, Missouri
AL GREEN, Texas                         BILL HUIZENGA, Michigan
EMANUEL CLEAVER, Missouri               STEVE STIVERS, Ohio
ED PERLMUTTER, Colorado                 ANDY BARR, Kentucky
JIM A. HIMES, Connecticut               SCOTT TIPTON, Colorado
BILL FOSTER, Illinois                   ROGER WILLIAMS, Texas
JOYCE BEATTY, Ohio                      FRENCH HILL, Arkansas
DENNY HECK, Washington                  TOM EMMER, Minnesota
JUAN VARGAS, California                 LEE M. ZELDIN, New York
JOSH GOTTHEIMER, New Jersey             BARRY LOUDERMILK, Georgia
VICENTE GONZALEZ, Texas                 ALEXANDER X. MOONEY, West Virginia
AL LAWSON, Florida                      WARREN DAVIDSON, Ohio
MICHAEL SAN NICOLAS, Guam               TED BUDD, North Carolina
RASHIDA TLAIB, Michigan                 DAVID KUSTOFF, Tennessee
KATIE PORTER, California                TREY HOLLINGSWORTH, Indiana
CINDY AXNE, Iowa                        ANTHONY GONZALEZ, Ohio
SEAN CASTEN, Illinois                   JOHN ROSE, Tennessee
AYANNA PRESSLEY, Massachusetts          BRYAN STEIL, Wisconsin
BEN McADAMS, Utah                       LANCE GOODEN, Texas
ALEXANDRIA OCASIO-CORTEZ, New York      DENVER RIGGLEMAN, Virginia
JENNIFER WEXTON, Virginia               WILLIAM TIMMONS, South Carolina
STEPHEN F. LYNCH, Massachusetts         VAN TAYLOR, Texas
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

Charla Ouertatani, Staff Director

Subcommittee on National Security, International Development and Monetary Policy

EMANUEL CLEAVER, Missouri, Chairman

ED PERLMUTTER, Colorado                 FRENCH HILL, Arkansas, Ranking
JIM A. HIMES, Connecticut                 Member
DENNY HECK, Washington                  FRANK D. LUCAS, Oklahoma
BRAD SHERMAN, California                ROGER WILLIAMS, Texas
JUAN VARGAS, California                 TOM EMMER, Minnesota
JOSH GOTTHEIMER, New Jersey             ANTHONY GONZALEZ, Ohio
MICHAEL SAN NICOLAS, Guam               JOHN ROSE, Tennessee
BEN McADAMS, Utah                       DENVER RIGGLEMAN, Virginia, Vice
JENNIFER WEXTON, Virginia                 Ranking Member
STEPHEN F. LYNCH, Massachusetts         WILLIAM TIMMONS, South Carolina
TULSI GABBARD, Hawaii                   VAN TAYLOR, Texas
JESUS ``CHUY'' GARCIA, Illinois

C O N T E N T S

----------

                                                                    Page
Hearing held on:
    June 16, 2020 .... 1
Appendix:
    June 16, 2020 .... 35

WITNESSES

Tuesday, June 16, 2020

Coleman, Kelvin, Executive Director, National Cyber Security Alliance .... 9
Jaffer, Jamil N., Founder and Executive Director, National Security Institute, and Assistant Professor of Law and Director, National Security Law & Policy Program, Antonin Scalia Law School, George Mason University .... 10
Kellermann, Tom, Head, Cybersecurity Strategy, VMware, Inc. .... 5
Senn, Amanda, Chief Deputy Director, Alabama Securities Commission, and Chair, Cybersecurity Committee, North American Securities Administrators Association (NASAA), on behalf of NASAA .... 7

APPENDIX

Prepared statements:
    Coleman, Kelvin .... 36
    Jaffer, Jamil N. .... 41
    Kellermann, Tom .... 53
    Senn, Amanda .... 57

Additional Material Submitted for the Record

Cleaver, Hon. Emanuel:
    Written statement of Americans for Financial Reform .... 68
    Written statement of NAFCU .... 69
    Written statement of Third Way .... 71
Gottheimer, Hon. Josh:
    Letters of support from various organizations for the Senior Investor Pandemic and Fraud Protection Act .... 116
Hill, Hon. French:
    Written statement of the American Securities Association .... 134
    Written statement of the Consumer First Coalition .... 140
Jaffer, Jamil:
    Written responses to questions for the record from Representative Hill .... 142
Kellermann, Tom:
    Written responses to questions for the record from Representatives Perlmutter and Hill .... 145

CYBER CRIMINALS AND FRAUDSTERS: HOW BAD ACTORS ARE EXPLOITING THE FINANCIAL SYSTEM DURING THE COVID-19 PANDEMIC

----------

Tuesday, June 16, 2020

U.S. House of Representatives,
Subcommittee on National Security, International Development and Monetary Policy,
Committee on Financial Services,
Washington, D.C.

The subcommittee met, pursuant to notice, at 12:01 p.m., via Webex, Hon. Emanuel Cleaver [chairman of the subcommittee] presiding.

Members present: Representatives Cleaver, Perlmutter, Himes, Heck, Sherman, Vargas, Gottheimer, Wexton, Lynch, Garcia of Illinois; Hill, Lucas, Williams, Emmer, Gonzalez of Ohio, Rose, Timmons, and Taylor.

Ex officio present: Representative Waters.

Chairman Cleaver. The Subcommittee on National Security, International Development and Monetary Policy will come to order. Without objection, the Chair is authorized to declare a recess of the subcommittee at any time. Also, without objection, members of the full Financial Services Committee who are not members of this subcommittee are authorized to participate in today's hearing.

Members are reminded to keep their video function on at all times, even when they are not being recognized by the Chair. Members are also reminded that they are responsible for muting and unmuting themselves, and to mute themselves after they have finished speaking. Consistent with the regulations accompanying H. Res. 965, staff will only mute Members and witnesses as appropriate when not recognized to avoid inadvertent background noise. Members are reminded that all House rules relating to order and decorum apply to this remote hearing.

Today's hearing is entitled, ``Cyber Criminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.''

I now recognize myself for 4 minutes for an opening statement.

Let me, first of all, thank Lisa and the rest of the committee staff who have worked so hard to make this and all of our committee hearings possible. As the pandemic continues to move through our communities and our country, and to devastate the physical health of our citizens, it has managed to also infect the economic health of our nation.
Congress, through a bipartisan effort, passed the CARES Act, which unlocked unprecedented relief to families and small businesses, relief that, according to the Federal Reserve, may not be enough to prevent a long and protracted economic downturn. Nevertheless, significant investments were made to rescue millions of working citizens. In this time of suffering and hardship for so many, we are seeing criminal actors here at home and around the world redoubling their efforts to target families, financial institutions, and even arteries of government. Poverty and exploitation are indivisible evils. They have been long-time sidekicks. Just last month, the FBI unsealed a criminal indictment of what looks to be the first case of COVID-19-related money laundering and fraud brought by the Department of Justice. The criminal charge relates to a healthcare provider claiming to offer free COVID tests, but billions of Medicare dollars are being wasted. According to the Federal Trade Commission, there are nearly 1,000 reports of COVID-19-related fraud totaling over $0.5 million in my home State of Missouri. This is a fraction of the nearly 100,000 fraud reports nationwide totaling $60 million reported by the Commission. I would like to highlight that these reports do not even fully capture the full landscape of COVID-19-related fraud. The FBI's Criminal Investigative Division notes that there has been potentially $126 million in Paycheck Protection Program (PPP) fraud. We are seeing a 75-percent spike in daily cybercrimes reported by the FBI since the start of the pandemic. The Financial Crimes Enforcement Network (FinCEN) is doing what it can by putting out advisories warning consumers and financial institutions of the proliferation of criminal schemes. Last month, FinCEN released warnings of COVID-related medical schemes in what would be the first of several advisories that FinCEN intends to issue concerning financial crimes relating to the COVID-19 pandemic. 
However, it is abundantly clear that our financial security systems are being taxed right now. The FBI, in their testimony before the Senate Judiciary Committee last week, noted that the sheer volume of complaints that the Internet Crime Complaint Center is receiving is presenting a challenge for the FBI's criminal program. In response, the FBI started a PPP Fraud Working Group with the Department of Justice and the Small Business Administration's Inspector General to triage the overwhelming caseload. The thieves and fraudsters that are targeting consumers are not just at home, but they are indeed everywhere. International law enforcement coordinating agencies, Interpol and Europol, have highlighted their efforts to target cross-border criminals.

There is some positive news. We have done something to help address this as a committee and as a Chamber. Last year, we unanimously passed through the House the COUNTER Act. The bill closed a number of loopholes that have allowed financial crimes to be committed, and pulls us into the 21st Century by positioning the U.S. to face tomorrow's challenges. I look forward to hearing from all of you on these important issues.

The Chair now recognizes the ranking member of the subcommittee, the gentleman from Arkansas, Mr. Hill, for 4 minutes for an opening statement.

Mr. Hill. I thank the chairman. I appreciate you convening this virtual hearing. And I appreciate the witnesses being with us today to share their expertise. Mr. Chairman, I have a letter from the American Securities Association that I would like to enter into the record. Thank you very much.

Chairman Cleaver. Without objection, it is so ordered.

