11.08.17

Cantwell Questions Equifax, CEOs on Massive Data Breaches, Encourages Vigorously Pursuing Cybersecurity Measures

Cantwell: Private, public sectors need to work together to protect consumers’ data

Equifax hack exposed personal information of 3 million Washingtonians

WASHINGTON, D.C. – At a hearing today of the U.S. Senate Committee on Commerce, Science, and Technology, Senator Maria Cantwell (D-WA) questioned the CEOs of several companies that have failed to protect consumers from massive data breaches, including Equifax and Yahoo!. The senator highlighted the importance of cybersecurity and drilled down on how the companies can bolster their cybersecurity hygiene, the ‘locks on the door’ that keep cyber intruders at bay, to better protect consumers’ sensitive information.

“The issue of cybersecurity is here. It’s a national security issue. It’s a consumer issue. It’s a future issue on identity theft and the ability for individuals to protect things they hold dear,” said Cantwell.

Cantwell also suggested that companies and the federal government must work in concert on cybersecurity: private companies must put in place their own robust security measures, while the government must do more to counter state-owned bad actors and invest in critical security infrastructure.

“We need companies to follow a cyber hygiene regimen with great, religious fervor. I believe that we have to help do our part too. Because if state-owned actors are going to continue to hack, we need to do something,” the senator continued. “We have to, at the federal level, up our game and make sure that we’re making investments to help on critical infrastructure and certainly we should be addressing this issue on an international basis.”

The witnesses at today’s hearing included:

  • Mr. Paulino do Rego Barros, Jr., Interim Chief Executive Officer, Equifax, Inc.
  • Mr. Richard Smith, Former Chief Executive Officer, Equifax, Inc.
  • Ms. Marissa Mayer, Former Chief Executive Officer, Yahoo!, Inc.
  • Ms. Karen Zacharia, Deputy General Counsel and Chief Privacy Officer, Verizon Communications, Inc. (parent company of Yahoo! since 2017)
  • Mr. Todd Wilkinson, President and Chief Executive Officer, Entrust Datacard Corp.

A transcript of Senator Cantwell’s questions and the witnesses’ answers is below.

Senator Cantwell: Thank you, Mr. Chairman, and thank you for holding this hearing.

We’ve had several larger Commerce Committee hearings on cybersecurity—certainly had some in the Energy Committee and I think Homeland Security has had some; I think the Armed Services Committee has had some.

I think now is the time for us to be very serious about passing legislation as we did out of the Senate that would help us fight the issue of cybercrime and particularly help strengthen our critical infrastructure against state actor attacks, as Ms. Mayer mentioned.

But these aren’t the only things that are being attacked: our networks at nuclear power plants, pipelines, a whole variety of things. And as we continue to grow the economy of the Internet of Things—the hearing we just had, I guess that was yesterday—we also heard about how more devices and more connectivity means more data entry portals for people to attack.

So I hope our committee will join in the efforts to get cybersecurity legislation over the goal line this year. I think it’s not too soon to act.

I too want to bring up that there’s 3 million Washingtonians who were impacted by the Equifax breach, according to my information. It’s my understanding, Mr. Barros, that a patch was available that was not implemented, like a basic hygiene issue wasn’t followed. Is that correct?

Richard Smith, former CEO of Equifax: That is correct.

Senator Cantwell: Why can’t Mr. Barros answer that question? Because he doesn’t know?

RS: He was not in the position at the time.

Senator Cantwell: OK.

Paulino do Rego Barros, Jr., Interim Chief Executive Officer, Equifax, Inc.: I came to the position six weeks ago. And this is my understanding. My understanding is the same as being deposed here by Mr. Smith. What happened is a combination of human error and technology. I defer to him because he actually lived through this process.

Senator Cantwell: What was the technology error if a patch was available and it wasn’t implemented by an employee? And the reason I’m asking you about this—and I understand the dual role here—but my point is this: we have to do both.

The issue of cybersecurity is here. It’s here. It’s a national security issue. It’s a consumer issue. It’s a future issue on identity theft and the ability for individuals to protect things they hold dear.

So we have to do both. We have to, at the federal level, up our game and make sure that we’re making investments to help on critical infrastructure and certainly addressing this issue on an international basis. What do we need to put into place on an international basis to get people on the same page in fighting cyber crime—we have to do that.

But at the same time we need to make sure that everybody gets hygiene and that the hygiene of your day-to-day business and even your home computer and everything else is going to be a critical aspect of the world that we now live in.

So I want you to know and be able to speak to the fact that one individual failing to put a patch in place caused this much damage.

PB: Since I got to this job, my first priority has been to harden our security systems. We have done a comprehensive review of the process, including our patching capabilities, including our tools, updating our tools, making sure that they are detecting processes much more up-to-speed at this stage. We have changed the policies to make sure that we have redundancies and closed loops in place in order to improve the accuracy and precision of our execution.

Senator Cantwell: Do you think it’s good enough to have voluntary safeguards for the industry or is it time for something more stringent?

PB: I understand the safeguards that we have. I think they provide a scope and we have complied with the scope before. The industry is ahead of that in many perspectives in deploying new tools, using new tools. We definitely welcome the conversation.

Senator Cantwell: I would say that we need something more at this point in time. That if, on the hygiene issue, one employee was able to miss something as critical as this and put so much data at risk, then we need something to make sure that this is implemented.

Anybody else on the panel want to answer that question? Mr. Wilkinson?

Mr. Todd Wilkinson, President and Chief Executive Officer, Entrust Datacard Corp: The vulnerability that we’re speaking of, not that you want the specifics of it, was called the Apache Struts. We were aware of it in March; we became aware of it in March publicly. This is a zero day vulnerability. These types of vulnerabilities are serious and they happen more often than we’d like to speak about.

When we become aware of zero day threats, our need to react to those kinds of threats is quick and has to be conclusive. This is something that we’re going to continue to see. It’s not new and it’s going to continue to happen.

This concept that you continue to speak about Senator of “cybersecurity hygiene” is a very important one because—I liken it a little to locks on doors. We can speak for a bit about the fact that no matter what we do there’s some vulnerability in our ecosystem, there’s still some possibility that we’ll be breached.

But some of these best practices are frankly just like locks on your front door. Just because that’s not going to protect you against all crime, you still put a lock on your front door. Good cyber hygiene includes reacting quickly to zero day threats.

Senator Cantwell: Exactly. That is my point exactly. Thank you so much for that, because you just explained that you have to have… OK we have our national labs working day and night against the unbelievable amount of attacks that are happening every single day. We have all of this effort that we’re now going to try to do both in getting a skilled workforce that this committee had a hearing on…

But we need companies to follow a cyber hygiene regimen with great, religious fervor. I believe that we have to help do our part too. Because if state-owned actors are going to continue to hack, we need to do something. But we need the companies to follow a hygiene and be very religious about it.

Thank you, Mr. Chairman. I know that my time is up.

###