Senate Subcommittee Hearing on Corporations' Data Breaches, C-SPAN, November 8, 2019, 10:19am-11:26am EST
>> Data security experts shared their concerns over the Chinese social media app TikTok, as well as Apple's cooperation with the Chinese government regarding the storage of Chinese customers' data. The witnesses were part of a hearing of the Senate Judiciary Subcommittee on Crime and Terrorism. Representatives from both TikTok and Apple declined to appear at this hearing.
[inaudible conversations]
>> The committee will come to order. Thank you all for being here. I would like to thank Ranking Member Whitehouse, my friend and collaborator. It's great to be here doing this together. I was just saying to him, I told him I would tell you it would be nice to be in his good graces because he's a tough questioner. He will put you to the test.
I would like to thank the witnesses for their attendance today. I would also like to highlight two empty chairs today, which I saved for two invited witnesses who apparently don't share your commitment to discuss these issues. One chair is for TikTok. If you don't know what TikTok is, you should. It's a Chinese-owned social media platform so popular among teenagers that Mark Zuckerberg is reportedly spooked. For Facebook, that fear is lost social media market share. For the rest of us, the fear is somewhat different. A company compromised by the Chinese Communist Party knows where your children are, knows what you look like, what their voices sound like, what they're watching and what they share with each other. TikTok claims they don't store American user data in China. That's nice, but all it takes is one knock on the door of their parent company, based in
China, from a Communist Party official for that data to be transferred to the Chinese government's hands, whenever they need it. TikTok claims they don't take direction from China. They claim they don't censor. In fact, in a letter submitted today to this committee, TikTok said this: "No government, foreign or domestic, moderates how we -- TikTok does not remove content based on sensitivities related to China or other countries. We have never been asked by the Chinese government to remove any content, and we would not do so if asked." That's what they say. Without objection I will enter the whole letter into the record. But that's not what former employees of TikTok say. Today the Washington Post is reporting that TikTok's Chinese parent company imposed strict rules on what could appear on the app, in keeping with China's restrictive view of acceptable speech.
Former employees said company officials based in Beijing had the final call on whether flagged videos were approved. The former employees said their attempts to persuade Chinese teams not to block or penalize certain videos were routinely ignored, out of caution about the Chinese government's restrictions. One former manager at TikTok's parent company said this: "They want to be a global company, TikTok, and numbers-wise they've had that success. But the purse is still in China. The money always comes from there, and the decisions all come from there." That is a different story than the one TikTok has told this committee in this letter, and that's a problem. TikTok should answer for these discrepancies. They should answer to the millions of Americans who use the product with no idea of its
risks. They should have been here today, but after this letter to this committee, they must now appear under oath to tell the truth about their company and its ambitions and what they're doing with our data. The threat isn't just to children's privacy. It's a threat to our national security. We don't know what China can do with this kind of social data in aggregate, what it tells China about our society. They can see who we talk to, what we talk about, where we congregate, all captured on video. Not all of TikTok's users are just kids. Some work in government or for the military. Others are celebrities or work for major American companies, in positions of influence. What does it mean for China to have a window into how such users socialize? Why do we leave that window open? The other empty chair belongs to the company that has helped open China's window on American consumers, Apple. We are accustomed to hearing about Apple
as a good corporate citizen. It encrypts its messages. It limits its own data collection from users. It gives them privacy controls. But Apple's business model and practices are increasingly entangled with China, a fact they would rather not think too much about. Their China business is essential to Apple's bottom line, on both the supply and the demand side of the business. Apple's investments in Chinese production have helped build the scientific and manufacturing capacity of America's greatest geopolitical rival. But Chinese demand is even more critical to Apple's future, and to service that demand Apple is risking compromise with authoritarianism. The company hosts its Chinese users' iCloud data in China as part of a joint venture with a Chinese government-controlled entity, GCBD. Apple talks about encryption, but where are the encryption keys for that data stored? China.
Apple says it has control of those keys, but who knows what that means, and Apple isn't here to tell us. If you have family in China or business contacts there, you cannot count on encryption to keep your interactions secure from Chinese authorities. If you're a Uighur or a Chinese dissident or a protester in Hong Kong, Apple's corporate values will not do much to protect you. In the midst of the Hong Kong democracy protests, now in their 22nd week, Apple pulled from its store an app that helped protesters and citizens stay safe during violent police crackdowns. Why? Because Beijing pushed for it. Just a few days later Tim Cook was appointed to chair the board at the business school. And if you're an American user of iOS, you can't be confident that the Chinese government isn't reverse engineering the platform due to their privileged access to it via their joint venture with Apple. With Apple and TikTok we see two sides of the same coin when it
comes to data security: the danger of Chinese tech platforms' entry into the U.S. market, and the danger of American tech companies' operations in China. That's one of the most important subjects we can discuss at today's hearing. How does the industry's entanglement with China imperil our data security? I look forward to the witnesses' testimony. Thank you for being here, and now Senator Whitehouse.
