Statement of the Hon. Judy Chu on 21st Century SBA: An Analysis of SBA’s Technology Systems
Washington, July 22, 2020
I am pleased to be holding this important hearing today to learn more about the Small Business Administration’s information technology (IT) systems, IT modernization efforts, and cyber security strategy.
SBA has counted on its technology systems to implement the programs that help entrepreneurs launch and grow their small business. And millions of small businesses have relied on them over the past few months to access the assistance they need to survive the Coronavirus pandemic.
I would like to thank Mr. Guy Cavallo, the Deputy Chief Information Officer for SBA, for being here today to discuss SBA’s efforts to modernize its systems and address some of the technical issues that have hampered the rollout of economic relief programs.
Ineffective IT systems have been a persistent problem at SBA. While significant progress has been made to upgrade the systems in recent years, the magnitude of the pandemic has demonstrated the need for more modern systems that are faster, safer, and more efficient at delivering services to America’s small businesses.
Six months after the first confirmed case in the U.S., our country remains in the grips of the Coronavirus pandemic. Small businesses have relied on Congress and SBA to help them survive the necessary state-ordered public health lockdowns, restrictions on operating capacity, and significant revenue losses resulting from our fight to contain this virus.
This crisis has made it necessary for unprecedented numbers of small businesses to rely on your agency’s technology to access loan applications, connect to their local resource partners, find translated resources, and answer their urgent questions in a timely manner. However, several technical issues have arisen during the pandemic, making it both frustrating and difficult for small businesses to receive the relief they need in a timely manner.
This Committee acknowledges the toll that this unprecedented level of activity has taken on SBA’s systems, and we commend you and your staff for working around the clock to fix several of the issues. The Coronavirus has placed a historic burden on SBA, and we in Congress must ensure that you have the resources you need to assist the American people. But many of these system weaknesses have been known for years and should have been addressed and modernized long before this pandemic. In fact, some of these issues were brought to SBA’s attention as early as 2014 by the Government Accountability Office.
According to the Committee on Oversight and Government Reform’s IT scorecard, SBA has made improvements to its IT infrastructure overall, but is still scoring a “D” on cyber security. This is particularly concerning given the cyber security breach that occurred with the EIDL application.
In late March, SBA detected a vulnerability in the EIDL application, which allowed applicants’ personally identifiable information to be viewed by other applicants. Even more troubling, the individuals that were potentially affected were not notified until mid-April – nearly 20 days after the data breach. And the notification was simply a paper letter. The Committee heard from several recipients who were inquiring whether it was a scam or a verifiable document. At the time, SBA had failed to make any public announcement about the breach, again showing a lack of transparency that has been a consistent concern for the Committee throughout the COVID-19 pandemic. Affected businesses lost their place in the queue, were forced to reapply, and then were shut out of the program when SBA inexplicably limited applications to only agricultural businesses. We recognize that your office was not directly involved in those decisions, but they demonstrate the tremendous downstream impacts faced by small businesses that were affected by that initial IT system failure.
Other problems that arose during the pandemic were related to SBA’s loan processing system, E-Tran, which is a legacy system that SBA has planned to replace in an effort to modernize SBA’s IT infrastructure.
Issues concerning E-Tran are not new; in 2014 the GAO reported that “SBA may be unprepared for a large volume of applications to be submitted quickly following future disasters, which could result in delays in loan funds for disaster victims.” And in this report, SBA stated that E-Tran would be replaced by 2015.
However, in 2020 SBA is still relying on the same system. Shortly after the launch of the Paycheck Protection Program (PPP) portal, the system was inundated by applicants, causing it to go offline for four hours. The system then crashed again a second time when the PPP portal reopened in late April. While we recognize that SBA quickly increased bandwidth to address the system crashing both times, the agency cannot rely on a system that is incapable of meeting high demand in a crisis.
The Committee plans to explore what steps must be taken to improve SBA’s IT systems moving forward in order to prevent these issues from reoccurring should Congress authorize further small business assistance as we continue to fight the virus, or if a natural disaster should strike and compound the stress on SBA’s systems. It is imperative that SBA’s technology systems be modernized to meet the demands of the 21st Century.
With that, I look forward to hearing from Mr. Cavallo on the changes SBA plans to implement to its technology systems and what he needs from Congress in order address these technical failures to ensure the SBA IT infrastructure is fully prepared in the future.