Mr. Hill. Thank you. I appreciate our ability to innovate. My thanks, too, to the staff for providing this foundation for our virtual hearings. We had a roundtable a few days ago on this topic, and I thank the chairman for holding this formal hearing and returning to this topic.
It is an important dialogue as it relates to our constituents: national security. And featuring it in a hearing means that our discussion will be cataloged in our official records. As we continue our essential work, I do hope that in the coming months, we are able to hold bipartisan hearings on the following topics that I think are important before our committee. First of all, the Committee on Foreign Investment in the United States (CFIUS). We are required annually to conduct oversight on CFIUS, and we made significant reforms in the last Congress, and I hope we can have a hearing on that. Also, monetary policy. We will be having Federal Reserve Chair Jay Powell before the Full Committee this week, but I think it is important for us to look at monetary policy in the face of the unprecedented actions taken by the Fed to expand its balance sheet. And finally, the international financial institutions and how they are responding to COVID-19 across the world, particularly in our emerging markets. I thank the chairman for the opportunity to work on these issues for future hearings. Cybersecurity and the need for strong cyber protocols has long been a topic of discussion in this committee, and the virus has only underscored the need and showcased the vulnerabilities that we have in certain aspects of our financial ecosystem. According to the FBI Internet Crime Complaint Center (IC3), the number of cybersecurity complaints to the IC3 in the last 4 months has spiked from typically 1,000 daily before the pandemic to as many as 4,000 incidents a day. Furthermore, a survey conducted last month by VMware Carbon Black, one of our witnesses today, found that 80 percent of surveyed banks reported year-on-year increases in cyber attacks within the financial services sector. This year, those attacks have surged 238 percent from February to April. 
As many businesses and financial institutions are adapting to the new teleworking policies and the challenges that come from working remotely, it is imperative that they have the right infrastructure in place to handle new security protocols and sensitivities. Just last week, the FBI announced that bad actors are seeking to exploit customers through mobile banking, and recommended that consumers take proper precautions. These attacks can take various shapes and infiltrate in a variety of ways, even here in Arkansas. I noted in the roundtable a few weeks ago that we had a PPP program that was a fraud attempt. Fortunately, that person has been arrested and charged with bank fraud. I look forward to hearing from our witnesses today on how we can best combat these accounts.

Before I close, I would like to quickly touch on China and the threat to cybersecurity. The U.S. has been the target of cyber attacks from nation-states and nonstate actors for over 20 years. But in the months of outbreak in the virus in the United States, cyber espionage from China, Russia, and Iran has spiked. Cyber threat actors are taking advantage of this crisis to attempt to undermine the U.S. Government and probe our systems in the private sector and public sector for weakness, and to stoke fear and division and confusion here at home. According to the FBI, China has been observed attempting to identify and illicitly obtain valuable intellectual property (IP), and public health data related to vaccine treatments and testing from our networks throughout our country. We cannot allow the actions of a few bad actors and foreign threats to inhibit our financial institutions.

I thank the Chair. I yield back, and I look forward to the discussion today.

Chairman Cleaver. Today, we welcome the testimony of, first, Mr. Tom Kellermann. Mr. Kellermann currently serves as the chief cybersecurity officer for VMware Carbon Black.
Prior to this, he was the CEO and founder of Strategic Cyber Ventures, and served as the Commissioner on President Barack Obama's Commission on Cybersecurity. In 2003, he coauthored the book, ``Electronic Safety and Soundness: Securing Finance in a New Age.'' And in 2017, he was appointed as the Wilson Center's Global Fellow for Cyber Policy. Thank you for appearing before this subcommittee.

Second, we have Mr. Kelvin Coleman. Mr. Coleman currently serves as executive director of the National Cyber Security Alliance, an organization focused on cybersecurity awareness for home users, businesses, and educational institutions. Mr. Coleman comes to this position with 20 years of experience. He served in the White House, having worked on President Bush's and President Obama's National Security Telecommunications Advisory Committee and National Security Staff, the U.S. Department of Homeland Security, as well as the private sector. Thank you for appearing before this subcommittee.

Third, we have Ms. Amanda Senn. Ms. Senn is testifying on behalf of the North American Securities Administrators Association (NASAA), where she chairs their Cybersecurity Committee. NASAA represents State and provincial security regulators in the United States, Canada, and Mexico. NASAA members are the closest regulators to local communities, small businesses, and the investing public throughout North America. Ms. Senn is also the chief deputy director of the Alabama Securities Commission, the State securities regulator. Thank you for appearing before this subcommittee.

And fourth, Mr. Jamil Jaffer currently serves as the founder and executive director of the National Security Institute. He is also assistant professor of law and the director of the National Security Law and Policy Program at the Antonin Scalia Law School at George Mason University. Additionally, he is vice president of IronNet Cybersecurity, a startup technology firm.
Prior to these positions, he served as Senior Counsel on the House Permanent Select Committee on Intelligence under Chairman Mike Rogers, as well as Assistant Counsel to the President in the Bush Administration. Thank you for appearing before the subcommittee.

Witnesses are reminded that your oral testimony will be limited to 5 minutes. A chime will go off at the end of your time, and I ask that you respect the members' and the other witnesses' time by wrapping up your oral testimony. And without objection, your written statements will be made a part of the record.

Mr. Kellermann, you are now recognized for 5 minutes to give an oral presentation of your testimony.

STATEMENT OF TOM KELLERMANN, HEAD, CYBERSECURITY STRATEGY, VMWARE, INC.

Mr. Kellermann. Thank you. Chairman Cleaver, Ranking Member Hill, members of the subcommittee, I am Tom Kellermann, head of cybersecurity strategy for VMware, Inc. Thank you for the opportunity to testify again before the subcommittee today.

America is grappling with a cyber insurgency, and our financial sector is the number one target. A recent report issued by the World Economic Forum states that the dark web economy of scale will be the third-largest economy in the world by 2021. During the first 5 months of 2020 alone, cyber attacks against the financial sector have increased by 238 percent. This is compounded by the 900-percent increase in ransomware attacks. Cyber criminals are capitalizing on COVID-19, and they are doing so in tandem with the news cycle.

Over the past 6 months, cyber defenders have seen a high level of coordination from cyber criminals who are demonstrating significant innovation to maintain persistent and even counter-incident response efforts. This includes ransomware campaigns, business email compromise scams, and access mining. Criminals are increasingly sharing resources and information and reinvesting their illicit profits into the development of new and even more destructive capabilities.
The cybercrime community has educated themselves as to the interdependencies that exist in the financial sector, and they have begun to commandeer these very interdependencies to manifest criminal conspiracies. Thirty-three percent of surveyed financial institutions said that they have encountered, ``island hopping.'' This is an attack where the supply chains and partners are commandeered to target the primary financial institution. Once that bank is compromised, the criminals use the digital infrastructure to attack that bank's customers. It is also notable that a few rogue nation-states are offsetting economic sanctions via attacks on our payment systems.

The international financial system is constantly facing new threats as technology proliferates and diversifies. There is an increasing number of security breaches and thefts on digital currency exchange platforms, as well as the misuse of these platforms by cybercriminals to launder stolen money. Dark web forums enabled by anonymous virtual currencies have created a bazaar for criminals and organized crime to reach a global market. In addition to organized crime, extremist organizations are also known to use alternative payment systems for operational purposes and to raise funds. Many of these payment systems and cryptocurrencies offer true or relative anonymity. This raises the necessity of increased regulation of digital money.

In 2020, cybercrime conspiracies will become increasingly punitive and destructive. In fact, one out of four cyber attacks today are destructive. Fintech firms themselves present significant operational risks, lacking the proper incentive for proper intrusion detection as well as ``know thy customer'' anti-money-laundering protocols under the Bank Secrecy Act. Given that 50 percent of all crimes now have a cyber component, it is high time that we follow the money to create an international e-forfeiture fund.
The modern epidemic of cybercrime and cyber espionage can be mitigated through modernization of existing authorities to combat cyber money laundering. Virtual currencies and other alternative payment systems that facilitate money laundering associated with existing cybercrimes, as well as terrorist financing, must be held to account.

In closing, the safety and soundness of the financial sector is dependent on proactive policy. I would like to highlight six opportunities for legislative actions for the subcommittee's consideration.

First, any money laundering and forfeiture regulations must be modernized to seize the virtual currencies and digital payments which are used in cybercrime conspiracies.

Second, I ask the House to pressure the Senate to pass the COUNTER Act, H.R. 2514, that passed out of the House under Chairman Cleaver's leadership.

Third, charge the Financial Stability Oversight Council (FSOC) with the responsibility to create a framework for regulating cryptocurrencies and developing guidelines for strong protections against money laundering and cyber threats to those marketplaces.

Fourth, elevate chief information security officers to directly report to the CEOs of financial institutions.

Fifth, establish a tax credit for financial sector companies to dedicate at least 10 percent of their IT budgets towards cybersecurity.

And lastly, support the House passage of S.3636, the United States Secret Service Mission Improvement and Realignment Act of 2020, which moves the Secret Service back to its original home at the Department of the Treasury.

Chairman Cleaver, Ranking Member Hill, thank you for the opportunity to participate in this morning's important hearing. I am happy to answer any questions the subcommittee may have.

[The prepared statement of Mr. Kellermann can be found on page 53 of the appendix.]

Chairman Cleaver. Thank you, Mr. Kellermann.

Ms. Senn, you are now recognized for 5 minutes to give an oral presentation of your testimony.

STATEMENT OF AMANDA SENN, CHIEF DEPUTY DIRECTOR, ALABAMA SECURITIES COMMISSION, AND CHAIR, CYBERSECURITY COMMITTEE, NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION (NASAA), ON BEHALF OF NASAA

Ms. Senn. Good morning, Chairman Cleaver, Ranking Member Hill, and members of the subcommittee. My name is Amanda Senn, and I am chief deputy director of the Alabama Securities Commission, and Chair of the Cybersecurity Committee for the North American Securities Administrators Association, or NASAA. I am pleased to testify today before the subcommittee on behalf of NASAA.

States are leaders in prosecuting securities violations, and our focus is on protecting retail investors. History has shown that opportunistic fraudsters will use COVID-19, much as they have in other crises, to fleece mom-and-pop investors. Acting within the framework of NASAA, State securities regulators have formed a task force to root out and shut down fraud related to COVID-19. This initiative is being led by NASAA's Enforcement Committee and includes more than 100 investigators from the vast majority of our member jurisdictions. The objective of this task force is to disrupt, discourage, and deter fraudulent or illegal activities which pose threats to investors before significant losses can occur. This task force is proactively protecting investors against fraud through the broad dissemination of enforcement orders, notices, and warnings.