>> Thank you, Chairman. I welcome all of the witnesses who are here. I have a fairly long history with this issue in the Senate, and I can remember when the Senate had pretty much close to zero interest in privacy and data, so long as the data was held in private sector hands. We would get quite animated about any data that our national security apparatus might have access to. When, by contrast, private
platforms had more data on Americans than the most intrusive governments in the history of humankind, we paid virtually no attention to it. I'm delighted that that wall has come down and that we now see the risks from the huge aggregations of private data in private hands as significant. So I'm delighted this is a topic. I've also been involved in a lot of the efforts for cyber legislation. At one point back we made a lot of progress on a bipartisan bill focusing on critical infrastructure. My Republican counterparts were Senator Kyl, who was then number two on the Republican side, and Senator McCain, who was then chairman on the Armed Services Committee, so it was a pretty high-level operation. We made a lot of progress. We had a considerable number of conversations where there wasn't
a whole lot of news and noise to be made, but a lot of good hearts and sincere work with people from the private sector and from our defense and intelligence agencies. And when push finally came to shove, the Republican leader went to the floor and said no cyber bill is coming without repeal of Obamacare attached to it. That ended that effort. Then, along with Chairman McCaul, I was the co-chair of the report for the incoming president, which is a very helpful and thoughtful bipartisan cyber analysis. And when President Trump came in, I looked at Tom Bossert, who I think is a very well-versed, honorable professional in the cyber space, a great technician, and I looked at an attorney general who had come out of the Senate and a DNI who had come out of the Senate, and I thought, great, we have an opportunity between the substantive knowledge of Tom Bossert and the political savvy in the Senate of
Sessions and Coats to get a real bill going. And, of course, as you know, all of that has fallen apart. None of them work for the administration any longer, and I honestly couldn't tell you who I should go talk to in the administration about cyber legislation, so low is their apparent level of interest. I hope we are finally in a good space to start doing some real work here. In closing, I have remarks and I would like to ask unanimous consent to put them in the record. I want to make a procedural point here, particularly in the Judiciary Committee: we ordinarily operate one of two ways. Either you say this will be a bipartisan hearing and we work together and we agree on the witnesses, there are consensus panels and the shape of the hearing is agreed to beforehand, or you don't go that way. You go a partisan way, kind of
an informal rule that one side picks so many witnesses, the other gets the opposite. If the minority doesn't think its views are being fairly expressed, they can call witnesses of their own and you get a fight panel, but often a very interesting one. This is a bit of a hybrid. Until last week we had bipartisan agreement on two panels, and all of that changed rather rapidly. I'm not going to get too excited about all this, because the chairman has expressed an interest in trying to make sure that the administration witnesses whom we had scheduled will be rescheduled, and I hope that is true. The panel that actually is here is a panel that was agreed to in bipartisan fashion, but I do believe if we're going to be doing bipartisan hearings then we should see that through all the way to the hearing and not follow the bipartisan path down until the week before and
then change to having sudden unexpected changes made. I just want to flag that, Mr. Chairman, because I think you and I have done good work before, and I want to make sure our ground rules for the chair and ranking member for these hearings are clear with each other. I am delighted to go forward with this hearing. I appreciate your leadership in this area, and I just want to be very cautious about the hybrid, where we are a bipartisan hearing until the last minute and then we are not. Thank you.
