Skip to main content

tv   Senate Subcommitee Hearing on Corporations Data Breaches  CSPAN  November 6, 2019 3:29am-4:32am EST

3:29 am
american hostages held. , negotiating with iran, wrestling with the ghost of history. a front row seat from here in
3:30 am
3:31 am
>> the committee will come to order. thank you all for being here. i'd like to thank the ranking member senator white house and the collaborator it's great to be here and doing this together. i was just saying i told him that it would be nice to have the answers because he's a tough questioner and he will take you to task. i'd like to thank the witnesses for your attendance and also highlight two empty chairs today which i say that he invited witnesses who apparently don't share your commitment to discussing the issues. one is for tiktok. if you don't know what tiktok is, you should. it's a chinese owned social media platform so popular among
3:32 am
teenagers mark is reportedly spoofed. for facebook the fear is lost to social media market share and for the rest of us it is somewhat different. a company compromised by the chinese communist party knows where your children are, what they look like, with their voicewhat theirvoices sound like watching and what they share with each other. they claim they don't store american user data on china. all it takes is one knock on the door of their parent company from a communist party official from the government hands. tiktok claims they don't take direction from china or censor in fact in a letter sent to just today to this committee, tiktok said both governments foreign or domestic direct how the moderate
3:33 am
content. they do not remove content based on sensitivities related to china or other countries and we wouldn't do so if asked. that's what they say and without objection i will enter the whole letter into the record. buit is and what the employees say. today the "washington post" is reporting that tiktok's chinese parent company imposed stricter rules on both code appear in keeping the restrictive view of acceptable speech. former and he said company officials based in beijing had the final call on whether these videos were approved. the former employees at the attempts to persuade the team not to block or penalize certain videos were routinely ignored. out of caution about the chinese government's restrictions. one former manager of tiktok's
3:34 am
parent company said they want to be a global company and numbers wise they have had a success. the purse is still in china and it always comes from the air and decisions all come from there. that is a different story than the one they told the committee in this letter and that is a problem. they should answer for these discrepancies. they should answer to the millions of americans who use their product with no idea of its risks and they should have been here today but after this letter to the committee, they must now appear under oath to tell the truth about the company and its ambition and what they are doing with our data. it isn't just for children's privacy but it's a threat to national security. we don't know what china could do with this data in aggregate and what it tells about the
3:35 am
society. they can see who he talked to, what we talk about, what we congregate and capture on video. not all of the users are kids, some work in government or for r the military. others are celebrity or work for other companies and positions of influence. what does it mean for china to have a window? why would he leave that window open? the other belongs to a company that has helped open the window on american consumers, apple. we are accustomed to hearings as a good corporate citizen that encrypts its messages and limits its own data collection from users and give them privacy controls, but the business model and practices are increasingly entangled with china effect we would rather not think too much about. it's essential to the bottom line is on the supply and demand side of the business the
3:36 am
investment in chinese production have helped build scientific manufacturing capacity of the greatest geopolitical rival. the chinese demand is even more critical and to service the demand, they are risking compromise with authoritarianism, the hosted the users data is part of a joint venture with the chinese government controlled entity. they frequently talk about encryption but there are those stored? china. apple said they have control over them but who knows what that means and they are not here to tell us. if you have family or business contacts you cannot count on the encryption to keep your interactions to or from the authorities and if you are a chinese dissident or protester in hong kong, the corporate values won't do much to protect you in the midst of the
3:37 am
democracy protest now in their 22nd week, they pulled an apple from the store that helped citizens stay safe during the police crackdowns because they pushed for it. a few days later tim cook was appointed to chair the board. if you are the user you cannot be confident that the chinese government isn't reversed engineering the platform and the privileged access to it with a joint venture with apple. we see two sides of the same claim when it comes to the data security. the danger of the chinese platforms and trade it to the u.s. market and the danger of american technical company operations in china. that's one of the most important subjects we can discuss, how does the industry entanglements with china in peril our data security. i look forward to the witness's testimony, thank you for being here and now senator white
3:38 am
house. >> i welcome all of the witnesses that are here. i have a fairly long history and i can remember when the senate had pretty much close to zero interest in privacy and data they have more data than the most intrusive government in the history of humankind and they pay virtually no attention. i'm delighted that that wall has come down and we now see the risk from the huge aggregations of the private data.