As the subcommittee is aware, the proliferation of technology has changed how we solicit, manage, and communicate with those handling our investments. For that reason, this task force is using online investigative techniques to identify websites and social media posts that may be offering or promoting investment fraud or unregistered regulated activities. Unfortunately, though, fraudsters are evolving with technology.
For example, earlier this month, my office received three separate reports pursuant to Alabama's financial exploitation reporting law, which indicated individuals had become victims of an online fraud scheme. These victims had visited the web page of a very reputable broker, and they discovered they were unable to log in. Upon their attempts, they received a screen with a help button. The individuals were instructed to call a 1-800 number, and the person who answered the phone told the victims that the broker's website was down because 5G towers were being placed in California. That person then instructed the callers to log into their accounts with information that was provided by the suspect. The victims logged in as instructed, and shortly thereafter, wire transfers were initiated from their account to overseas banking accounts. During an interview with the firm last Friday, our case agent learned that $1.2 million had already been stolen from the accounts of investors. It is believed that malware was responsible for redirecting the victims from the legitimate web page to the fraudulent knockoff site. To date, at least 84 victims nationwide have been impacted, and the numbers continue to rise. At one time, this crime would have likely been perpetrated by a person that local authorities could readily identify through the use of subpoenas and search warrants. In the digital age, however, regulators are confronted with numerous evidentiary challenges which, given limited resources, make it difficult to investigate and prosecute these cases. States are, however, committed to our investor protection mission regardless of the means used to rip off our investors. The committee has invited NASAA to share its views regarding legislative proposals that have been posted in connection with today's hearing. I want to just mention two. The first is the Senior Investor Pandemic and Fraud Protection Act. 
This would implement the Senior Investor Protection Grant Program that was originally authorized by Section 989(A) of the Dodd-Frank Act, but was never put into effect. This bill would also expand the scope of the grant to include frauds related to COVID-19. And under the bill, State regulators could apply for up to $500,000 annually in grant funding to combat financial fraud of seniors and vulnerable adults in cases related to the pandemic. This would extend for a maximum of 2 years. The grant funds could be used to hire staff to investigate fraudulent conduct, to acquire technology and equipment, and to train investigators and prosecutors to target COVID-19 fraud, and also to provide important educational materials to seniors and vulnerable adults. NASAA strongly supports this bill, and so do at least 11 other organizations, and we urge Congress to act on it.

The second is the COVID-19 Restitution Assistance Fund for Victims of Securities Violations Act, which would create a fund at the SEC to provide restitution payments for individuals in connection with securities fraud related to coronavirus if they do not otherwise receive full restitution. As you can imagine, in financial fraud cases, once the money is gone, often, it is never recovered. Some States have enacted similar legislation with great success, and we strongly support this bill.

Thank you again for the opportunity to testify, and I will be pleased to answer any questions you may have.

[The prepared statement of Ms. Senn may be found on page 57 of the appendix.]

Chairman Cleaver. Thank you for your testimony, Ms. Senn.

Mr. Coleman, you are now recognized for 5 minutes to give an oral presentation of your testimony.

STATEMENT OF KELVIN COLEMAN, EXECUTIVE DIRECTOR, NATIONAL CYBER SECURITY ALLIANCE

Mr. Coleman. Chairman Cleaver, Ranking Member Hill, and members of the subcommittee, thank you for inviting me to today's hearing. It is a pleasure to join Tom, Amanda, and Jamil.
My name is Kelvin Coleman, and I am the executive director of the National Cyber Security Alliance (NCSA). NCSA's core mission is to build strong public-private partnerships to create and implement broad-reaching cybersecurity, education, and awareness initiatives. The United States confronts a dangerous combination of both known and unknown cyber vulnerabilities. We face adversaries who are strong and rapidly expanding with ever-increasing cyber capabilities to breach our networks. During today's hearing, we will examine cyber threats and the bad actors who are exploiting the COVID-19 crisis. We will have robust discussions of tools, techniques, and procedures used by these bad actors. And we will certainly deliberate on the products and processes we put into place to mitigate those challenges. And while products and processes are important, I believe we need to focus even more on encouraging and supporting partnerships. I am going to talk a lot about partnerships today, and that is exactly what the National Cyber Security Alliance focuses on. In the words of Michael Madden of Mimecast, NCSA is the lead in building community defense through partnerships for our nation. This is especially true during the COVID-19 era. Tonia Dudley and her team at Cofense are seeing threat actors that continue to exploit the Paycheck Protection Program and SMB funding initiatives in several sophisticated phishing campaigns. Because of this type of threat and many others, NCSA, our board companies, Federal partners, and nonprofit collaborators have worked swiftly to provide organizations and individuals with relevant and helpful information to help address security and privacy concerns during the global COVID-19 outbreak. We have built what we call the COVID Security Resource Library, and folks have found it extraordinarily helpful. 
And with the help of companies like Trend Micro and Generali Global Assistance, we also created a COVID-19 webinar series for small and medium-sized businesses.

Of course, bad actors were committing malicious acts before COVID-19, and they will certainly do so after this crisis subsides. To deal with threats in our continuously connected society, NCSA leads a number of other initiatives, including Cybersecurity Awareness Month, Data Privacy Day, and the CyberSecurity My Business program. And while these programs and resources provide tremendous value in the fight to protect Americans, I will say it again: partnerships are our biggest assets. And the private sector is incredibly important in this fight.

The Federal Government plays an equally important role in cybersecurity and educational awareness. Chief among NCSA's Federal partners is the Cybersecurity and Infrastructure Security Agency (CISA). They have been very helpful in the fight to help Americans secure their networks. And I must say, CISA is very engaged, very responsive, and very supportive overall.

NCSA, in coordination with our partners, has put a lot of effort into building a more secure, interconnected world. In the words of Kristina Dorville at AIG, bad actors are communicating, and bad actors are coordinating, so why shouldn't the good guys?