>> Thank you for your long work on this issue, and the Senator is alluding to a common goal that we both share, which is to have government witnesses, administration officials, testify in this committee, and that is a goal that I share and I look forward to pursuing with Senator Whitehouse, and we hope for their full cooperation. Now let me turn to introduce the witnesses. Mr. Tom Burt is Corporate Vice
President of Customer Security and Trust at Microsoft. He leads engineers, lawyers, policy specialists, project managers, business professionals, data analysts and cybercrime investigators to manage cybersecurity. He joined Microsoft in 1995 and has held several roles in the Corporate, External and Legal Affairs department. Mr. William Carter is Deputy Director of the Technology Policy Program at the Center for Strategic and International Studies. His research focuses on international cyber and technology policy issues including artificial intelligence, surveillance and privacy, data localization, cyber conflict and deterrence, financial sector cybersecurity, and law enforcement and technology, including encryption. Ms. Kara Frederick is a fellow of the Technology and National Security Program at the Center for a New American Security, CNAS. Before joining CNAS she helped create and lead Facebook's global security counterterrorism analysis program. She was also the team lead for Facebook headquarters' regional intelligence team in Menlo Park,
California. Prior to Facebook, she served as a senior intelligence analyst for U.S. Naval Special Warfare Command and spent six years as a counterterrorism analyst at the Department of Defense. Mr. Klon Kitchen is a senior technology research fellow at the Heritage Foundation. As their first senior fellow for technology, national security and science policy, his research focuses on the intersection of technology and national security, with particular interest in artificial intelligence, autonomous weapon systems, space and intelligence issues. Prior to that he was national security adviser to Senator Ben Sasse. Thank you all for being here. In keeping with the tradition of the committee, I will swear you in before beginning testimony. Please rise and raise your right hand.
[witnesses were sworn in]
>> Thank you. And now we'll hear your opening statements. Mr. Burt, we will start with
you.
>> Chairman Hawley, Ranking Member Whitehouse and members of the committee, thank you for the opportunity to testify today. In my comments I'll focus on the work that Microsoft does to combat criminal and nation-state cyber attacks, and I will discuss why government and the private sector must work together in new ways to combat these attacks. The frequency and success of cybercrime exploits continues to grow. It's estimated the global financial impact last year was $1 trillion. Nation-state attacks continue to increase in number, sophistication and impact. For more than a decade Microsoft has fought back. We have learned we best protect our customers when we work collaboratively with government and others in the private sector. Government has law enforcement and intelligence resources that the private sector cannot match, but the private sector has access to data and technological resources that governments cannot match. So we must work collaboratively to find solutions.
Today Microsoft's Digital Crimes Unit, truly unique in the private sector, combats business email compromise crime and continues to lead the world in our efforts to shut down criminal botnets. Working closely with law enforcement and private sector partners, we have now taken down 17 botnets, wresting close to 500 million devices from these criminal networks. Law enforcement faces unique challenges in combating these borderless crimes. That's why we were strong supporters of the CLOUD Act, which modernizes cross-border data access, appropriately, by law enforcement. We applaud the agreement recently announced between the United States and the United Kingdom implementing the CLOUD Act, and we encourage the Department of Justice to continue their efforts to negotiate and conclude additional CLOUD Act agreements. Despite our past success, we have not seen law enforcement partner with us on recent botnet takedowns. We are concerned reward and
recognition structures in our law enforcement agencies do not today provide the incentives to devote more and stronger resources to activities that protect victims but do not yield arrests and convictions. We hope Congress will provide new incentives for law enforcement to prioritize the disruption and dismantling of criminal networks. In addition, we see increasing nation-state attacks causing significant harm to citizens and enterprises around the world. We have used the botnet disruption techniques that we pioneered to disrupt these nation-state malign actors who are intent on destroying democracy. We have disrupted groups operating from Russia, China, Iran, and North Korea, and will continue to do this important work. Disruption is important, but so is improving cybersecurity hygiene. Unpatched systems are exploited by our adversaries, so we
strongly promote prompt installation of security updates. We advocate for use of multifactor authentication, and we develop cutting-edge AI security services like Microsoft Defender ATP. We can combat and we can defend, but we also need to reduce how many attacks are launched against our citizens and enterprises. Long-term solutions for protecting cyberspace require clear and binding international commitments that define acceptable online nation-state behavior. This problem cannot be solved by governments or the private sector acting alone. Multi-stakeholder solutions are essential to combat what is necessarily a multi-stakeholder problem. That's why last year Microsoft was proud to join in supporting the Paris Call for Trust and Security in Cyberspace, a voluntary commitment to nine foundational cybersecurity
principles, including protecting from cyber attack critical infrastructure, elections, the public core of the internet, and intellectual property. The Paris Call has been endorsed by more than 65 governments and over 500 enterprises and organizations. Unfortunately, the United States has not yet endorsed the Paris Call. For the sake of the security of American citizens and those around the world endangered by escalating nation-state attacks online, Microsoft continues to encourage the United States to join this landmark multi-stakeholder commitment. The private sector and government must work together to invent 21st century solutions to these uniquely 21st century threats. Microsoft stands ready to do our part. Thank you, and I look forward to questions.
>> Thank you, Mr. Burt. Mr. Carter.
