Improving Small Business Cyber Security Act of 2016
Floor Speech
BREAK IN TRANSCRIPT
Mr. CHABOT. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 5064) to amend the Small Business Act to allow small business development centers to assist and advise small business concerns on relevant cyber security matters, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows: H.R. 5064
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE.
This Act may be cited as the ``Improving Small Business Cyber Security Act of 2016''. SEC. 2. ROLE OF SMALL BUSINESS DEVELOPMENT CENTERS IN CYBER SECURITY AND PREPAREDNESS.
Section 21 of the Small Business Act (15 U.S.C. 648) is amended--
(1) in subsection (a)(1), by striking ``and providing access to business analysts who can refer small business concerns to available experts:'' and inserting ``providing access to business analysts who can refer small business concerns to available experts; and, to the extent practicable, providing assistance in furtherance of the Small Business Development Center Cyber Strategy developed under section 5(b) of the Improving Small Business Cyber Security Act of 2016:''; and
(2) in subsection (c)--
(A) in paragraph (2)--
(i) in subparagraph (E), by striking ``and'' at the end;
(ii) in subparagraph (F), by striking the period and inserting ``; and''; and
(iii) by adding at the end of the following:
``(G) access to cyber security specialists to counsel, assist, and inform small business concern clients, in furtherance of the Small Business Development Center Cyber Strategy developed under section 5(b) of the Improving Small Business Cyber Security Act of 2016.''. SEC. 3. ADDITIONAL CYBER SECURITY ASSISTANCE FOR SMALL BUSINESS DEVELOPMENT CENTERS.
Section 21(a) of the Small Business Act (15 U.S.C. 648(a)) is amended by adding at the end the following:
``(8) Cyber security assistance.--The Department of Homeland Security, and any other Federal department or agency in coordination with the Department of Homeland Security, may leverage small business development centers to provide assistance to small businesses by disseminating cyber security risk information and other homeland security information to help small business concerns in developing or enhancing cyber security infrastructure, cyber threat awareness, and cyber training programs for employees.''. SEC. 4. CYBER SECURITY OUTREACH FOR SMALL BUSINESS DEVELOPMENT CENTERS.
Section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) is amended--
(1) by redesignating subsection (l) as subsection (m); and
(2) by inserting after subsection (k) the following:
``(l) Cybersecurity Outreach.--
``(1) In general.--The Secretary may leverage small business development centers to provide assistance to small business concerns by disseminating information on cyber threat indicators, defensive measures, cybersecurity risks, incidents, analyses, and warnings to help small business concerns in developing or enhancing cybersecurity infrastructure, cyber threat awareness, and cyber training programs for employees.
``(2) Definitions.--For purposes of this subsection, the terms `small business concern' and `small business development center' have the meaning given such terms, respectively, under section 3 of the Small Business Act.''. SEC. 5. GAO STUDY ON SMALL BUSINESS CYBER SUPPORT SERVICES AND SMALL BUSINESS DEVELOPMENT CENTER CYBER STRATEGY.
(a) Review of Current Cyber Security Resources.--
(1) In general.--The Comptroller General of the United States shall conduct a review of current cyber security resources at the Federal level aimed at assisting small business concerns with developing or enhancing cyber security infrastructure, cyber threat awareness, or cyber training programs for employees.
(2) Content.--The review required under paragraph (1) shall include the following:
(A) An accounting and description of all Federal Government programs, projects, and activities that currently provide assistance to small business concerns in developing or enhancing cyber security infrastructure, cyber threat awareness, or cyber training programs for employees.
(B) An assessment of how widely utilized the resources described under subparagraph (A) are by small business concerns and a review of whether or not such resources are duplicative of other programs and structured in a manner that makes them accessible to and supportive of small business concerns.
(3) Report.--The Comptroller General shall issue a report to the Congress, the Administrator of the Small Business Administration, the Secretary of Homeland Security, and any association recognized under section 21(a)(3)(A) of the Small Business Act containing all findings and determinations made in carrying out the review required under paragraph (1).
(b) Small Business Development Center Cyber Strategy.--
(1) In general.--Not later than 90 days after the issuance of the report under subsection (a)(3), the Administrator of the Small Business Administration and the Secretary of Homeland Security shall work collaboratively to develop a Small Business Development Center Cyber Strategy.
(2) Consultation.--In developing the strategy under this subsection, the Administrator of the Small Business Administration and the Secretary of Homeland Security shall consult with entities representing the concerns of small business development centers, including any association recognized under section 21(a)(3)(A) of the Small Business Act.
(3) Content.--The strategy required under paragraph (1) shall include, at minimum, the following:
(A) Plans for leveraging small business development centers (SBDCs) to access existing cyber programs of the Department of Homeland Security and other appropriate Federal agencies to enhance services and streamline cyber assistance to small business concerns.
(B) To the extent practicable, methods for the provision of counsel and assistance to improve a small business concern's cyber security infrastructure, cyber threat awareness, and cyber training programs for employees, including--
(I) working to ensure individuals are aware of best practices in the areas of cyber security, cyber threat awareness, and cyber training;
(ii) working with individuals to develop cost-effective plans for implementing best practices in these areas;
(iii) entering into agreements, where practical, with Information Sharing and Analysis Centers or similar cyber information sharing entities to gain an awareness of actionable threat information that may be beneficial to small business concerns; and
(iv) providing referrals to area specialists when necessary.