3:39 am
i've also been involved in a lot of the efforts for the cyber legislation. at one point we made a lot of progress when the bill focused on critical infrastructure. my republican coordinates for senator kyl, senator mccain who has been the chairman of the armed services sai so it was pry high-level operation. we made a lot of progress and had a considerable number of conversation where there wasn't a whole lot of news and noise to be made that with people from the private sector and the defense and agencies and when push came to shove, the republican leader went to the floor and said no cyber bill is coming without the cyber bill attached to it.
3:40 am
so that ended that effort and then along with the chairman i was the cochair of the report for the incoming president which is a very hopeful and thoughtful bipartisan cyber analyst is. when the president trump came and i looked at the very well-versed honorable professional in the cyber space, great technician and i looked at and attorney general to come out of the senate and the upgrade we have a great opportunity here to the political savvy to get the real bill going and of course as you know all of that has pulled apart and none of them work for the administration any longer and i couldn't tell you why i shouldn't talk to the administration about the legislation as their appearance level of interest.
3:41 am
i hope that we are in a good space to start doing some real work here. in closing i have remarks i would like consent to put in the record. i want to make a procedural point. in the committees we ordinarily operates one of two ways. operate one of two ways. say this is good to be bipartisan work together and agree on the witnesses of the consensus panel into the shape of the hearing is agreed to beforehand or you don't go that way but there's a kind of informal rule on t ground rulesr with each other. i'm delighted to go forward and appreciate your leadership in this area and i want to be very cautious about the hybrid. thank you for your work on this
3:42 am
issue and the senators eluting to the common goal which is to have administration officials testifying in the committee and that is a goal i share and look forward to doing it legal for the full cooperation. now let me turn to introduce the witnesses. the corporate vice president of security and trust microsoft. there he leads engineers, lawyers, policy advocates, managers, business professionals, data analysts. he joined microsoft in 1995 and filled several roles in the legal affairs department. mr. carter's deputy director of the program at the center for strategic and international studies. his research focuses on international cyber security policy issues including artificial intelligence, and privacy, data localization,
3:43 am
financial sector cyber security and law enforcement technology including encryption. a fellow at the national security program at the center for the new american security studies. before joining, ms. frederick helped create and lead the global security counterterrorism analysis program analyst team lead for the headquarters regional intelligence team in california and prior to this book served as an intelligence analyst and spent six years in the counterterrorism at the department of defense. senior technologsenior technolor the heritage foundation as the first senior fellow for technology, national security and science policy his research focuses on the intersection of technology and national security, the particular interest in artificial intelligence, autonomous weapon systems and intelligence issues and prior to joining cummings was the national security adviser to senator ben zacks. thank you for being here and i
3:44 am
will swear you in the fourth week of testimony. if you would please rise and raise your right hand. do you swear or affirm the testimony ithattestimony is thee whole truth and nothing but the truth, thank you. now we will hear your opening statements. thank you for the opportunity to testify today. i will comment on the work to combat criminal and nationstates cyber attacks and how we must work together in new ways to combat these attacks. the frequency and the success continues to grow and it's estimated the global financial impact last year was a trillion dollars and the nationstate attacks continue to increase in number and sophistication and impact. for more than a decade, microsoft has fought back.