>> Chairman Hawley, Ranking Member Whitehouse, distinguished members of the subcommittee, thanks for the opportunity to participate in
today's hearing on this important topic. Threats to private and sensitive data remain one of the most important risks facing our nation. Companies that collect and use data face growing threats from both malicious cyber actors and restrictive government policies. The lack of U.S. leadership on global issues of cybersecurity, data governance and digital law enforcement has put these companies in a difficult position between securing data and the demands of global governments for access to the data. Cyber threats are growing fast. The attacks affect more of our lives as we move online and connected devices proliferate, and so do the vulnerabilities that can be exploited by malicious actors. Offensive cyber capabilities have become a must-have in the arsenal of small national governments, and a thriving gray market in offensive cyber capabilities has grown up to feed that need. Both the Obama and Trump administrations have demonstrated a lack of resolve to impose meaningful consequences on nation-states that violate norms of state
behavior and engage in cyber attacks against the U.S. Cybercrime has also become an epidemic. In 2018 CSIS estimated cybercrime cost the global economy more than $600 billion, nearly 1% of GDP, up 35% from 2014. Malicious cyber activities are largely consequence-free. Only 0.3% of reported cyber attacks in the United States result in an arrest, and cybercrime is an underreported crime. Cyber attacks are one of many threats to private and sensitive data. In many ways the more troublesome challenge for U.S. companies is the growth of lawful exploitation of technology and data by governments. Countries wish to enforce their laws and protect their citizens as they define both of these goals, and expect companies doing business within their borders to enable them to do so. Problems arise when countries lack appropriate governance mechanisms to prevent abuse of that data, when cultural differences lead to clashes between the values of Western technology platforms and the global populations they
serve, and when governments intentionally utilize commercially available technology for malicious surveillance, repression and exclusion. U.S. companies and the U.S. government have developed a range of technologies and policies to combat these challenges. Companies utilize technical solutions like unrecoverable encryption to render their data inaccessible to governments, even with a legal order. The U.S. government has also helped companies to protect data, for example, through the Electronic Communications Privacy Act, which prevents U.S. companies from disclosing the content of communications stored in the United States to a foreign government unless that government submits a mutual legal assistance request to the U.S. government. This process, however, has costs and trade-offs. The same technical solutions that prevent companies from disclosing data to governments to prevent abuses can also prevent companies from providing data that can -- the rollout of end-to-end encryption on Facebook Messenger, for example, will render many of the tools currently used to combat child pornography on Messenger
ineffective, requiring new strategies to combat child pornography. Policies like data localization, encryption mandates and requirements that companies preserve access to data can lead to worse security outcomes for everyone. When governments are unable to access data through lawful means, many turn to cyber attacks to fill those gaps. The U.S. government must play a leading role in addressing the many threats to data security, both lawful and unlawful, around the world. As Senator Whitehouse mentioned, in 2015 he chaired the Cyber Policy Task Force for the 45th President to strengthen cybersecurity for the United States. Its key recommendations remain relevant today: incentivizing and, where necessary, regulating the adoption of basic cybersecurity practices and cyber hygiene; increasing penalties and liabilities for companies that fail to protect data or sell insecure products; and addressing resource gaps in support for fundamental research and workforce development that can advance cybersecurity around the world. Creating real consequences for malicious actors is essential. We must empower our law enforcement
to effectively combat cybercrime and demonstrate the political will to impose penalties on nation-states that engage in malicious activity, even when it puts a strain on complex security relationships. The U.S. government must take the lead in developing a functional and stable data governance framework. Last year we produced a report called "Low-Hanging Fruit: Evidence-Based Solutions to the Digital Evidence Challenge," which outlined recommendations to improve cooperation between companies and government and facilitate appropriate access to data. Making it easier for governments to access data that is available in appropriate circumstances and with appropriate safeguards can reduce the pressure to pursue harmful policies like data localization, encryption mandates, data retention requirements and government hacking. I thank you for the opportunity to testify and I look forward to your questions.
>> Thank you, Mr. Carter. Ms. Frederick.