(c) An analysis of--
(I) how Federal Government programs, projects, and activities identified by the Comptroller General in the report issued under subsection (a)(1) can be leveraged by SBDCs to improve access to high-quality cyber support for small business concerns;
(ii) additional resources SBDCs may need to effectively carry out their role; and
(iii) how SBDCs can leverage existing partnerships and develop new ones with Federal, State, and local government entities as well as private entities to improve the quality of cyber support services to small business concerns.
(4) Delivery of strategy.--Not later than 180 days after the issuance of the report under subsection (a)(3), the Small Business Development Center Cyber Strategy shall be issued to the Committees on Homeland Security and Small Business of the House of Representatives and the Committees on Homeland Security and Governmental Affairs and Small Business and Entrepreneurship of the Senate.
(c) Definition.--The term ``small business development center'' has the meaning given such term in section 3 of the Small Business Act (15 U.S.C. 632). SEC. 6. PROHIBITION ON ADDITIONAL FUNDS.
No additional funds are authorized to be appropriated to carry out the requirements of this Act or the amendments made by this Act. Such requirements shall be carried out using amounts otherwise authorized.
It is an honor to serve as chairman of the House Small Business Committee. It affords me the special opportunity of hearing directly from the very men and women who help drive our economy--America's small-business owners.
At a hearing several months ago, a small business owner shared his personal experience with a serious cyber attack. He said:
I logged into our bank accounts, and to my utter horror, I found that my balance was zero. This was a payday, and I was terrified that the paychecks that were issued that day would not clear. We were supporting a number of families, many of which live paycheck to paycheck and could not have made it without the paycheck we issued that day. I was also very worried about our business' reputation since a restaurant nearby had just bounced their paychecks, and the company never recovered from the bad publicity they received from not making their payroll.
Stories like this show the real-world consequences of cyber attacks. Small businesses are at serious risk from a growing number of cyber threats.
There is no doubt that the information technology revolution has provided small businesses with new tools and opportunities to compete in the global economy. However, technology changes mean hackers are coming up with more and more sophisticated methods to go after intellectual property, bank accounts, Social Security numbers, and anything else that can be used for financial gain or for a competitive edge.
In 2015, the average amount stolen from small business bank accounts after a cyber attack was over $32,000; and according to a recent report by Verizon Enterprise Solutions, a shocking 71 percent of cyber attacks occurred in businesses with fewer than 100 employees.
It is absolutely critical to both the economic and national security of this country that our small businesses have all of the necessary cyber tools to protect themselves from cyber attacks. Small businesses lack the resources to combat cyber attacks. The Federal Government needs to step up its game when it comes to protecting the cybersecurity of small businesses and individuals. That is why I support H.R. 5064, the Improving Small Business Cyber Security Act of 2016.
This legislation will help small businesses that face cyber threats by providing access to additional tools, resources, and expertise through existing Federal cyber resources by allowing the Department of Homeland Security and other Federal agencies to provide assistance to small businesses through the Small Business Administration's non- Federal partners, the Small Business Development Centers, or SBDCs. This increased coordination will lead to greater cyber support for small businesses.
I commend Mr. Hanna for his hard work on this legislation. He has done a great job as chairman of his subcommittee. Unfortunately, he announced his retirement, and he will be leaving us after this term. He has really done a tremendous amount of work for small businesses all over the country because he, himself, has been a successful small- business person; so he knows what the challenges are, and he has tried to put them to work in his years here in the House in helping small businesses all across the country. After all, 70 percent of the new jobs that are created in the American economy are created by small businesses, so they are absolutely critical. Again, I commend Mr. Hanna for his hard work on behalf of these folks.
I urge my colleagues to support H.R. 5064.
Mr. Speaker, I would, first of all, like to thank my colleague, Ranking Member Velazquez, for, once again, working in a bipartisan and cooperative effort. That is one thing on the Small Business Committee we always try to do, and we have a very good working relationship. I want to thank the gentlewoman for continuing that on this bill and bills in the past and, hopefully, bills in the future as well.
Relative to cybersecurity attacks, we have seen the United States under a legion of attacks in recent years. They happen virtually every day. The Federal Government itself has been hit a number of times. The Office of Personnel Management had 20-plus-million personal individuals who had their files hacked in the government. We have seen the Postal Service, we have seen the State Department, and we have even seen the White House hacked. So it is a big problem.
Now, this happens to large corporations. We have had some of the largest corporations who have really taken it on the chin, and literally it cost them millions of dollars. Corporations like Target and you name it, they have really been hit. They generally have the resources that they can recover from this. As detrimental as it is to their business, they survive.
When this happens to small businesses, it may virtually be the death knell for them. You may have families who no longer have their source of support because the business just can't take a hit like this.
In my opening statement, I mentioned the person who knew the restaurant down the street that it happened to them. The businessowner wanted to pay his employees, and he couldn't pay them because his balance was zero. So this is a serious threat.
The small business community needs help. This is a step in the right direction. Representative Hanna, whom we have all praised, really does deserve the praise because he took this and worked very hard to get this bill to the point where we are here tonight. Hopefully we are going to pass the bill.
So I think this is a great piece of legislation. H.R. 5064 would offer much-needed cybersecurity support to America's small businesses. It would also better coordinate the Federal Government's overall strategy in helping small businesses to thwart cyber attacks.
I would urge my colleagues to support this bill.
I yield back the balance of my time.
BREAK IN TRANSCRIPT
Source