3:45 am
but we have learned the best protect our customers when we were collaboratively with the government and others in the sector. the government has law-enforcement resources the private sector cannot match but the private sector has access to the site and the technological resources governments cannot match so we must work collaboratively. today microsoft digital crime unit truly unique in the private sector conducts business e-mail compromise crime and continues to lead the world in the efforts to shut down criminal but that's working closely we have now taken down 17 rescue includes 2,500,000,000 devices from these criminaletwos. law-enforcement faces unique challenges in combatingse that's why we were strong supporters of the cloud act which modernized how the data
3:46 am
can be accessed appropriately by law enforcement. we applauded the agreement announced between the united states and united kingdom implementing the act and encourage the department of justice to continue their efforts to negotiate and conclude additional cloud act agreements. despite the past success, we have not seen law-enforcement partner on the takedowns if you're concerned to rewaryouared recognition structures and the agencies do not today provided the incentives to devote more n. we hope congress will provide new incentives to prioritize the disruption and dismantling of criminal networks. in addition, we see increasing nations stayed attacks causing harm to citizens and enterprises around the world. we have used the disruption techniques that we pioneered to disrupt these actors intent on
3:47 am
destroying democracy. we have disrupted the groups operating in russia, china, iran and north korea and we will continue to do this important work. descriptiothe description is imt so is improving cybersecurity hygiene. unpatched systems are exploited by our adversaries so we strongly promote prompt installation of security updates. we advocate for the use of the multi-factor authentication and develop cutting-edge security services like microsoft. we can combat and defend that feels the need to reduce how many attacks are launched against our civilian enterpris enterprises. long-term solutions for protecting cyberspace require clear and binding commitments that are acceptable to the behavior. this problem cannot be solved by government or the private sector
3:48 am
acting alone. multi-stakeholder solutions are essential to combat what is necessarily a multi-stakeholder problem. that's why last year microsoft was proud to join in supporting the call for trust and security in cyberspace, a voluntary commitment to mine foundational security principles including from cyber attack, critical infrastructure, elections, the public core of the internet and intellectual property. the call has been endorsed by more than 65 governments in over 500 enterprises and organizations. unfortunately the united states is not yet an obstacle. for the sake of the security of american citizens, those around the world endangered de-escalating of the attacks online, microsoft continues to encourage the united states to join this landmark multi-stakeholder commitment. the private sector and government must work together to
3:49 am
invent 21st century solutions to the uniquely 21st century threats. microsoft stands ready to do our part. thank you and i look forward to your questions. >> distinguished members of the subcommittee, thank you for the opportunity to participate on this important topic. threats remain one of the most important risks facing the nation. companies that collect and use data face threats from malicious cyber actors and restrictive government policies. the lack of u.s. leadership on global issues of cybe cybersecu, data governance into digital law enforcement has been in a difficult position caught between the need to secure data against lawful and unlawful of use and demand of access to data. they are growing fast. the attack is more of their lives move online and proliferate has created vulnerabilities that can be exploited by malicious actors
3:50 am
and the cyber capabilities have become as tabs in the arsenals of the government. and the gray market and the capabilities has grown up to need that. both administrations repeatedly demonstrated a lack of resolve to impose meaningful consequences on the nationstate violates the behaviors and engage in cyber attacks against the u.s.. cybercrime has also become an epidemic. in 2018, csi has estimated the cost was more than $600 billion. nearly 1% of gdp. of 35% from 2014. the cyber activities are largely consequence free. only 0.3% of the reported cyber attacks in the united states result in an arrest in cyber crime is a massively underreported crime, the attacks are one of many threats to private and sensitive data into the challenge for the companies is the growtcompanysince the grl exploitation of the data by governments. countries wish to enforce the
3:51 am
law and protect the citizens as they defined both of the goals and expect companies to do business to enable them to do so. the problems arise when they lack appropriate government mechanisms and when they lead to the technology platforms in the global populations they serve into thand the government inteny utilized commercially available technologies from the oppression and exclusion. u.s. companies and u.s. government developed a range of technologies and policies to combat the challenges. they utilize technical solutions like unrecoverable encryption for the data to be an accessible even with the legal order. u.s. government has also helped companies protect data for example for the electronic communications act prevents companies from disclosing the contents of communication stored in the united states to the government on this at the mutual legal assistance request in the u.s. government. this approach has the
3:52 am
significant costs and trade-offs. implementing the solutions to prevent the companies from disclosing the data is great except it can also prevent them from providing data to serious crimes and terrorism. the rollout of the encryption on facebook messenger for example will hurt many of the tools ineffective and requiring new strategies to combat child porn. policies like encryption mandated retention requirements of the companies preserve their accesaccess today that can leado worse security outcomes for everyone. when governments are not able to access the meme many of them turn to cyber attacks to fill the gaps. the government must play a role in addressing the threats of the data security both lawful and unlawful around the world. as the senator mentioned in 2015 he chaired a cyber task force to strengthen security for the united states. the key recommendations remain within today. incentivizing and regulating the adoption of the cyber security