[inaudible]
>> Distinguished members of the subcommittee, thank you for the opportunity to testify today. I am here because the growing contest between free, open societies and closed, repressive regimes is playing out on the digital front, and our data makes all of the difference. At a big tech firm in Silicon Valley we used to say we could do more in one day than others could accomplish in a week. Much of that outsized impact was the result of the volume and variety of data at our fingertips and what we could do with it. My experience with digital intelligence collection and analysis as a member of the U.S. intelligence community impressed upon me the great advantage of data security, but also what can happen when data vulnerabilities are exploited. Many talented people are working in America to get all of this right, and it is imperative we do so. The context of our work is before us. Technology is being repurposed
abroad to undercut its original liberalizing potential. The Chinese government uses digital systems to enable pervasive surveillance and exacerbate gross human rights abuses by targeting and persecuting Uighurs throughout China. The consequences of these abuses do not stop in mainland China. Beyond China's borders, countries are adopting Chinese technology to strengthen their own brand of technical illiberalism. Further, authoritarian regimes continue to attack democracies with the tools created by free societies. Russia is invigorating its campaign of cyber hacking and information attacks against the United States and Europe. Iran is following suit. North Korea's efforts have not yet abated. Even as these tactics spread around the globe, the technology behind them is evolving, enabling even more sophisticated assaults. Synthetic media, realistic bots, machine language models with the potential to generate false information at scale, and automated spearphishing are some of the difficult challenges to
come. Yet the United States' system of checks and balances is a bulwark against the perverse use of technology within our own borders. Properly applied, the democratic system offers a set of institutions and practices to act as guardrails on our internal use, but relying on the system is no longer enough. Americans are confronting deep systemic risk when using platforms operating in and owned by companies in countries with a history of cyber espionage and tech transfer. Private Chinese technology companies' ability to resist their government is highly circumscribed at best, due in part to a series of national laws and standards that are broadly written and ultimately compel these companies, like TikTok's ByteDance, to comply. Russia has a data localization requirement, and a similar script is likely to play out in other regimes. Further, we should explore the implications of combining and correlating massive data sets on populations around the
world. If democratic societies do not establish the rules of the road for our data security and privacy protections, authoritarians will do it for us. Congress should mandate interagency reviews of information and communications technology against criteria that encompass the likelihood of systemic risk. Lawmakers should entrench data protections for sensitive biometric data and incentivize transparency within the government and the private sector. Private companies also play a critical role. Their sustained and unfettered access to a high volume and variety of personal data with high commercial value gives them inordinate control. American tech companies should adopt a set of rules, norms and guiding principles for the use of their technology globally and for interfacing with authoritarian regimes that will not tip the scale in favor of repression. American private companies should treat U.S. national security as their own strategic imperative.
Thank you, and I look forward to questions.
>> Thank you, Ms. Frederick. Mr. Kitchen.
>> Thank you, Chairman Hawley, Ranking Member Whitehouse and the subcommittee. When I was in the United States intelligence community, our mission was to collect, to understand, to predict and to shape human behavior and events. Those in the community call this intelligence. Technology companies call this market research, data analysis, audience segmentation, or service provisioning. In reality, in the age of the so-called knowledge economy, we're all in the intelligence business now. The proliferation of sensors, the deluge of data and the expansion of capacity are combining to produce -- these positive outcomes are not
the only thing that is being created. General cybersecurity risks are now combining with increasingly aggressive hostile foreign actors to create an environment that few understand and that even fewer are prepared for. China is a central concern in this regard. For decades, countries like China and Russia have pursued a deliberate strategy of using their foreign policy and intelligence communities to copy and to steal American technologies. These strategies are starting to produce meaningful results, with several foreign tech companies now legitimately rivaling U.S. tech leaders in both innovation and market capitalization. If left unaddressed, this could pose a challenge not only to our economic security but also to our greater national security. In January 2020, for example, a new Chinese cybersecurity law will go into effect and
companies operating in the country will have no place left to hide. The new law is part of their years-long effort to expand their domestic surveillance programs and is rooted in a massive cybersecurity overhaul adopted in 2016. Next year all companies, including foreign-owned companies, must arrange and manage their computer networks so the Chinese government has access to every bit and byte of data that is stored on, transits over, or in any other way touches Chinese information infrastructure. Put simply, the Chinese government will have lawful and technical access to all digital data within its borders and perhaps large amounts of data beyond its borders. Companies have long known that their intellectual property, or IP, their trade secrets and even their communications are highly sought by their market competitors in Asia and by the
Chinese government particularly. Many risks are accepted as a price for doing business in China. Those risks that are deemed unacceptable are mitigated by security technologies and networking strategies that hide critical information from prying eyes. All of these technologies, under the new law, will be illegal. For example, it is currently commonplace for a company operating in China to set up virtual private networks on which their data and communications are stored in an encrypted pipe that outsiders cannot crack or intercept. These VPNs and the underlying encryption, to the degree they prevent access by the Chinese government, will no longer be allowed. There will be no truly private encrypted messaging in China, no confidential data, no trade secrets. If a company operates in
China, it will be required to operate in such a way as to give the country's intelligence officers and authorities unfettered digital access. The days of paying the IP tax are over. This access will now cost you everything. This precisely is the Chinese plan. To put it simply, our long-term economic and national security must account for and roll back a sustained campaign of cyber-enabled economic warfare, the likes of which will take a giant leap forward in just two months. I have provided ample information in my submitted testimony, and I'm happy to answer your questions to the best of my abilities.