With that said, there is still so much to be done. Congress should consider making game-changing investments into cybersecurity awareness and education, investments that could benefit the American people as well as the small and medium-sized business community. As Americans begin to rely more heavily on telework, bad actors will increase their malicious activities and target those working from home. Americans must be equipped with the knowledge to protect themselves, their families, and their communities.
Congress can and should play an important role in making sure Americans understand the many dangers of inadequately securing their systems, devices, and information. Thank you, Mr. Chairman, and I look forward to answering the subcommittee's questions. [The prepared statement of Mr. Coleman can be found on page 36 of the appendix.] Chairman Cleaver. Thank you, Mr. Coleman. Mr. Jaffer, you are now recognized for 5 minutes to give an oral presentation of your testimony. STATEMENT OF JAMIL N. JAFFER, FOUNDER AND EXECUTIVE DIRECTOR, NATIONAL SECURITY INSTITUTE, AND ASSISTANT PROFESSOR OF LAW AND DIRECTOR, NATIONAL SECURITY LAW & POLICY PROGRAM, ANTONIN SCALIA LAW SCHOOL, GEORGE MASON UNIVERSITY Mr. Jaffer. Thank you, Mr. Chairman. Thank you, Chairman Cleaver, Ranking Member Hill, and members of the subcommittee, for being here today and for inviting me to talk about the very real threats that face our nation and the U.S. financial sector and those of our allied nations. As you know, the threats to our financial sector have been real and serious for decades. They have become particularly problematic in the context of the current pandemic. I want to note your leadership, Mr. Chairman, for calling out the very real threat of Iranian attacks on the United States, including on our financial infrastructure, for protecting our oil and natural gas pipeline infrastructure, and for fighting actively against overt and covert disinformation efforts online, including those that seek to divide us as a nation. In addition, Ranking Member Hill, I want to thank you for your leading efforts on identity theft, for your sanctions against Russia for its meddling in the 2016 election, and for your efforts to press NATO to extend its security umbrella to cover cyberspace, and ensuring that we continue to enjoy and innovate the military superiority in the cyber arena. 
I think it is critical today that we identify the very real threats that we face as a nation in the financial sector and take action immediately to address them. In a 2019 letter to shareholders, the CEO of JPMorgan Chase, Jamie Dimon, noted that the threat of cybersecurity may very well be the biggest threat to the U.S. financial system writ large. For the fourth year in a row, in 2019, IBM assessed that the financial insurance sector was the most targeted sector in our economy, with 17 percent of all attacks at the top 10 most attacked industries. The DNI, in January 2019, noted the attacks from North Korea, estimating almost $1.1 billion in worldwide theft of resources from the financial sector, including $81 million from the New York Federal Reserve account of Bangladesh's central bank. And yet, given that significant threat already facing the financial sector, we have seen a dramatic increase in financial sector threats since the COVID pandemic began. In fact, the FBI and the U.K.'s National Cybersecurity Center noted that they are seeing criminal activities on a scale likely to dwarf anything seen before, taking place at a speed that is breathtaking, with a sheer variety of fraud that is shocking. These are very serious threats. Carbon Black, the company that Tom represents, saw ransomware attacks increase 148 percent in March 2020 over the baseline from just the prior month. And the financial sector was the single largest target of those increases in ransomware attacks, with a 38 percent increase in attacks. We have seen attacks in Washington State, where the unemployment system has lost hundreds of millions of dollars in the post-COVID environment. And it isn't just here in the United States. In Germany, the state of North Rhine-Westphalia lost between $35 million to $110 million in fraudulent payments based on 3,000 fake requests in the post-COVID environment. 
We have seen reports coming out of many government agencies, including the FBI, as well as CISA and other agencies, and we have noted that it isn't simply an attack limited to the United States. We have seen North Korea go around the world. And what was at one point $1 billion, in the DNI's testimony, back in January 2019, by the end of 2019 had become $2 billion, nearly a doubling of their financial sector targeting effects. And they are doing more currently, as we speak. And it is not just North Korea. We see China and Russia active in this space. And we see other actors, as Tom Kellermann mentioned, the actors that are nonstate actors, including potential terrorist and extremist groups, taking advantage of the weaknesses in our money laundering systems and the like to exploit our systems to engage in both financial fraud as well as movement of illicit funds. This is a critical issue that we must confront. And as this committee, I think there are five things that you ought to consider. First, Juan Zarate, and members of this committee, have suggested that the Secret Service ought be moved back from DHS to the Treasury Department. I think this is a positive move and would help the Secret Service retain its role in cybersecurity. Second, I think this committee ought to consider offering the Treasury Department an operational role in cybersecurity, giving them the resources and the capability to engage directly with the financial sector and with the intelligence community that they are already a part of to gather information, send it back out to the community, and bring both the public and private sectors together in this critical industry. 
Third, it is important that the committee consider working with the Treasury Department and other departments and agencies to create what the Cyberspace Solarium Commission recommended: a joint collaborative environment where industry and the government could come together in real-time to share threats and to actually collaborate on those threats, not just information-sharing but actual real-time collaboration. Finally, the committee ought to consider working with Treasury and encouraging them to launch efforts with key allies, as Juan has suggested, to recreate in the G-7 things like the Financial Action Task Force in the anti-money-laundering (AML) arena. AML is a critical issue in this environment where tremendous amounts of money are being sent around by governments and the like, and it is critical that we take action now to address the AML concerns. And finally, it is important that our government work closely with NATO to expand out our efforts to protect our allies in Europe and elsewhere around the globe. Thank you very much, and I look forward to your questions. [The prepared statement of Mr. Jaffer can be found on page 41 of the appendix.] Chairman Cleaver. Thank you, Mr. Jaffer. That is the conclusion of our witnesses' statements. I now recognize myself for 5 minutes for questions. I would like to spend just a little time talking about the sheer volume of Americans who find themselves teleworking, and the threat that poses to the financial system. As I mentioned earlier in my opening statement, one-third of the world's populations were in lockdown, and up to 90 percent of financial services employees, banking and insurance companies, were working from home. We started our conversation today, but earlier, we had a roundtable where we talked about network security. And I believe it was Mr. Kellermann who said that financial institutions have had the best security in the world. 
But teleworking and Russian dark web customized malware has allowed adversaries to leverage ways around network defenses. You noted something that I thought was interesting, and I think we sought to address in the COUNTER Act, which is the need for both firms and regulators to be innovative in the way they confront these new fintech criminal techniques. Mr. Kellermann, and Mr. Coleman, can you both talk a bit about how financial institutions can improve the way in which we can go after these financial criminals and stop these breaches? Mr. Kellermann. Thank you. I would be happy to address that. First and foremost, we need the defensive line set at the top. The chief information security officers of the financial institutions have been marginalized for too long, and their perspective and their stratagems are not being enacted fully as they compete for resources with chief information officers (CIOs). Second, I think more proactive cyber threat hunting must occur not only within financial sector participants but across the information supply chain and extend to shared service providers. Cyber threat hunting is much like you need to make sure no one is in the bank vault when you close the doors for the day, not just conducting vulnerability assessments to see if the locks are working or the alarms are working. And then lastly, because of telework, the major security provisions that have been put in place by banks are no longer effective because the network security paradigm can be bypassed by those VPN tunnels that allow access to those systems. So, I think better forms of authentication and just-in-time administration should be granted within those ecosystems as well. Chairman Cleaver. Thank you. I have a question for Mr. Coleman, but let me just follow up, Mr. Kellermann. You know that all of the members on this committee live in communities. And I am wondering, what do you suggest we do? We have many, many, many banks in our communities. 
We have all kinds of financial institutions. How do we get to them to implement some of the things that you are presenting to us today? They are not going to participate in our hearings, but they are struggling. What can we do nationally to deal with this issue? Mr. Kellermann. I think that we can incent them through tax incentives for investment in cybersecurity as well as inspire the regulators, whether they be State regulators or national regulators of the Federal Financial Institutions Examination Council (FFIEC), to incorporate this construct of cyber threat hunting. Because with cyber threat hunting, it eliminates the veil of plausible deniability that you may or may not have a problem. When you conduct a cyber threat hunt, and you identify a bad actor inside your network, it is something that must be acted on immediately. And so, it really provides game day film on what the priority should be in the near term. Chairman Cleaver. Thank you. Mr. Coleman, what can we do, what can businesses and educational institutions do to protect themselves and those they serve? Mr. Coleman. Mr. Chairman, our friends at Proofpoint have said to me that defenders don't focus on people but attackers do, meaning 90 percent-plus of effective breaches come through to an end user or to a person. So those breaches that happen, 90 percent of them are because of some human action or behavior. But only about 20 percent, a little less than 20 percent of training dollars, awareness dollars actually go to that end user. I think we need to flip that. I think we need to encourage businesses to put more investment into their training and awareness. The way we do with, unfortunately, active shooter training or inclement weather training, these other trainings that we have, we absolutely need to do that with cybersecurity as well. Not so ironically, Americans are hit every single day with these attacks and breaches. 
Yet, many of them, particularly in the business community, are only getting training once, maybe twice a year. At the National Cyber Security Alliance, we are encouraging people to perhaps get to the gold standard of once-a-month training and awareness as it relates to cybersecurity because the threats are evolving so quickly, and we need to be able to educate those folks. Chairman Cleaver. Thank you, Mr. Coleman. I appreciate that. My time is up, so I will now recognize the distinguished ranking member of the subcommittee, Mr. Hill, for 5 minutes for questions. Mr. Hill. I want to thank the chairman for the hearing. I appreciate our excellent witnesses. Let me start with Mr. Kellermann. Thanks for coming to the roundtable a few days ago. I wanted to follow up. We talked a little bit about coordination with the regulators at that roundtable. But you made a comment in your testimony today that I thought was interesting about lack of security among fintechs. You used the words, ``operational risk.'' Could you get more specific? Are you talking about their AML/BSA compliance on their platforms? Are you talking about their lack of use of APIs? Give me a little color context on your concern about fintech applications. Mr. Kellermann. Whereas, fintechs are the tip of the spear vis-a-vis technological renaissance occurring in the financial sector, we at VMware Carbon Black have noted increased attacks against the APIs of fintech vendors to bypass security controls they have in place and to leverage what is called island hopping, which is where they attempt to take over the digital infrastructure that was built by that vendor and then use it to attack those who implicitly trust it. 
This ``island hopping'' phenomenon is my biggest concern in this sector, is that you have these entities who are being targeted by very professional cybercriminal crews, typically Eastern European or Brazilian in nature, and they are using the financial platforms that have been developed for greater liquidity and access to financial services and the like to target their constituencies. And so, greater attention must be paid to the security and modernizing the security of fintech participants. Mr. Hill. Thank you. Mr. Jaffer, thank you for your testimony, and I appreciate your discussing in your detailed testimony about China and China's threat, that in March of 2020 a Chinese hacking group carried out one of the broadest campaigns by a Chinese cyber espionage actor that we have observed in recent years. Mr. Jaffer, are you concerned that China is a new and expanded threat in the cyber arena? In the past, we have frequently talked about North Korea, Iran, and Russia--Eastern European players, as we just noted. How do you think China compares to other countries when it comes to cyber attacks? Mr. Jaffer. Thank you, Congressman Hill. China is in the top rank of countries, if not number one of three, along with us and Russia, in terms of cyber capabilities. Now, the thing about China is they have long been focused on intellectual property theft. They have engaged in what my boss, the former Director of NSA, General Keith Alexander, called the greatest transfer of wealth in human history, literally extracting information out of the United States that they take back to China in order to repurpose for the purpose of creating economic benefits to their nation. That has been a huge issue. China is increasingly now pivoting beyond that to intelligence collection, which they have always also done, and they are now increasingly getting involved in financial fraud schemes and allowing these things to take place within their infrastructure. 
China doesn't operate only through their government agents, although they have a tremendous number of military intelligence resources devoted to focusing on the United States. They also operate through allowing hackers in their country to take action against the United States and against other allies of ours. The key issue that we see with China today, though, is what they are doing in terms of covert and overt misinformation and disinformation. They have taken a page right out of the Russians' playbook from 2016, and they are doubling down on that. We have seen the Chinese Foreign Ministry already talk about the Black Lives Matter movement. It is no accident that the Chinese are talking about that publicly. They are already putting a million of their own people in prisons in the Xinjiang province, and yet they are concerned about Americans. The reality is, they are not concerned about Americans. What they are concerned about is taking over a global leadership role from the United States, and they will use every means at their disposal to do it, including cyber activities, and that is what makes them particularly dangerous in this arena. Mr. Hill. Thank you. Do you see coordination between North Korea and their efforts in cyber attacks? Of course, they are some of the most famous with WannaCry of a few years ago and the Cosmos Bank scheme of just a few months, maybe a year or so ago. Do you see North Korea and China at all coordinating their efforts, or do you see North Korea purely on its own? Mr. Jaffer. I think North Korea generally acts on its own. Now, that being said, the North Koreans know how much they can get away with without pushing the Chinese over the line. If the North Koreans go too far, whether it is with nuclear weapons testing or cyber activities or the like, the Chinese will get concerned and potentially take action. North Korea has gotten smart. They have learned to play the Russians and the Chinese offense against one another too. 