3:53 am
practices increasing penalty on playability for those that fail to protect data or products in addressing resource gaps for the fundamental research workforce development can help to advance cybersecurity around the world and creating serious consequences is also essential. we must empower law enforcement to effectively combat cyber crimes and to demonstrate the political will to impose penalties on the nationstates that engage in the cyber activities. even when it was a strain on complex activity relationships. u.s. government must also take the lead developing the governance framework for the world. last year we produced a report called low hanging fruit evidence-based solutions to the challenge which outlined a series of recommendations to streamline collaboration between companies and governments and facilitate access to data making it easier to access and utilize data that is available and with appropriate safeguards to reduce the pressure to pursue harmful policies like the data localization and eight, data
3:54 am
requirements and hacking and puts a spotlight on those that intentionally exploit the data to marginalize their citizens. thank you for the opportunity to testify and i look forward to your questions. >> distinguished members of the subcommittee thank you for the opportunity to testify today. i am here because the contacts t between the free open societies and closed regime's is playing out on the digital front and our data will make all o the difference. when i worked at the tech firm in silicon valley, the same way and we could do more in one day than others could accomplish in a week. much of that impact was the result of the volume and variety of data at our fingertips and what we could do with it. my experience with the collection and analysis as a member of the u.s. intelligence community similarly impressed
3:55 am
upon me the advantage of data security but also what can happen when the vulnerabilities are exploited. many people are working in america to get all of this right and it's imperative that we do so. the context of the work is before us. technology is being repurposed to undercut its original winterizinpotential. .. further, authoritarian regimes continue at to attack with tools created with free societies. russia is infuriating its complaint of cyber hacking and attacks against united states and europe. iran is following through. north korea effort has not beta.
3:56 am
and even as these tactics spread around the gold under global the technology is involving enabling sophisticated assaults. synthetic media, machine language model with the potential to generate false information at scale and automated spearfishing to the more difficult situations to come. the united states a system of checks and balances is a bulwark against the technology within our own borders. properly pride our democratic system offers a set of institutions and practices to act as guardrails on the internal use of the technology. that relying on the system is no longer enough. americans are confronting deep systemic risks using platforms operating in and owned by companies in countries with a history of cyber espionage and transfer. private chinese technology company's ability to resist the government is highly circumscribed at best. you import to series national laws and standards that are broadly written and often compel
3:57 am
the companies to comply with government requests for data. russia also has a data localization requirement in a similar scenario is likely to play another regimes. further, we should explore the implications of combining and correlating a massive data set two populations around the globe. china already has a president of synchronizing biometric and behavioral data for political and social control. the integrated joint operations platform and much discussed social credit system are evidence of this. china is also exporting its values embedded in the technology itself to the world. it is unclear whether tiktok continues under the content moderation of fibroid 2019. still, instead of importing the values of censorship and control to the u.s., we should be exporting our values of transparency to them. this is all occurring against a backdrop of a digital
3:58 am
environment growing more complex. for instance, technical signatures are becoming less conclusive when it comes to attribution as result when russia hijacked an iranian cyber espionage last month. this makes it that much more difficult to go back there attacks against her own system and respond accordingly. solutions are overdue, a democratic society does not establish the rules of the road for a data security and privacy protection, authoritarians will do it for us. congress with inter-agency of communing intercommunication technology the likelihood of systemic risk. lawmakers should sign data protection especially for sensitive biometric data and incentivize transparency in the government and private sector. for private companies they play critical role. a sustained access to a high volume and variety of personal data with high commercial value
3:59 am
within ordinance control. american tech companies should therefore adopt a set of rules, norms and guiding principles for the use of the technical globally. that will not tip the scale in favor of repression. american private companies, should treat u.s. national security as their own comparative. thank you, i look forward to your questions. >> thank you chairman holly and recommend white house and the members of the subcommittee. when i was in the united states intelligence committee our mission was to collect, to understand, predict and to shape human behavior and events. those in government call this intelligence. technology companies called this market research. data analysis, segmentation or service provisioning. but in reality, the age of the
4:00 am
economy, were all in the intelligence business now. the pool information of sensors in the data and the exponential growth in capacity are combining to reduce unimagined possibility for human thriving and agonist but these positive outcomes are not the only thing that is being crated. cybersecurity risk are combined with aggressive hostile to create an environment that you understand and that fewer are prepared for. china is a simple concern in this regard. for decades, countries like china and russia have pursued a deliberate strategy of using their foreign policy and intelligence communities to copy into steel market technologies. these strategies are starting to produce meaningful results with several foreign tech companies legitimately rivaling u.s. tech leaders in both innovation and