>> Thank you. Thanks to all of the witnesses. I would like to start with TikTok, if we could, and what they're doing with all of the data they collect from American users. For one thing, I want to get on the record that TikTok is collecting a lot of data, I mean
a lot. Its terms of service state, I will quote, that it collects contact details, content you create and your location. It collects still more from third-party social network providers, and technical and behavioral information about your use of the app. It collects information conveyed in the messages you send through the TikTok platform and information from your phone book. That's a lot of data. It's pretty comparable to what the massive data harvesting machines like Facebook and Google are scooping up. TikTok says they store American user data either here or in Singapore, not in China. Ms. Frederick, let me address this question to you. Assuming the fact that TikTok allegedly stores the data here or in Singapore, that doesn't mean Beijing can't get to it, is that right?
>> So I think the greater question here is the fact that
the laws that apply to the parent company, ByteDance, can serve as essential -- there is a parallel app in China. TikTok, ever since the investigation came to light, has potentially made some moves to sort of extricate their dealings from what actually goes on in China, and to do so explicitly. The app in China is a parallel version of TikTok, but existing in China. They've attempted to shield themselves by saying, hey, everything that people use on TikTok is U.S. or Western friendly-nation based and stored in the U.S., and that kind of thing. ByteDance, the 2015 acquisition of -- what is being invested, right now that is the problem. That's something we need to think about, the law that would apply to TikTok's parent company ByteDance in China.
>> so bytedance is the parent company of tiktok. bytedance is located in china. it's a chinese-based-based company. they are subject to which her tight butt including the 2017 national intelligence law which requires chinese organizations, companies to cooperate with state intelligence work. that's the designation in the law. is that right, mr. kitchen? >> that's correct. as a chinese company, the parent company is completely reasonabls to assume that any individuals information including information ofny american users can be harvested and exploited. just one otherin thing. technically this must be true. a lot of the development of this application is done in china still, even if it has an american front company or operating company. they have to be able to push updates from chinese development into thech u.s. market if they want to have an updated increasingly capable technology. so the idea theyin can somehow meaningfully, technically warden off this information from china
doesn't make sense operationally. >> that's an important point. so much of the app is developed in the content, which is in the efficacy of an china, is pushed to users here and the united states, the parent company is a china-based company. their subject to these restrictions or subject having the doors opened the doors open anytime that the chinese comes party under china's law. as it was put in today's "washington post" article 11 of the government means the chinese government that has over the people who have access to the data, that's what's relevant. do you agree with that? in other words, the p building f beijing to go to bytedance and say you are required under china's law to give us access to all of this data. that means bytedance could scoop up american users data and make that available to beijing. is that fair to say? >> that's without a a doubt tr. >> let mers talk about the ways tiktok of the chinese companies could use this data.
mr. kitchen, a right in thinking that autonomous weapon systems rely on artificial intelligence and they are able to interpret and identify images, correct? >> that's true. >> if china obtains images of our servicemen and women either the social media something like the opm attack, could that have relevance to have a training that i and their autonomous weapons? >> absolutely. in fact, one of the criticism of the image recognition china has developed is that it was seen as center, that perhaps there were not able to operate in western alliances as it might. this would be a way of addressing that the link which it. >> because of the sheer amount of data and a imagery they will get of western users come is that what you're saying. >> was yes, sir. >> my final question for you. i can reach tiktok part of the chinese tech companies are not trojan horses that are gathering data on americans and then sending that information back to china to be collected and gathered and used for the beijing governmentd purposes?
>> you're asking how we can assure that? i'm not sure we can. the law i described simply requires access, and anyone who thinks a chinese company, even if you have an american portion of the company, can look at the government in beijing and tell them no, that's a fundamental misunderstanding of how the government in beijing works.
>> thank you much. senator whitehouse.
>> thank you, mr. chairman. .. business leaders by microsoft and marchant, 37% of firms believe soft industry standards are effective at preventing cyber attacks. and 19% of firms had, quote, no confidence they could prevent cyber threats and 22% had no confidence they could respond to cyber events. is it time to stress test the framework?
