By Matt Schwartz

The House Small Business Committee recently held a hearing entitled, “Small Business Information Sharing: Combating Foreign Cyber Threats.” The hearing focused on the federal government’s engagement with the private sector on the issue of cybersecurity information sharing and heard testimony from the FBI’s Deputy Assistant Director of the Cyber Division Howard Marshall and DHS’ Deputy Assistant Secretary of the Office of Cybersecurity and Communications Richard Driggers.

In his opening remarks, Chairman Steve Chabot (R-OH) emphasized the committee’s commitment to finding ways to improve cybersecurity for small businesses, many of which lack the resources to implement a full-scale cyber defense program. The Chairman noted that the global nature of our economy exposes small businesses to threat actors from around the world, some of which are state-sponsored and highly sophisticated.

Both witnesses warned that a majority of businesses are ill-prepared to manage the current cyber threat ecosystem. Mr. Marshall observed that the FBI is seeing rapid year-over-year increases in the volume of stolen files, noting that the most common attack vector is business email compromise, specifically via spear phishing.

The witnesses also used their testimony to offer updates of their respective offices’ cyber outreach efforts. Mr. Driggers highlighted the key role small businesses play in securing critical infrastructure and shared that DHS is working to close the gap in public-private information sharing. Mr. Driggers added that DHS, which serves as the hub for automated threat indicator sharing, expects the volume of threat indicators to increase as trust between information sharing entities and DHS continues to grow.

House Small Business Committee Ranking Member Nydia Velázquez (D-NY) joined Chairman Chabot in offering a solution to quickly bridge this “trust gap”: their recently introduced bill, the Small Business Advanced Cybersecurity Enhancements Act of 2017 (H.R. 4668). The bill would amend the Small Business Act to establish a central small business cybersecurity assistance unit at the Small Business Administration (SBA) in addition to regional small business cybersecurity assistance units within each Small Business Development Center (SBDC). The cybersecurity assistance units would be tasked with receiving threat indicators from small businesses and sharing them with the federal government, providing a more accessible interface for small businesses than what currently exists.

A key provision of the bill ensures small businesses that share information with their SBDCs receive the same protections and exemptions provided in the Cybersecurity Information Sharing Act of 2015 (CISA). This means small business sharing entities would receive the same strong liability protections as long as they “scrub” any personally identifiable information included within the threat indicator before sharing. H.R. 4668 would also provide liability protections for the cybersecurity defensive measures small businesses share through the process set up by the bill, ensuring that small businesses are not unfairly punished under federal or state laws for falling victim to certain cyberattacks.

ACT | The App Association had the opportunity to advise the House Small Business Committee on the challenges small businesses face in information sharing. In November 2017, App Association President Morgan Reed provided compelling testimony on this issue at the Small Business Committee’s hearing titled, “Federal Government and Small Businesses: Promoting Greater Information Sharing for Stronger Cybersecurity.” During the hearing, Morgan advocated for better incentives to encourage small business information sharing, such as liability protection and more user-friendly information sharing processes, two improvements H.R. 4668 seeks to provide.

The App Association strongly supports this bill and will continue to advocate for its passage through the House, as well as for the introduction and passage of a Senate version of the legislation.