4:01 am
market capitalization. if left unaddressed, this could pose a challenge not only to the economic security but also the greater national security. in january 2020, for example, a new chinese sidin secured logo d effect and companies operating in the country will have no place left to hide. the new law is part of beijing's year-long effort to expand the surveillance programs and rooted in a cybersecurity overhaul adopted in 2016. next year, all companies including foreign owned companies, must arrange and manage their computer networks so that the chinese government has access to every bit and byte of data that is stored on transits over or in any other way touches chinese information infrastructure. put simply, the chinese government will have lawful and
4:02 am
technical access to all digital data within its borders and perhaps large volumes of data beyond those borders. companies have long known that the intellectual property or ip, trade secrets and communications are highly sought by the market competitors in asia and by the chinese government in particular. many of these risks are some but accepted as the price of doing business in china. those risks that are deemed unacceptable are mitigated by security technologies and networking strategies that have critical information from prying eyes. >> all of these technologies and strategies under the new law will be illegal. for example, this currently place for companies operating in china to set up private networks and which are data and communication stored and sat when the encrypted pipe the outsiders -- >> these dpms have an underlying
4:03 am
encryption to prevent access from the chinese government will no longer be allowed. there will be no truly private or encrypted messaging in china, no confidential data, no secrets. no exemptions. if the company operates in china, it will be required to operate in such a way as to provide the countries intelligence and law enforcement authorities on federate visual access. the days of paying the it text for access to the world's fastest growing market are over. this access will not cost you everything. imprecisely the chinese plan. to put a simple, our long-term economic and an international security must account for and rollback a sustained campaign of cyber enabled economic warfare, the likes of which will take a leap forward in just two months.
4:04 am
i provided ample fine inflammation in my summative testimony and i'm happy to answer your questions to the best of my ability. >> thank you. thank you to all the witnesses, i'd like to start with tiktok if we could and what they're doing with all the data there there collecting from american users. i want to get it on the record that tiktok is collecting a lot of data in terms of service, i will quote, it collects contac t details in your location. it collects third-party social network providers and technical and behavioral information about your use of the pot for pride in it collects information contained in the messages you send through the tiktok platform and information from your phonebook. that is a lot of data. it's pretty comparable to the daba harvesting machine like facebook and google are scooping up. tiktok says they store american user data here or in singapore
4:05 am
not in china, but let me address this question, that doesn't necessarily mean the fact that they store the data here or in singapore does not mean that beijing cannot get to it. is that right? >> the greater question is that the law applies to the parent company. that is essentially the problem. there is a parallel in china which tiktok ever since the 50th investigation came to light, has made the moves to extricate their dealings and what goes on in china and to do so explicitly in the alpine china is basically like the parallel version of tiktok but existing in china. they have showed the themselves by saying everything in tiktok is u.s. or western friendly nation based in stored in the
4:06 am
u.s. but by dance, the 2017 acquisition is what is being investigated, that is a problem and something we need to think about and it would be the parent company in china. >> bite dance is the parent company of tiktok and it's a chinese based company. they are subject including the 2017 national intelligence law which requires chinese organizations and companies to cooperate with state intelligence work. that's the designation and the law. is that right? >> that is correct, as a chinese company the parent company is reasonable to assume that any individual information included information of american users can be harvested and excluded. one other point, technically it must be true. a lot of the development of this application is done in china
4:07 am
still. even the operating company. have to be able to push from chinese development into the u.s. market if they want to have an updated increasing capable technology. the idea that they can somehow meaningfully, technically warding off information from china does not make sense operationally. >> that's a really important point. much of the app is developed into the content of what's used in developing china is pushed to users here in the united states, the parent company is a china-based company excepted to the restrictions or having their doors open anytime by the chinese communist party under chinese law. in today's washington post article, the leverage of the government, the chinese government has over the people who have access to the data, that's what's relevant, do you
4:08 am
agree with that? the ability of beijing to go to bytedance there. company and say you are required under chinese law to give us access to all the data, that means that bytedance could take american users data and taken to beijing is offered as a. >> without a doctor. >> me talk about the ways that tiktok or other chinese company could abuse this data. am i right in thinking that the thomas weapons systems rely on artificial intelligence and able to interpret and identify imag images. >> that is true. >> if china obtains images of our servicemen and women through social media or the opium attack, could that have relevance to how they train their a.i. and a thomas weapons? >> absolutely. one of the criticisms that china has developed up until this point is centric perhaps they were able to upgrade, this would be a way of addressing the delinquency.