>> two things about that survey, which comes from a collaboration with microsoft. one of the things we saw that we think is a positive development is that from 2017, when we did it the first time, to the most recent survey, we have seen the number of people in these enterprises that were surveyed that are aware of the risks they face and the need to take steps has increased significantly. it is not enough and more needs to be done. we were one of the contributors working on that. we believe this framework is a very useful framework, and companies should be assessing their cyber security, and our cyber security as a country, relative to the framework, and i know from discussions with others around industry, one thing is important here.
>> be quick because my time is short.
>> this is complicated, and if you don't have a big it staff it can be hard to implement, and that is why we have built, together with others, simpler tools for small and medium-sized businesses.
>> given the desire of the private sector not to suffer reputational harm when hit by a cyber attack, and the overclassification the federal government indulges in, how accurate do you think the picture is that the american public has of the extent to which our country and companies are under cyber attack?
>> the picture is very incomplete. there are a lot of disincentives to accurate reporting. and they are not obvious to the victims. in many cases the -- it was largely due to the threat environment we faced.
>> you were the leaders of botnet takedowns. i was fighting to get the department of justice to do it. when your first complaint was filed, as recovering lawyers, what a joy it was to read that complaint, and you got to count 6 or something like that, a trespass to chattels, which is a doctrine from the medieval common law, and they were fighting botnets for a long time. what more could the department of justice be doing to continue the process of constant weed cutting that needs to take place? is there any good use for a botnet or is it a weed? what more should we do to weed whack?
>> almost all botnets are weeds. there are some for research purposes and some that could be identified. almost all botnets that meet that standard are weeds that need to be eradicated. there are two things we would like to do to improve this area. one is we need more strategic coordination. when i meet leaders across law enforcement, the intelligence community and dhs we talk about public-private partnership, but we aren't doing enough to realize that, and this is an area where we are committed, and if we could meet strategically to identify the key botnets, how can we join together in a collaborative way? that would be --
>> a botnet in a nutshell is a force multiplier for some evildoer.
>> an evildoer who managed to impact thousands or millions of computers with their malware, and they can coordinate cybercrime without their victims knowing that their computers have been infected. the second thing we need is for the department of justice and fbi to have the right incentives and priorities paid to reducing botnets, to attack botnets even when they can't necessarily get handcuffs on the perpetrators because they are living in countries with no extradition or the other challenges we face. just disrupting the botnets and stopping those criminal enterprises is in itself an important thing to do.
>> finally, something for the moment. i have been arguing we should pursue a coalition of the willing to create international cyber security norms. the obama administration made a mistake trying to bring the russians and chinese into a productive discussion on this subject, like trying to bring a couple of burglars into a discussion on home security. forget them. i would consider it would be wise as a nation to set norms with countries that share our values, and to that end i wonder if you believe the cyber security tech accord the private sector entered into and the cyber peace institute the private sector has also stood up eliminate that need, or whether this is a pursuit government should still engage in.
>> it is absolutely a pursuit government should engage in. the cyber security tech accord is a group microsoft initially set up, but now we have 120 companies around the globe who work together to endorse key principles of cyber security for their customers but also to articulate the view of the tech community on key issues about cyber security policy and appropriate norms. it is a newly established nonprofit to be based in geneva that will do work that is not happening elsewhere in government or the private sector to bring transparency to the impact of nation-state cyber attacks, the human harm these nation-state cyber attacks cause, and to increase resiliency around the world to these attacks. those are both important, but what you said is absolutely right. the united states must join with other like-minded countries to establish enforceable norms of nation-state behavior, and if that means we can isolate countries that refuse to abide by those rules, so much the better. at least we will have that isolation clear, but we need the united states to play a strong diplomatic role. there are two pending united nations efforts underway, one sponsored by the united states and one by russia, to establish norms of conduct for cyberspace, and we are working on both those processes to ensure they are productive and result in useful outcomes, but those are both areas the united states needs to be engaged in, pushing for these norms.
>> even with international sanctions to back up the norms. thank you for letting me go on. this is a good hearing.
>> a few more questions. let me come to you. i'm increasingly concerned about the willingness of some american companies, we are talking about tiktok, to store data and the tools necessary to read that data in china. think about apple for a second, which provides cloud services in china. for a long time apple stored encryption keys in the united states. they moved encryption keys to china for the data stored there. encryption keys, that's what you need to read things.