So they are not simply relying on China as their only client superpower. They are also playing with the Russians. They have, as you have noticed, though, been fairly quiet when it comes to their testing of nuclear weapons and missiles recently and they have really been focused on the financial gain they can achieve in the current environment. So that is the big concern today for North Korea, although you can't put away the North Korean nuclear problem, which is ever present. Mr. Hill. Thank you so much. I yield back, Mr. Chairman. Chairman Cleaver. Thank you. I now recognize Mr. Perlmutter from Colorado for 5 minutes. Mr. Perlmutter. Thank you, Mr. Chairman. This question is for Mr. Kellermann. A couple of years ago, I had a bill called the Data Breach Insurance Act. And you mentioned tax incentives to try to get companies and individuals to beef up their cybersecurity. Can you discuss that a little bit more, how you see incentives might work to drive folks to the NIST protocol? Mr. Kellermann. Yes. Thank you for asking me that. I am a huge fan of using that carrot to motivate businesses to view cybersecurity as a functionality of conducting business in today's world versus an expense. Whether it is a percentage of their IT budget that is spent on cybersecurity or whether it is compliance with a standard like NIST or even compliance with a standard which isn't quite a standard but a best practice like the CIS Critical Controls, we would be better off than where we are right now. Frankly, there is insufficient investment and leadership in the private sector as it relates to cybersecurity, which is why we are dealing with this cybercrime wave. Mr. Perlmutter. Has that been exaggerated, exacerbated, because we are now sort of in this remote telecommuting world? Would we be better off if we were--if smaller companies and small financial institutions were to beef up their cybersecurity? Mr. Kellermann. Yes, it has been exacerbated because of telework. 
The security of teleworkers is far less than that of someone who is working in a corporate environment because they don't have all the perimeter defenses, much like a corporate facility has greater security than your home typically. I do think it is an imperative for those organizations to invest more seriously in cybersecurity, but I also realize they are small businesses and they have been dramatically impacted by the economic recession that they are facing. But going forward, I think most people need to appreciate that encryption is not the sole answer, that encryption is not bulletproof, it is not something that hackers can't get around. When a hacker hacks your computer metaphorically, they steal the key to unlock the encryption. So what does the encryption really mean? But I will leave that there. Mr. Perlmutter. Okay. I think I may have to dust off the Data Breach Insurance Act and resubmit it over the next month or two to try to use at least some incentive bases so that they can beef it up, knowing full well that a bank robber, no matter how thick the vault is, will always try to find a way to get through that front door, back door, whatever. Let me change the subject quickly to all of the panelists. Mr. Jaffer was speaking about disinformation. And I am curious if you all have seen efforts, whether it is Black Lives Matter or vaccines or whatever it might be, given the fact we are in this COVID-19 time in history, whether you have seen disinformation campaigns rise. And I will start--Mr. Kellermann, you are on my screen, so let's start with you, and then go to Mr. Jaffer. Mr. Kellermann. I think that our traditional Cold War adversaries are taking advantage of the situation. The American hegemony, the American empire you might want to call it, is the weakest we have ever been through a combination of factors. I explicitly don't see true evidence. 
I am not actually looking for it, because I assume it is happening, frankly, but I do see escalated cyber attack capabilities and activity occurring not just against the financial sector, but against the healthcare sector and a myriad of other sectors in this regard. Mr. Perlmutter. Mr. Jaffer, any comments? Mr. Jaffer. Yes. Thank you, Congressman Perlmutter. Yes, we know unquestionably that China has engaged in these type of activities in Taiwan and interfered with their election. We know that Russia did it in 2016 to our election. We haven't seen specific bulletproof evidence, as Mr. Kellermann pointed out, that they are engaged in those covert activities today when it comes to trying to throw gas on the fires that are already burning in this country. But we know for a fact that they are out there saying it publicly. We see overt activities by the Chinese and the Russians trying to meddle with our political environment. It is almost unquestionable that when they engage in those type of overt activities, they are doing the same thing covertly. So, I think that over the next few weeks and months, and probably over the next year, we will see the intelligence community and the Bureau and the rest of our national security organizations coming out with evidence to demonstrate that, in fact, the Chinese, the Russians, and potentially the Iranians are seeking to actively gaslight what is taking place in this country, very real and honest debates are happening, and attempting to manipulate those, let's call it additional chaos and disorder in this country, in the context of the already ongoing pandemic. Mr. Perlmutter. Thank you for that sobering testimony in an already difficult time. I thank the panelists. Thanks for being part of the roundtable, and today's hearing. And I yield back to the Chair. Chairman Cleaver. Thank you, Mr. Perlmutter. The Chair now recognizes the gentleman from the great State of Texas, Mr. Williams. Mr. Williams. Thank you, Mr. 
Chairman, for calling this hearing. And thanks to all of you for joining us in this virtual setting for this important hearing. As cyber criminals get more advanced, we need to make sure our government's efforts to combat these threats are being used as effectively as possible. Last week, I introduced a bill with my buddy on the other side of the aisle, Denny Heck, to transfer the Secret Service from the Department of Homeland Security back to the Treasury Department, as we have talked about today, where it had previously been located almost 140 years before the September 11th terrorist attacks. This strategic realignment would help put increased focus on the financial crimes and cybercrimes of the Secret Service. Juan Zarate, the first Assistant Secretary of the Treasury for Terrorist Financing and Financial Crimes after 9/11, and Tim Maurer, author of the book, ``Cyber Mercenaries: The State, Hackers, and Power,'' wrote in a recent op-ed that the move would strengthen the government's ability to protect the financial system and build on the Trump Administration's interagency focus on cyber threats. This transfer is also supported by the Treasury Department, by the Department of Homeland Security (DHS), and by the Federal Law Enforcement Officers Association, which advocates for the Federal law enforcement community. So, Mr. Jaffer, could you give us your thoughts on how this move would be beneficial to our government's ability to defend against financial crimes? Mr. Jaffer. Absolutely. Congressman Williams, as you well know, the Secret Service was originally set up by Abraham Lincoln in the aftermath of the Civil War in order to protect the U.S. currency. Its first and primary mission was financial crimes. So, the idea that the Secret Service ought to be focused on that as a primary mission and be in the place where that is the primary role of the agency makes a lot of sense. 
I support moving the Secret Service from DHS back to Treasury, in part because it will then prioritize its relationships, existing relationships that Treasury already has in the cyber arena with industry today. And those are very trusted, strong relationships. The Secret Service can build on these. But I think the Secret Service needs more than that. It is not just a matter, Congressman, of moving them from one agency to another. That is critically important. I think it will elevate their role. But I think it is also about providing them the resources they need to do that job, and do that job better, and to provide them additional authorities, investigative authorities, to really go after this crime. The Secret Service is largely bound by the authorities they have had historically for a long time, and those are very useful authorities, but there is no question they will need additional resources in this effort. And being hidden in the larger entity that is DHS makes it harder for them to get priority, harder for them to get resources, and ends up making them focus on their protective mission, which at the end of the day isn't their highest and best value today when it comes to threats facing our financial sector. So, I support that effort. Juan is a good friend and mentor, and I am glad, Congressman, that you and Mr. Heck introduced that legislation. Mr. Williams. Thank you. We will put you on the winning team then, okay? Mr. Jaffer. Yes, sir. Mr. Williams. From hostile countries like China and Russia to other criminals in the private sector, there will always be people looking to exploit our country's cyber vulnerabilities. In 2018, the Trump Administration put out the updated--the National Cyber Strategy for the first time in 15 years. I applaud this action by the Administration, but I am sure that the threats facing the country are drastically different now than just 2 years ago. So, again, Mr. Jaffer, would you support mandating this report be updated annually? 
And can you discuss how the threats facing government entities and the private sector have evolved over the past 2 years? Mr. Williams. Absolutely. Congressman, as you know, the idea that we didn't update our national cybersecurity strategy for a decade and a half is shocking and concerning, and I am glad the President and his team decided to put out a new strategy. I do think it is valuable for Congress to require the Administration to issue the strategy on a regular basis. Whether that is a year or every 2 or 3 years, I would leave that to you all and the White House to figure out what the right cadence is. But I think it does make sense to have it updated rapidly, because obviously, we are in a constantly changing threat environment. Now, in particular in the United States today, the threat has changed. You have seen what has already happened. You have heard testimony today about the way that criminals who are very innovative and nation-states who are very innovative take advantage of the current moment. They are not worried about the fact the pandemic is hurting them. They are focused on how to come after us and our people and our finances, and they are very focused on that. At the end of the day, though, the government's traditional role has been protecting the nation when it comes to all other things from nation-states. But in cybersecurity, we actually have the private sector on the front lines. So I think Kelvin is exactly right, that this is all about partnerships. We have to bring the government and industry together. And that is why having an entity at Treasury, having Secret Service there, but also giving them operational capability, will help better defend the financial sector where they are on the front line defending today, when normally it would be our military or our law enforcement efforts at the front line. Mr. Williams. Okay. 
Quickly, COVID-19 has given cyber criminals a new opportunity to exploit the crisis to take advantage of hardworking Americans. Many companies and governments have been forced to switch their operations to a virtual setting to conduct their normal operations, just as we are doing right now with this hearing. So, Mr. Coleman, quickly, what advice would you give companies adapting to these remote settings on how they can stay safe while they are figuring out these new operating procedures? Mr. Coleman. Congressman, I would absolutely advise them, do not abandon your training and awareness. That is a low-hanging-fruit opportunity for them to make sure that their workers are continuing to be resilient in terms of trying to protect themselves. So, the first thing I would say is, please do not abandon the training and awareness that they probably had set up pre-COVID-19. Mr. Williams. Thank you, Mr. Chairman. I yield back. Chairman Cleaver. Thank you. The Chair now recognizes the gentleman from Washington, Mr. Heck. Mr. Heck. Thank you, Mr. Chairman, and Ranking Member Hill. And thank you to all of the panelists. What a spectacular and timely topic for us to discuss. As the Chair indicated, I represent Washington State, and tragically, unfortunately, nobody has been hit harder by the unemployment insurance fraud that has gone on in this country than Washington State, perpetuated by the cybercrime group that is based in Nigeria, known as Scattered Canary. We don't know exactly how much they bilked us out of, but we know for sure that somewhere between $550 million and $650 million was fraudulently paid out by our State Department of Employment Security. Fortunately, we have been able to recover about $330 million of whatever the total number is. And that operation, that recovery was only made possible, frankly, because the U.S. Secret Service was able to identify this operation and went to work. 
And frankly, I want to express publicly my appreciation to the Secret Service for this on behalf of the taxpayers of Washington State and all Americans for that matter. But I am not under any illusion that it is just Scattered Canary out there. They are part of one of who knows how many hundreds or thousands of organizations who basically are intent on fraudulently appropriating our money. And that is why I am so concerned. I am very concerned. Between the lasting damage done to the government's investigative capacity by the Budget Control Act--and it has been diminished--and the loss of mission focus that has been referred to here resulting from moving the Secret Service to the Department of Homeland Security, I think our Federal Government remains pretty unprepared, by and large, to identify and investigate financial cybercrimes, especially factoring in the massive amounts of Federal resources being distributed across the country. And that is why I was indeed proud to join with my friend, Representative Williams, in introducing the bipartisan and now bicameral U.S. Secret Service Mission Improvement and Realignment Act, which would, of course, as indicated, move the Secret Service back from the Department of Homeland Security to its ancestral home at Treasury. I think, as has been indicated, that will enable it to tap into the institutional knowledge and expertise at Treasury to better defend us against countering fraud and cybercriminal activity. So, Mr. Kellermann, I want to ask you the question that Mr. Williams asked of Mr. Jaffer. You specifically mentioned the importance of passing the Secret Service Mission Improvement and Realignment Act. Thank you for that. But I want to ask you, in your own words, why do you think it is important, above and beyond what has been indicated? And perhaps secondarily, what do we have to lose if we continue to keep the Secret Service housed at the Department of Homeland Security? That is for you, Mr. Kellermann. Mr. 
