Senate Subcommittee Hearing on Corporations' Data Breaches, C-SPAN, November 5, 2019, 2:31pm-3:34pm EST
interns drafting replies to constituents, which would have been unthinkable ten years ago. so i think that i agree with matt. the problem is the resources being available to this, to member offices. for us as a vendor, we've raised prices, i don't know, $35 a month over the last ten years of our crm, even though the cost of hiring and retaining programmers has just kind of gone through the roof. so those are just challenges. we have a lot of these little pains here and there because there are limited resources for member offices. >> terrific. with that, i'd like to thank all of our witnesses for their testimony today. you took what could be a dry subject and made it actually pretty interesting. i also want to thank the select committee staff for their hard work in putting together these hearings and the budget committee for allowing us to use their room.
and thank you for transcribing all that we're doing. and thank you to c-span for covering us. without objection, all members will have five legislative days within which to submit additional written questions. >> just a few moments left in this testimony. we'll go live now to capitol hill for a senate subcommittee hearing on data breaches and cybersecurity. among the witnesses is the vice president for microsoft. this is live coverage on c-span3. >> for two invited witnesses who apparently don't share your commitment to discussing these issues. one is for tiktok. if you don't know what tiktok is, you should. it's a chinese-owned social media platform so popular among teens that mark zuckerberg is reportedly spooked. for facebook, the fear is lost social media market share. for the rest of us, the fear is somewhat different. a company compromised by the
chinese communist party knows where your children are, knows what they look like, what their voices sound like, what they're watching, and what they share with each other. tiktok claims they don't store american user data in china. that's nice, but all it takes is one knock on the door of their parent company based in china from a communist party official for that data to be transferred to the chinese government's hands whenever they need it. tiktok claims they don't take direction from china. they claim they don't censor. in fact, in a letter submitted today to this committee, tiktok said this. no governments, foreign or domestic, direct how we moderate tiktok content. tiktok does not remove content based on sensitivities to china or others. that's what they say.
without objection, i'll enter the whole letter into the record. but that's not what former employees of tiktok say. today "the washington post" is reporting that tiktok's chinese parent company imposed strict rules on what could appear on the app, in keeping with china's restrictive view of acceptable speech. former employees said company officials based in beijing had the final call on whether flagged videos were approved. the former employees said their attempts to persuade chinese teams not to block or penalize certain videos were routinely ignored, out of caution about the chinese government's restrictions. one former bytedance manager, that's tiktok's parent company, said this. they want to be a global company, tiktok, and numbers-wise, they've had that success, but the purse is still in china. the money always comes from
there, and the decisions all come from there. that's sure a different story than the one tiktok has told this committee in this letter. and that's a problem. tiktok should answer for these discrepancies. they should answer to the millions of americans who use their product with no idea of its risks. they should have been here today, but after this letter to this committee, they must now appear, under oath, to tell the truth about their company and its ambitions and what they're doing with our data. the threat isn't just to children's privacy. it's a threat to our national security. we don't know what china can do with this kind of social data in aggregate, what it tells china about our society. they can see who we talk to, what we talk about, where we congregate, what we capture on video. not all of tiktok's users are just kids. some work in government or for the military. others are celebrities or work for major american companies in
positions of influence. what does it mean for china to have a window into such users' social lives? why would we leave that window open? the other empty chair belongs to a company that has helped open china's window on american consumers, apple. we're accustomed in hearings like this one to hearing about apple as a good corporate citizen. it encrypts its messages. it limits its own data collection from users and gives them privacy controls. but apple's business model and business practices are increasingly entangled with china, a fact they would rather we not think too much about. china is essential to apple's bottom line, both on the supply and the demand sides of their business. apple's investments in chinese production have helped build the scientific and manufacturing capacity of america's greatest geopolitical rival. but chinese demand is even more critical. to service that demand, apple is risking compromise with