4:09 am
>> because of the sheer amount of data and imagery we get of western users. >> yes, sir. >> this a be the final question. how can we ensure tiktok or other chinese tech companies aren't trojan horses that are gathering data on americans and sending information back to china to be collected and gathered and used for the beijing government purposes. >> so you're asking how we can assure that, i'm not sure we can. the law that i described simply requires access and anyone who thinks that a chinese company even if they have an american portion of the company can look at the government in beijing and tell them no that's a fundamental misunderstanding of how the government in beijing works. >> thank you very much. senator whitehouse be executor men. one of the things that is a stress test to see how good it is of performing an assigned task of providing cybersecurity,
4:10 am
i'm reading us recent survey of 1500 business leaders by microsoft and marsh found 37% of firms believe the industry standards are effective at preventing cyber attacks, the same survey found no confidence that they can prevent cyber threats and 22% had no confidence they could respond to cyber events. at the time of the stress test framework? >> senator, i think two things about the survey one that was performed by marsh in collaboration with microsoft. one thing we saw which you think is a positive development is between 2017 when we did it the first time in the most recent survey, we seen the number of people in the enterprises that were surveyed were aware of the risks that they face in the need to take steps has increased significantly. that is a good thing.
4:11 am
>> not enough. >> it's not enough absolutely. the framework we believe were one of the contributors working with it on that and we believe the framework is actually a very useful framework -- >> companies should be assessing their cybersecurity maturity. it's one of the things that we regularly assess our cyber security maturity as a company relative to the framework and i know from discussions with others around industry in general that increasing companies are adopting and using it. >> be quick my time is short. >> it's very complex, this framework is complicated and if you don't have a big it staff it be hard to implement. that's what we but with others in the industry and simpler tools for small and medium-size business to apply a simple version of the framework. >> mr. carter, between the
4:12 am
desire of the private sector and not reputational harm when they been hit by cyber attack and the over classification that the federal government indulges in, how complete do you think the picture is that the american public gets of which are country and company are under cyber attack? >> i think the picture is very incomplete partly because there are a lot of disincentives to accurate reporting partly because there are no clear mechanisms for consolidation of that reporting partly because many are obvious to the victims. and partly because in many cases the information that is shared and auto mice to the point that is largely used for understanding the threat environment that we face. >> back to you, you guys were the leaders in botnet takedowns, i was fighting to get the department of justice to do more back then when you first complaint was filed, i was
4:13 am
telling chairman, were both recovering lawyers, what a joy it was to read the complete because it existed and be when he got to count six or something like that there was account of trespass channels which is a doctrine from the medieval english common law that i probably slept there in my foundation of the property law class, but clearly microsoft has been a leader in fighting them for a long time, what more could the department of justice do now to continue the process of constant weed cutting that needs to take place -- is there any good use for a botnet? >> or is it a week, what marsh we do to weed whack them. >> almost all our weeds.
4:14 am
there are some for research purposes that can be identified. in our view, almost all botnets that meet the standard are weeds that need to be eradicated. there's two things we like to do with the department of justice and law enforcement to improve. one we need more strategic coronation when i meet with leaders across law enforcement and then told his community, dhs we always talk about public partner ship but are not doing enough to realize that. it's an area were were committed and no if we can meet strategically to identify, what are the key botnets in the most serious ones, how can we join together in a collaborative way to do something about that. that would be step one. >> it's a full smart supplier for some evildoer. >> it's an evildoer who has managed in fact thousands or millions of computers with their malware -- >> they can coordinate cybercrime across all the computers without their victims even knowing that the computers
4:15 am
have been infected. the second thing for the department of justice and fbi to have the right incentives in the right priorities paid to reducing botnets to attack botnets even when they cannot necessarily get handcuffs on the perpetrator because they're living in countries with no extradition or the other challenges we face. disrupting the botnets alone and stopping the criminal enterprises is in itself an important thing to do. >> finally if i may go on, i've been arguing for quite some time should pursue a coalition of the willing to create international cybersecurity norms. i think the obama administration made a mistake try to bring the russians and chinese into a productive discussion on the subject. it's a little bit like trying to bring burglars into a productive discussion on home security.