Kellermann. Thank you. I have always been impressed, in my 20 years in cybersecurity, with the efforts of the Criminal Investigative Division (CID) of the Secret Service. They haven't been too flashy and taken too much credit for their successes, but they have done Herculean efforts as it relates to disrupting some of the most advanced cybercrime conspiracies in the world, beginning with the Eastern Europeans' cybercriminal syndicates back in the early 2000s. But they have always been underresourced, and they have always been stuck in this position where some of their very best analysts had to still provide for protection duty, which put a strain on even then keeping the best technological talent within their ranks. And this was compounded when they moved over to DHS post-9/11. I understand why, but, at the same time, I think they could truly help us move the needle as it relates to civilizing American cyberspace and thwarting and suppressing some of the more advanced financial crime, cybercrime conspiracies that are ongoing if they were back in Treasury working hand-in-hand with FinCEN and others. So, again, I tip my hat to you. I think this is incredibly important legislation, and hopefully, it happens. Mr. Heck. Thank you. What other steps do you think need to be taken to fill or expand or make appropriate to the measure of the challenge our government's capacity to investigate and pursue financial cybercrimes? Aside from just changing the organizational chart, Mr. Kellermann, what else do we need to do? Mr. Kellermann. I feel that they should be given the resources to hire more personnel, number one. Number two, they should expand the Electronic Crimes Task Forces--or I think they are now called the Cyber Fraud Task Forces--internationally to get greater information sharing and partnership with various countries who have very significant and very powerful organized crime syndicates who have adopted this cybercrime model. 
And then, lastly, when they come across an investigation where there is a cybercrime conspiracy and it is obvious there has been misuse of virtual currencies and alternative payment systems, those moneys could be used to fund their endeavors or fund the efforts to protect the financial sector from attack. Mr. Heck. Thank you, Mr. Kellermann. And just finally then, let me say that if Washington State's experience is any measure of this, where in this one instance we have lost hundreds of millions of dollars in just one State, what we are talking about here is a proposition of risk that is billions upon billions upon billions. I am pleased to have joined Mr. Williams in introducing this bill. Thank you, Mr. Chairman, and I yield back. Chairman Cleaver. Thank you, Mr. Heck. The Chair now recognizes Representative Gonzalez from Ohio. Mr. Gonzalez of Ohio. Thank you, Mr. Chairman. And thank you to our witnesses. Echoing Mr. Heck's comments, this has been an incredibly enlightening and important hearing today. So, I thank the chairman for his leadership and for our witnesses today. I want to focus my questions primarily on Mr. Kellermann, if you would humor me here. I want to first focus on the attribution issue and our ability to attribute these crimes to different folks. In both your written testimony and in your oral statement, you talked about how cybercriminals are evolving in both attack sophistication and organization. Can you shed some light specifically on the organization side? How have cybercriminals evolved, call it, in the last 2 to 3 years, and what are you seeing as sort of the next phase here? Mr. Kellermann. Thank you for the opportunity. I would cite the World Economic Forum report that there has been an industrialization stage occurring within the economy of scale of the dark web. There are more groups providing specific services and capability sets. You are seeing advanced business models specific to things like access mining. 
Access mining is, as a construct, a report issued by VMware Carbon Black over a year ago where hackers will hack systems. If they don't really have a use for those systems, they will profile that system, and they will say, this is Bank A's system. They will then sell access to that system to a traditional criminal, who would have the capacity to liquidate that experience, per se. In many countries, as we well know, you see this Robin Hood experience where the best cybercriminals are insulated and protected as long as they don't hack anything within those sovereign boundaries and as long as they act in a patriotic fashion. I am sure my friends in the Secret Service or in the FBI can attest to that. But I would say that it is a true economy of scale now, sir. Mr. Gonzalez of Ohio. Is there any sense that these are connected to nation-states, in particular the Chinas and Russias of the world? How directly are the links to some of our adversaries? Mr. Kellermann. From my gut, I feel like there is a link between some of these groups, but, then again, I can't verify that. I am sure that if you had the Secret Service or the FBI testify, maybe in a classified setting, they could speak to that. I think there is a big difference between, let's say, a Russian hacker and a Chinese hacker. Chinese hackers are less likely to target the financial sector because, frankly, we are their number one debtor, and, frankly, we are their number one consumer. That being said, I don't think it is the case when it comes to Russian-speaking hackers in Eastern Europe. Mr. Gonzalez of Ohio. Right. And then you also talk about a dark wallet as a platform where jihadists can avoid your customer regulations and launder money. My question is, technologically, do we have the ability to shut down something like a dark wallet? Is that technologically possible? Mr. Kellermann. I wouldn't be an advocate of, let's say, shutting it down. 
I would just challenge the developers of these platforms to at least, when called upon, to know who your customer is when called upon, and to be able to freeze the assets associated with anything that has been proven to be part of a criminal or terrorist conspiracy using cyberspace. I think the FBI, the Secret Service, and the intelligence communities do have the capacity to do more interesting things, but, then again, I am just a watcher on the wall, sir. I don't have that much expertise vis-a-vis dark wallets. Mr. Gonzalez of Ohio. Okay. But your gut is that we do have the capability of being more aggressive with respect to how we go after these individuals or we monitor, to be specific. With my last minute, another thing you talk about is the international e-forfeiture fund, which I think is really interesting and probably something I want to investigate with you maybe offline when we have more time. But, just with the minute that I have left, structurally, how would you envision that being set up? Who would be a part of it? And how would it sort of be managed? And I know that is a lot for 50 seconds, but give it your best shot. Mr. Kellermann. We need to incent developing countries to play ball with us. As we both know, and as most--all of us know for that matter, the most significant entities, transnational organizations and organized crime syndicates within these sovereign boundaries of those countries, don't necessarily have to play ball, and they are just as powerful as the government. So how do you incent the government to play ball? I think by giving them a percentage of the forfeited assets associated with the investigation. That is why I open it up to an international lens, because most of cybercrime emanates from outside of the United States. I think probably the Bank of International Settlements might be well-suited to do this, because they already facilitate so much in our financial sector between the tier 1 financials. Mr. Gonzalez of Ohio. Great. 
Thank you for your insight. We will reach out after this for more depth. Thank you, Mr. Chairman. I yield back. Chairman Cleaver. Thank you. The Chair now recognizes the gentleman from California, Mr. Sherman. Mr. Sherman. Thank you, and thanks for putting on this virtual hearing. My first question is for Mr. Kellermann. Included as one of the subjects of today's hearing is a bill that I introduced, the Internet Fraud Prevention Act, which addresses the issue of business email compromise and especially real estate wire fraud. And the way it typically works in a real estate situation is, you are dealing with somebody who saved their money to buy a house. This would be the one time in their life that they actually send $50,000 or $100,000 somewhere. And you hack their email account, know that they are, in fact, buying a house, and you convince them that when they are supposed to wire that downpayment, it is supposed to go to account number ``12345'' in order to get to their escrow agent, when, in fact, the escrow agent or the attorney involved has a different account number. And the reason this occurs is when you are supposed to wire money in this country, you only wire it to a number and not to the name of the entity that you are trying to send the money to. In the U.K., they are implementing a payee matching system where, when you wire money, you are going to wire it to an account number that has to be in the name of whom you actually intend to get the money, and the U.K. regulator believes this will reduce this kind of fraud by 90 percent. My bill would require the Federal Reserve to perform a cost-benefit analysis for implementing a similar program in the United States. Would you agree that this is a good approach in order to focus on this issue and prevent people from wiring money to the wrong account? Mr. Kellermann. I do. I do think that it necessitates a cost-benefit analysis. 
But that being said, any obstacle that we can put in the way of a fraudster is an obstacle worth having. My mom is a real estate agent, so I hear about this a lot. Mr. Sherman. Thank you. Ms. Senn, the next one is for you. I am the Chair of our Investor Protection, Entrepreneurship, and Capital Markets Subcommittee, as my colleagues know, and I am concerned about the threat of cryptocurrency-based fraud. In 2019, just a few months ago, in December, the NASAA identified cryptocurrency as one of the top 5 threats to investors in 2020. Today in your testimony, you note that among the schemes being identified by your organization, this COVID-19 Enforcement Task Force, many involve cryptocurrency or promote investments that are outside the stock market. The SEC has resisted identifying cryptocurrencies, at least Bitcoin and Ethereum, as securities, and so they say, ``Hey, it is not our business, it is not a security, we have an `S' in our name, that stands for security,'' and of course they apply the Howey test, I believe that a lack of an SEC registration requirement makes cryptocurrencies attractive to those who have investment scams. What do you think Congress can do, and what can the States do to correct this system where, if investors want to invest in a real company that really is providing jobs, they have the protection of the SEC and the State commissioners as well, but, for cryptocurrency, they don't get much protection? Ms. Senn. Thank you, Congressman Sherman. We do have a regulatory framework in place under the Howey test to regulate investments in cryptocurrency. 
And on a State level and through NASAA, back in 2018, we initiated a cryptocurrency sweep, and it was a massive public awareness campaign where we notified the public that, hey, guys, these things are out here, they are initial coin offerings, they are investment-related, be aware there are lots of fraudulent offerings, as with any currency as well, but especially in the crypto space, because people don't understand it. Investors are still learning the digital assets if they want to invest properly in that. But we have a regulatory framework for investment in cryptocurrency. I do believe that, collectively, the States can be more proactive in promoting the types of frauds that are prevalent-- Mr. Sherman. If I can interrupt, the SEC clings to this idea that Bitcoin and Ether are not securities, and, therefore, they don't have jurisdiction. Do the State securities commissioners believe they have jurisdiction in those who are selling Bitcoin and Ethereum? Ms. Senn. If the cryptocurrency is being offered as an investment, or with a view toward an investment--yes, sir. I know. Mr. Sherman. If every-- Ms. Senn. We also have many transmitters laws. Mr. Sherman. Everybody who buys Bitcoin is buying it with the prospect of it going up. Every cryptocurrency enthusiast who hears a rate, and invests in it, believes it is going to go up. I believe my time has expired, so I yield back. Ms. Senn. I am in agreement. Chairman Cleaver. The Chair now recognizes Representative Rose from Tennessee. Mr. Rose? We will move on to Mr. Taylor from Texas. Mr. Taylor. Thank you. I really appreciate you putting this hearing together, and I think it is important information. I am reminded of something that Frederick the Great said long ago: ``He who defends everything defends nothing.'' Part of the issue here I think in this whole discussion is prioritizing resources. And I have heard a lot about where we need to prioritize resources and not prioritize resources. 
And I guess something that I have been thinking about is in--and I know there has been a mention of the AML/BSA program that financial institutions pursue in trying to find anti-money-laundering and, with the Bank Secrecy Act, trying to find problems in terms of prioritizing. I guess I will just kind of ask a broad question: Have you seen people wasting resources, wasting the effort, or they are trying to do the right thing, but they are headed down the wrong path in terms of what they are doing? I will throw that out, just experiences from the field. What have you seen that you think, gosh, that is a waste of time and effort? Mr. Coleman, do you want to take a crack at that? Mr. Coleman. Congressman, fortunately, I have not experienced that in cybersecurity. Most of the time it is the exact opposite in terms of trying to help people understand the urgency of investing or taking action throughout normal times, let alone a disaster. Jon Check from Raytheon, whom I work with, often talks about how bad actors will take advantage of a disaster, manmade or natural, a situation like we are in now, Congressman. And so getting companies, businesses, individuals to act during those times is difficult enough, let alone during peacetime. So, no, I haven't necessarily seen where people are going down the wrong path or wasting time. Actually, it is the opposite in terms of trying to encourage them to go forward. Mr. Taylor. Anybody else want to take a stab at that one and talk about prioritization and making sure resources are being used intelligently? Mr. Jaffer. Congressman, I think one place that you might look is oftentimes, you see a company go out and buy every tool they can out there. And they put a lot of them on the shelves and they don't utilize them. So one thing that we can do is really encourage companies to identify the best out there in the field and buy that capability, use that capability. And if you are not going to use it, don't buy it. 
If you don't have the capacity to take care of it right now, don't invest in it at this time. I think it prioritizes that, and that way is a sensible approach for institutions. I also want to associate myself with Mr. Kellermann's remarks earlier about providing carrots to industry to take advantage of cybersecurity protection, and so I think that giving tax incentives is the right way to go. A different approach would be to regulate and to tell people exactly what to do and what not to do. The problem with that in my mind is that it creates a check-box mentality, and in a field where things are changing so rapidly, sir, I think it is a mistake to require the type of regulations that would be very specific and detailed and ultimately cause people to just check the box and not actually gain on security gains. Mr. Taylor. In my own experience, I was on a bank board for 12 years, and we acquired a product which automated the verification of checks that were written fraudulently. And so, by automating that, we were able to reduce resources in that effort and actually be more effective. We actually saw reduction in our fraud at our bank. But we also were then able to put more resources into other counter-fraud efforts. And so I think making the right investment, as you say, a part of that is knowing where the efficiency is to be gained and then, in turn, understanding where we can actually go get those efficiencies. And I look forward to working further on this issue. Cybersecurity is increasingly becoming a concern in our country because we are automating more, and the more we automate, the more we turn to systems and computers to do things, the more stuff is on the web, the more vulnerable we become or the more we have to defend it. With that, Mr. Chairman, I yield back. Chairman Cleaver. The gentleman yields back. The Chair now recognizes the gentleman from New Jersey, Mr. Gottheimer. Mr. Gottheimer. 