>> that is correct. if you have encryption keys you can read private communications stored in the cloud.
>> because apple chose to move encryption keys, and text messages, email or other data stored in the cloud. do you agree with that and can you talk about the implications?
>> the short answer is i do agree with that. there is a distinction to be made. the action apple took, for the chinese users, was in compliance with chinese law as you mentioned. you raise a good point, by having unfettered access, the significant access they likely enjoy, to the apple icloud account and technological capabilities, they allow them to do a great deal more. that is a real concern.
>> how does chinese access to encryption keys for data stored in china affect an american communicating with a family member in china?
>> it can be captured.
>> the communication string at issue. if you have an american sending information to friends and family members and business associates, nobody can get to it -- that is not necessarily true, since the encryption keys -- am i correct about that?
>> if there is any chinese node within that loop, that can compromise the network.
>> you alluded to this in your last piece of testimony. would you trust any sensitive data being stored in china? would it concern you if your location data is stored in china, or email data?
>> i assume they have much more data. i don't like that. i don't think that is okay. any person has to make a recognition -- the real change is they are becoming sufficiently big to where it is a problem. until this point it has been theoretical. now we are developing computational capability to exploit this information in ways that are meaningful to the chinese and us citizens.
>> would you say apple and companies like them are compromising interests in data security by storing the data itself in china as well as the encryption keys?
>> i will make two points. any company complying with china's cyber security laws is making decisions that affect more than their bottom line. these decisions are risking our own national security. china imprisoned, tortured and killed religious minorities and political dissidents, and uses compliant companies to do this at scale. operating according to the laws where you do business is only rational to the degree those laws are just. if they were just following the law in nazi germany, that does not excuse them from the consequences of their actions.
>> i'm struck by what you just said, that beijing is using compliant companies to carry out repression. that sums it up.
>> if i may ask two questions. the opm hack is very significant and highly relevant. could you give a minute on what the opm hack was and what it discovered about you, and who did it?
>> i will discuss this as reported in the news. the chinese were responsible for infiltrating and exploiting a number of databases held by the office of personnel management, and they were able, among other things, to exfiltrate what is called the 86 form, which in the government gives everything about yourself. they've got fingerprints and a host of other things. it is hard to scope just how that information could be used in terms of a counterintelligence threat. you could look at the individuals who have been processed, how they have been allowed into the intelligence community. if it was your objective to place a spy within that community, you would have the ability to determine the perfect legend for that person. how do you optimize them to get in with as little difficulty as possible? if you want to build a profile for people in that community, you can do that. we made ourselves feel better that certain agencies weren't involved, but you can use that to discover who they were, if you were under state department cover operating overseas but not in the database. these are the obvious kinds of things. the broader problem is this goes into a broader strategy, the thousand grains of sand strategy, building a mosaic of insight and awareness that is a catastrophic national security concern.
>> it is an american company with access to personal data. they are trying to monetize that. and a foreign government directly seeks the service of providing information they offer. they say trust us, we will do it and hit all the people you want to hit. what are the restraints on an american corporation and on a front corporation for a foreign government?
>> the restraints are insufficient. there is not enough transparency. we don't have granularity as to what these american companies are necessarily collecting. i alluded early on to the bulwark that prevents abuse, the system we have in place that is critical to make sure it isn't exploited. facial recognition is a huge topic in this area. the problem is we haven't figured it out yet. that is what i mean by the rules of the road haven't been set. the us government doesn't really have that much transparency into the behavioral data and everything american companies are sucking up. you work together; public-private partnerships are critical in this way. we need to help you all draft legislation that puts constraints on this, but that means data matters and there should be value for your data propagated throughout the american populace. we need to do better in that regard.
>> willful blindness seems to be a theme among our platforms. they don't want to ask the questions because they don't want to hear the answers. facebook doing something as obvious as selling political advertisements and accepting payment in rubles. you would think somewhere in the genius apparatus somebody might have thought, i am selling political ads in my whole country, the payment is denominated in rubles. what might that mean? they didn't try to look? they didn't want to look? they wanted to cash the rubles and move on. and to improve their genius strategy in trying to prevent foreign interference in our elections, they went all the way to a shell corporation. facebook doesn't even require that the shell corporation buying political advertisement reveal who is behind it. if you were to set up boris and natasha llc with a phony delaware shell corporation, facebook would happily sell you political advertising time. and this business of trying to figure out how to create incentives, it is at stake, something worth our attention.
>> thank you to all the witnesses for being here. we stand adjourned. [inaudible conversations]