4:16 am
forget them, i would consider it would be wise for us as a nation, try to set norms with countries that share our values with a secure internet and i'm wondering if you believe the cybersecurity the private sector entered into in the institute that the private sector has stood up to eliminate the need or pursuit the government should engage in. >> it's a pursuit they should engage in. the cybersecurity is a group that microsoft initially set up but now we have over 120 companies around the globe who work together to endorse key principles of cybersecurity for the customers but also to articulate the view of the community on key issues about cybersecurity policy and appropriate norms. the cyber peace institute is a nonprofit to be based in geneva that will do work that is not happening elsewhere in the private sector to bring transparency to the impact of
4:17 am
nation states cyber attacks. the harm, the human harm that the cyber attacks are and work to increase resiliency around the world to these attacks. those are both important. what you said is absolutely right, the united states must join other like-minded countries to establish an enforceable norms of nation state behavior, if that means we can isolate those countries to abide by the rules, so much the better. at least will have isolation clear, but we the united states play a stronger diplomatic role, there's two pending united nations efforts underway, one sponsored by the united states and one sponsored by russia, the working side-by-side to try to establish norms of conduct for cyberspace. and we are working on both of those processes to ensure they are productive and result in useful outcomes.
4:18 am
those are both areas where we need the united states to be actively engaged in pushing for the norms. >> maybe with international sanctions to backup the norms. >> thank you for letting me go on all my time. >> i have a few more questions. only, too, i become increasingly concerned about the willingness of american companies, tiktok the american companies to store data in the tools necessary to read the data in china and i want to think about apple for a second which provides cloud services in china, a longtime apple store encryption keys into the united states the beginning last year in moved it over to china for the data that is stored there. let me ask you what are simple questions, encryption are what you need to be things like protected e-mails and text messages is all right? >> that is correct. >> if you have the encryption keys, you can read private communications that are stored
4:19 am
in the cloud, is that right. >> that is correct. >> they say because apple chose to move encryption keys to chi china, chinese authorities will have far easier access to text messages, e-mail another data stored in the cloud, do you agree with that and can you talk to us about the application? >> i think the short answers i agree with, there is a distinction we made. the actionable took, it moved encryption keys associated with chinese users of the capabilities. it's not all users, it's chinese, as you mentioned, data localization. that being said in her opening statement you raise the point that by having the access or the significant axis that they enjoy, they will gain greater insight into the interworking of apple and icloud account. which could allow them to do a great deal more with collecting outside the border. >> that is a concern.
4:20 am
>> let me ask you this, how does chinese access to encryption keys for data stored in china by apples chinese users, how does that affect an american who sends an e-mail or text to a family member in china or friends in china or business contacts. >> it can be captured. >> in other words, it could potentially -- the fact that the keys are stored in try to cope with the whole communication string at issue. if you have an american here sending information to friends, family members, business associates whatever, the fact that is encrypted and nobody can get to it, that is not necessarily true sense encryption key are stored in china for china user data, my correct about that. >> that's correct. if there is any chinese within the loop it compromises the entire network. >> let me ask you this, you alluded in your last testimony, would you trust any tentative data being stored in china, would it concern you if you
4:21 am
location data was stored in china or e-mail data? >> as a member of the intelligence community i assume they have much of my data. and i don't like that. so no, i don't think that is okay, i don't think any person has to make a recognition that is likely the case in the real change now is these governments in the capabilities themselves are becoming sufficiently big to where that's a problem, up until the point is been theoretical. now were developing the capability to exploit the information in ways that are meaningful to the chinese and u.s. systems. >> would you say that apple and companies like them are compromising american interest in data security by storing the data itself as well as encryption keys? >> all make two points, any company that is complying with
4:22 am
china suit country security laws affect more than the bottom line. these decisions are not risking our own national security. china imprisons and tortures and kills religious minorities and using companies to do this at scale. now operating according to the laws of the country where you do business is only rational to agree those laws are just. but let's remember there were plenty of people who were following the law in nazi germany and that does not excuse them from the consequences of their actions. >> i'm really struck by what you said that beijing is using compliant companies to carry out repression at scale. that i think sums it up. anything further? >> i may ask two questions, you mentioned the opium hack, i think the opm hack is very significant and highly relevant to the hearing.