Thank you so much, Chairman Cleaver and Ranking Member Hill, for calling this hearing, and to all of our witnesses for being here today. TransUnion, one of the big three credit bureaus, runs a weekly survey that shows that 29 percent of consumers say they have been targets of digital fraud related to COVID-19. On top of that, AARP's Fraud Watch Network recently reported that there has been a steep increase in scams targeting the elderly and other vulnerable communities. These nefarious actors, both domestic and international, are using the pandemic and preying on people's fragile states in these uncertain times to target their hard-earned retirement accounts, their unemployment checks, and other savings. Ms. Senn, from your perspective of working directly to prevent cybercrime as the Chair of the Cybersecurity Committee for the NASAA, do you agree that seniors are disproportionately the victims of cybercriminals? And what challenges do law enforcement run into while trying to prevent this population from falling victim to frauds and scams? Ms. Senn. Thank you, Congressman. Yes, seniors are disproportionately targeted. They hold most of the nation's wealth. You work your entire life so that in your golden years, you hopefully can sustain the rest of your life with the retirements that you have saved. Criminals know that. That is where the money is. You have heard the studies where, as you age, your cognitive function declines, and your financial judgment is part of that. And so, seniors are more vulnerable to financial fraud because of that, the weakening in their financial judgment. Through NASAA, our North American Securities Administrators Association, we have developed a model law to report the suspected financial exploitation of seniors, and, through that law, which 27 States have passed--yesterday was Elder Abuse Awareness Day, and we were pleased to announce that--we have reports coming in. 
So we can review--I have a stack of them on my desk here of the types of frauds that seniors are being exposed to. And especially now, during the COVID-19 pandemic, seniors are at home, they are being isolated, they are away from their friends and family who normally check on them to see how things are going and ensure that they are not online surfing the internet and being solicited by fraudsters. And so, it is critical during this time to reach out to your friends and family, check on them, make sure that things aren't unusual, red flags--I could talk about those all day--but to continue to report suspected financial exploitation. I want to mention one thing about the financial industry, because we regulate on the State level the small businesses. And I know you guys are talking at a macro level, but on a micro level, we see the trickle down. I sit down with the victim investors and talk with them about the frauds that have impacted them, and some of them have been ripped off of their entire life savings, and it is a problem for all of us-- Mr. Gottheimer. What do you think States--if I could just follow up on that--what do you think States can do, what should we equip States to do to be able to fight back and protect vulnerable populations from fraud? Are there things you would recommend? Ms. Senn. Congressman, yes. I mentioned in my opening remarks and in my written testimony, we--NASAA supports the Senior Investor Pandemic and Fraud Protection Act, and I believe that is legislation that you are interested in, which would allow States to apply for a grant. And I know we do a great job with the limited resources that we have, but, sir, we can do better. For example, in Alabama, we are able, through a small grant, to hire a victim service officer to assist our financial abuse victims, mostly seniors, with reporting and to provide that human element. So it is critical, yes-- Mr. Gottheimer. Ma'am, I am glad you mentioned the legislation that I have drafted. 
The Senior Investor Pandemic and Fraud Protection Act does a lot, I think, that would really help in that effort to allow qualified States to apply for these grants, to be able to hire and train investigative staff, which seems like that would make a difference, whether it is purchasing technology and equipment or developing other materials to fight fraud. And I am going to ask unanimous consent, Mr. Chairman, to submit a series of letters from industry and consumer groups in support of this draft legislation into the record. Chairman Cleaver. Without objection, it is so ordered. Mr. Gottheimer. Thank you so much. I can't tell how much time I have left. Mr. Chairman, how much time is that? It is not coming up. How long? Chairman Cleaver. One minute. Mr. Gottheimer. One minute. So I will just say, as the world races to find a cure for COVID, Iranian and Chinese hackers have waged cyber attacks targeting American companies, universities, and research institutions, the pharmaceutical company Gilead Sciences, and the World Health Organization (WHO). Mr. Jaffer, in the time we have left, how vulnerable is our financial sector to state-sponsored hacking at this time? Mr. Jaffer. I think state-sponsored hacking is the biggest threat to our financial sector because of the capabilities they can bring to bear. If you think about what nation-states have, they have almost unlimited resources, both human and monetary, to throw at a problem. So, any single private-sector company, whether it is JPMorgan Chase or a small community bank like you were talking about, they simply don't have the resources to be able to go up against that kind of a threat. That is why we have to bring them together in a collective defense fabric, one bank with another, large banks with small banks, all coming together collectively to defend one another in this scenario. You just can't beat a nation-state at their own game. Mr. Gottheimer. Thank you, Mr. Jaffer. Ms. Senn, thank you for your answers. 
And thank you, again, to the chairman and the ranking member and our witnesses. I yield back. Chairman Cleaver. Thank you. The gentleman from Tennessee, Mr. Rose, is now recognized for 5 minutes. Mr. Rose. Thank you, Chairman Cleaver and Ranking Member Hill, for yielding and for holding this hearing today. I also want to thank our witnesses for their testimony and for their expertise. As the COVID-19 pandemic continues to impact our country, fraudsters and cybercriminals have seized the opportunity to prey on vulnerable Americans. They have exploited this crisis to infiltrate our institutions and are a systemic threat to our financial system. The number of cybersecurity complaints in the last 4 months has spiked to as many as 4,000 incidents a day. Ms. Senn, would you please outline to what extent we are seeing an increase? That is, is it exponential, or does it compare to fraud seen in the wake of other natural disasters? Ms. Senn. Thank you, Congressman. In my opinion, it is exponential. I can speak from my perspective here in Alabama and for other States that we have seen a dramatic, 50 percent uptick in the number of financial exploitation reports that are coming in during this time. Like I mentioned earlier, I have a stack of them on my desk, because primarily, seniors are at home alone. The computer is a source of social--it is a social platform. People are online more. They are ordering food and other items online. Shopping online is a tremendous source of fraud. They are being inundated with pop-up things, and people just don't know how to sort through BS and get to the legitimate sites. And our brokerage firms, you all mentioned small businesses, a lot of them are working from home. And so, we are working to ensure that controls are in place for the small businesses that we regulate on the financial side. Mr. Rose. Thank you. Cyber threat actors have been taking advantage of the crisis to undermine the U.S. 
Government, to prod systems for weaknesses, and stoke fear and confusion. Professor Jaffer, where are a majority of these cyber attacks originating from, and what has been their main target? Mr. Jaffer. Thank you, Congressman. Obviously, the vast majority of cyber attacks that come against our country are coming from a combination of nation-states and fraudsters. So it depends on what we are talking about. If we are talking about major attacks on our banking system or the like, we have seen that come from countries like North Korea, and from Iran. We saw the 2016 and the 2012 attacks on our banking system by Iran, and those continue apace. Our government is targeted by all manner of nation-states and patriotic hackers and the like. I don't really believe in patriotic hackers. Those are simply nation-states acting through proxies. At the end of the day, if we are really going to defend this nation when it comes to cyberspace, we have to realize that we have put the private sector on the front lines unlike any other scenario. We don't expect Target and Walmart to defend against Russian Bear Bombers coming across the horizon, yet today in cyberspace we expect exactly that of JPMorgan, Citibank, Walmart, Target, and every mom-and-pop institution, whether it is a bank or a bakery, to defend against the Russians, the Chinese, and the Iranians. That is simply an unsustainable scenario, and we have to bring the nation together. Large banks have to protect small banks. Large corporate institutions have to protect other smaller corporations. We have to take a supply chain mentality to this. And that is something that the government single-handedly can bring together and create that joint collaborative environment that the Cyberspace Solarium Commission talked about in order to make that happen. It requires us to move and act in real time. We can't simply wait and have the conversation a day or two later. By that time, your systems are down, sir. Mr. Rose. 
Picking up there, Professor Jaffer, have we given our law enforcement agencies and the criminal justice system the tools that we need to give them to combat this 21st Century challenge? Mr. Jaffer. Thank you for that question, Congressman. We have historically given a lot of the tools that our government needs. One of the challenges we face today, though, is that we have a debate in this country about the right authorities for police, the right authority for our intelligence community. You see the expired provisions of the USA Patriot Act. We are now in a pre-9/11 era when it comes to protecting ourselves against foreign nation-state threats and terrorist threats. The same is true of cybercriminals. Those same authorities we used are gone. And the fact that we haven't been able to come together as a country and reauthorize those provisions which are--one of which is controversial, two of which are absolutely noncontroversial, is really a concern. And we really have to come together and provide authorities and add authorities, as we are doing with the Secret Service, and resources to really address these threats. It is a hard thing to do in a time we are spending a lot of money on restarting our economy, but it is something we have to do if we are going to protect it in the long-term, sir. Mr. Rose. Quickly, one follow-up question. I have always felt like we probably were not getting to the easiest place to cut off the threat, so the providers of access to the internet. Do you think we have enough and a robust enough set of tools in that arena to combat crime in the cyber era? Mr. Jaffer. The providers do a lot today to take spam off the network and the like. Could we empower them with more capabilities, more authority, frankly, more information from the government? Absolutely. The truth is that we have been talking about the government giving classified information to the private sector to defend itself for the better part of almost a decade and a half. 
We have never really acted in a serious way. That is on the intelligence community on one side. But it is also on industry, because the industry has to show the government where the attack is from. And so, we have to create that shared situational awareness, but both sides have to play, and the government has to give more classified information to industry and in a form they can actually use it, sir, and that is the most important thing. It is one thing to pull somebody in a room and say, ``Here is a bunch of secrets.'' Walk out, you can't say anything about it. It is different to give them the actual information and let them use it to defend themselves. Chairman Cleaver. Thank you, Mr. Jaffer. Mr. Rose. Thank you. I yield back. I think I have ran out of time, but the clock disappeared. Chairman Cleaver. Yes. Well, this is your gift for the day. Mr. Rose. I yield back. Chairman Cleaver. Ms. Wexton of Virginia, you have 5 minutes. Ms. Wexton. Thank you, Mr. Chairman. And thank you to the witnesses for being with us today. This is a really fascinating and obviously a very timely discussion. One of the pieces of legislation that we are considering today is a bill that I am working on, the COVID-19 Restitution Assistance Fund for Victims of Securities Violations Act, which would create a fund at the SEC to provide restitution payments for individuals harmed by COVID-19-related securities fraud if they don't otherwise receive full restitution. Ms. Senn, I was pleased to hear you reference this bill in your opening remarks. Do you agree with this approach? Do you think that this is a positive piece of legislation? Ms. Senn. Overwhelmingly yes, Congresswoman. As a long-time prosecutor, 10 years of financial crime, I have spent many long hours on the topic of victims who will never see another cent of the money that was stolen from them by fraudsters. And, in Alabama, there is not a recovery fund for victims of financial crimes. 
And so, yes, Alabama and NASAA overwhelmingly support the establishment of this fund. Ms. Wexton. And you say in your testimony that victims of investment scams often have a hard time recovering their losses. Can you explain why that is, and what are some of the challenges that they faced in recovering their losses? Ms. Senn. Yes, ma'am. As my distinguished colleagues on the panel have mentioned several times, that money goes overseas, and we see it in the bank records. We coordinate regularly with our Federal partners. The FBI can provide us with the exact location, but we can't go out and get it. As Congress is aware, there are certain threshold requirements. Due to the limited resources, we have to allocate them properly. So, we can't go after Ms. Jones' $50,000 that she put as a down payment on her house. Maybe that came from a brokerage firm. It is just not possible to spend the money to go out and get that. And so, those people oftentimes have seen entire retirement accounts dissipated, and they have nowhere to turn. They don't have friends and family to look after them. So they turn to public welfare, and it is a sad situation. But victims of financial fraud need a recovery fund. Ms. Wexton. It is very sad that someone's entire life savings wouldn't be enough to go and recover it as best we can. But do you have any suggestions or thoughts about what other actions Congress can take to uncover and prosecute those who would commit fraud in this way? Ms. Senn. Yes, ma'am. As mentioned earlier, the States come together, we coordinate, and we communicate. If there is a fraudster in one State, we have internal communications where we ensure that our resources are being allocated properly so that we can go after these folks. And we are also coordinating with our Federal counterparts, the SEC, CFTC, FBI, and DOJ. But we all have limited resources. 
I know, on the State side, particularly with the financial fraud that we are seeing, everybody needs more money for technology. I am listening to my panelists, and I am shaking my head in agreement, yes, especially the smaller businesses. The cybersecurity protocols 20 years ago were nothing in comparison. You tried to make sure your computer was updated occasionally. And so, it is overwhelming to small businesses across the State, so I mention those things, money as always.