4:23 am
could you give a minute on what the opm hack was and what it discovered about you and other government workers. >> and who did it. >> i'm going to discuss this as reported in the news. >> it was publicly reported in the news and is been identified that the chinese were responsible for infiltrating and exploiting a number of databases that were held by the office of personal management the federal government hr organization. and they were able to among other things x will treat what is called the express 80 form which gives you everything about ourselves, they got fingerprints and a whole host of other things. this information is hard to
4:24 am
scope this tele-information couldn't be used. in terms if you thought about as a counterintelligence that, you can look at the individuals who have been processed with the fs-86 and how they been allowed to enter into the intelligence community and if it was your objective to place a spy within the community, you would have the ability to determine what is the perfect legend for that purpose. how do we optimize them so they can get in with as little difficulty as possible. you now have the information. if you want to build a profile on the type of people in the community. you can do that. there was original -- remainder cells feel better by saying certain agencies were involved but again their absence, you can use that to discover who they were by exclusion, if you're under state department covert operating overseas but not in
4:25 am
the database, guess what, they know who you are. so these are just obvious kinds of things. the broader problem, this is going to a broader strategy with the chinese strategy. they're building a mosaic of insight and awareness that is a catastrophic national security concern that we have not dealt with. >> if an american company has access to enormous amounts of personal data of an american like google or facebook, and they're trying to monetize that. what are the constraints on them doing business with either a foreign company that front for the government or foreign government directly and selling as they would to any other customer, the information that they offer or the service of providing information as they offer. sometimes they don't tell the customer the information they do say trust us, we'll do it will
4:26 am
hit all the people you want to hit. what are the restraints on an american corporation doing that with a foreign government or front corporation for foreign government. >> the problem here, the restraints are deficient. there is not enough transparency, right now we don't have granularity into what these american companies are necessarily collecting. i alluded early on into the work that prevent abuse, the system we have in place that is critical to make sure the data by americans is not exploited, facial recognition is a huge topic. the problem we have not figured it out. that's what i mean but the rules of road have not been set, u.s. government does not have that much transparency into the behavioral data, the biometric content and everything american companies. that is a problem.
4:27 am
we need to work together with public-private partnerships are critical in this way and we need to help draft legislation that puts a proper constraint on this. basically says data matters, there should be value your data that is propagated throughout the american populace. i think we basically need to do better in that regard. >> i think willful blindness seems to be a theme, they don't want to ask the questions, they don't want to hear the answers, when facebook is doing something as obvious of selling potable advertisements and accept payment in google, you would think summer and the genius apparatus, somebody might have thought, i'm selling political ads in my home country and the payment is dominated in rubles.
4:28 am
what might that mean. that they did not care to look, didn't try to look they didn't want to look, they wanted to cash him and move on. and then when they improved their genius strategy and trying to prevent foreign interference in our election they went all the way to making you create a corporation. facebook does not even require that the corporation is buying the potable advertisement, it's who's behind it. so if you were to set up boris and natasha llc as a phony delaware corporation, facebook would happily sell you political advertising time even though it be obvious to an ordinary person that something is up. this business is trying to figure out how you create the incentive so blindness is not a successful business model for the security, it's something worth our attention. i thank you for the hearing.
4:29 am
>> thank you to the witnesses for being here. will standard drink. [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations]
4:30 am
[inaudible conversations]or micd
4:31 am
former acting fbi director andrew mccabe discuss u.s. intelligence and election security from the national press
4:32 am
club. >> thank you very much. this is a great turnout, i am flattered if there something else important in washington, d.c. tonight, i think you know what i'm talking about. [laughter] thank you for coming. i am dean of the policy of government at george mason university. and respond to the michael hayden center for intelligence policy and international security that has put on a number of wonderful programs over the past few years and we will continue to do so. i look very much forward to this special event and for those of you who do not know, george mason

22 Views

info Stream Only

Uploaded by TV Archive on