Ms. Wexton. Great. Thank you so much, to all of you. With that, I will yield back, Mr. Chairman.

Ms. Senn. Thank you.

Chairman Cleaver. The gentlelady yields back. The Chair now recognizes Mr. Lynch from Massachusetts.

Mr. Lynch. Thank you, Mr. Chairman. First of all, I want to thank you, Mr. Chairman, for holding this hearing, and also Ranking Member Hill. I want to thank our witnesses. They have all been terrific, and I really appreciate their testimony. Mr. Chairman, I don't have many more questions, but I sort of handle a similar topic over on the House Oversight and Reform Committee, where I chair the Subcommittee on National Security, and we sort of overlap. And one of the earlier questions was what evidence do you have as to the nature of some of these cyber intrusions. So, we have submitted a request to our intelligence agencies to do a classified briefing when we get back into D.C. And I was wondering if, Mr. Chairman, you would cosign that request and we would do a joint classified briefing so that we can get into some of the details of this that we cannot discuss in this forum, which is unclassified? But that is my one request. And it would be expanded not only to the cyber hacks, but, also, there is evidence that foreign actors are also online, exacerbating and disrupting some of the discussions around us reforming our criminal justice system and the brutal murder of George Floyd in Minneapolis.
They have been piling on, on top of that issue, too, and we would like to drill down and see what actions some of these malign actors overseas, both government-wise but also individual hackers, have influenced that debate as well. So, that is all I have. I would love to have you join us. I think it is one of the common interests between our committees, and it is also bipartisan. It is shared among our colleagues. In closing, I do want to say that I fully endorse the Realignment Act that has been put forward by Mr. Heck and Mr. Williams, and I am happy to support that, and I will yield back. Thank you, sir.

Chairman Cleaver. Thank you, Mr. Lynch. We look forward to working with you to see what--and I would ask Mr. Perlmutter as well, and Ranking Member Hill to sit down with you. I think we should work together on this issue. The Chair now recognizes the Chair of the Full Committee, the gentlewoman from California, Chairwoman Waters.

Chairwoman Waters. I would like to thank you for convening this hearing on the cybersecurity threats and electronic fraud issues that have proliferated during the COVID-19 pandemic. Persistent cyber attacks on our financial system are not new. I don't know if you have had this discussion this morning, but I am concerned that some minority communities, and particularly those with higher limited-English-proficient populations, are more vulnerable to predatory practices and scams during the COVID-19 pandemic. For example, in the last financial crisis, consumer groups reported that borrowers with limited-English-proficiency paid thousands of dollars to scammers for foreclosure prevention help that never materialized, with cybersecurity complaints to the FBI increasing from 1,000 per day to 4,000 daily, which scams have been predominantly targeting seniors, minorities, and individuals with limited English proficiency during this pandemic.
What can financial regulators and advocacy groups do to better protect and educate consumers in these communities against such threats? I would like to address this to all of our witnesses. Any one of you can start with a response to this if you have any information or advice about what is happening as this fraud is targeted toward these minority communities.

Mr. Coleman. Chairwoman Waters, this is Kelvin Coleman with the National Cyber Security Alliance. I will start by saying that with the nation being over 360 million Americans in 50 States and 6 territories, the National Cyber Security Alliance has been very successful in using force multipliers for trusted community groups to spread our message about cybersecurity awareness and education. I think this is the perfect opportunity to do that as well. So, utilizing and speaking with organizations that are trusted and embedded in those communities to carry our message forward, because oftentimes, these are low-hanging-fruit solutions that we can recommend to people. I know Amanda and Jamil and Tom are talking about some pretty sophisticated products and processes that the U.S. Government can look at. But when it comes to the average citizen, we need to be talking about more basics, like password protection, making sure that they are patching their systems, that they are up-to-date. And so, I would advocate utilizing those existing embedded community groups to really, again, use them as our force multiplier to get the message out there to them.

Chairwoman Waters. Ms. Senn?

Ms. Senn. Chairwoman Waters, I will add to Kelvin's comment that the States--we have discussed this--have provided translators in the communities in some of our States, because they know the communities, our State securities regulators understand their communities' needs, and they are able to partner with private industry to host workshops and investor education events and have folks there to translate.

Chairwoman Waters.
Thank you very much for that response. And I just want to say to the chairman, I thank you so very much. This is a subject that is going to get a lot of attention based on our new normal. So, thank you very much. I yield back the balance of my time.

Chairman Cleaver. Thank you, Madam Chairwoman. Let me, at this time, thank all of the witnesses for their very helpful, insightful testimony. Without objection, I would like to offer letters of support for this hearing provided by the FACT Coalition; the National Association of Federally-Insured Credit Unions; a submission for the record by the Washington, D.C.-based think tank Third Way; and a number of letters of support for legislation to reauthorize and fund the Senior Investor Protection Grant Program. Without objection, it is so ordered. The Chair notes that some Members may have additional questions for this panel, which they may wish to submit in writing. Without objection, the hearing record will remain open for 5 legislative days for Members to submit written questions to these witnesses and to place their responses in the record. Also, without objection, Members will have 5 legislative days to submit extraneous materials to the Chair for inclusion in the record. With that, this hearing is now adjourned.

[Whereupon, at 1:44 p.m., the hearing was adjourned.]