authoritarianism. the company hosts its chinese users' icloud data in china as part of a joint venture with a chinese government-controlled entity, gcbd. apple frequently talks about encryption, but where are the encryption keys for that data stored? china. apple says it has control of those keys, but who knows what that means. and apple isn't here to tell us. if you've got family in china or business contacts there, you cannot count on imessage encryption to keep your interactions secure from chinese authorities. if you're a uighur or chinese dissident or a protester in hong kong, apple's corporate values won't do much to protect you. in the midst of the hong kong democracy protests, now in their 22nd week, apple pulled an app from its store that helped protesters and citizens stay safe during violent police crackdowns. why? because beijing pushed for it. just a few days later, tim cook
was appointed to chair the board of a chinese university's school. if you're an american user of ios, you can't be confident that the chinese government isn't reverse engineering the platform through their privileged access to it via their joint venture with apple. with apple and tiktok, we see two sides of the same coin when it comes to data security, the danger of chinese tech platforms' entry into the u.s. market, and the danger of american operations in china. that's one of the most important subjects we can discuss at today's hearing. how does the tech industry's entanglement with china imperil our data security? i look forward to the witnesses' testimony. thank you for being here. now senator whitehouse. >> thank you, chairman. i welcome all of the witnesses who are here. i have a fairly long history with this issue in the senate, and i can remember when the senate had pretty much close to
zero interest in privacy and data so long as the data was held in private sector hands. we would get quite animated about any data that our national security apparatus might have access to, when by contrast, private platforms had more data on americans than the most intrusive governments in the history of humankind and we paid virtually no attention to it. i'm delighted that wall has come down and that we now see the risks from the huge aggregations of private data in private hands as significant. so i'm delighted this is a topic. i've also been involved in a lot of the efforts for cyber legislation. at one point, we made a lot of progress on a bipartisan bill focusing on critical
infrastructure. my republican counterparts were senator kyl and senator mccain, who was then chairman of armed services. so it was a pretty high-level operation. we made a lot of progress. we had a considerable number of conversations in the scif, where there wasn't a whole lot of news and noise to be made. a lot of good hearts with people from the private sector and from our defense and intelligence agencies. and when push finally came to shove, the republican leader went to the floor and said no cyber bill is coming without repeal of obamacare attached to it. so that ended that effort. then along with chairman mccaul, i was the co-chair of the csis report for the incoming president, which is a very helpful and thoughtful bipartisan cyber analysis. and when president trump came
in, i looked at tom bossert, who i think is a very well-versed, honorable professional in the cyberspace, great technician, and i looked at an attorney general who had come out of the senate and a dni who had come out of the senate. i thought, great, we got a great opportunity here between the substantive knowledge of bossert and political savvy in the senate of sessions and coats to get a real bill going. and of course, as you know, all of that has fallen apart. none of them work for the administration any longer, and i honestly couldn't tell you who i should go talk to in the administration about cyber legislation, so low is their apparent level of interest. so i hope that we're finally in a good space to start doing some real work here. i have remarks that i'd like unanimous consent to put into the record. i want to make a procedural
point here. in the committees, particularly the judiciary committee, we ordinarily operate one of two ways. we either say this is going to be a bipartisan hearing and work together and agree on all the witnesses. it's a consensus panel. and the shape of the hearing is agreed to beforehand. or you don't go that way and do a partisan way and there's a kind of informal rule that, you know, one side gets so many witnesses, the other side gets the opposite. the minority doesn't think its views are being fairly expressed by the majority witnesses. they can call witnesses of their own, and you get a divided panel, but they're often interesting. this is a bit of a hybrid. until last week, we had bipartisan agreement on two panels. all of that changed rather rapidly. i'm not going to get too excited about all of this because the chairman has expressed an interest in trying to make sure that the administration witnesses, who we had scheduled, will be rescheduled.
i hope that is true. and the panel that actually is here is a panel that was agreed to in bipartisan fashion, but i do believe if we're going to be doing these bipartisan hearings, then we should see that through all the way through the hearing and not follow the bipartisan path down until the week before and then have sudden, unexpected changes made. so i just want to flag that, mr. chairman. because i think you and i have done good work and good hearings before. i want to make sure that our ground rules as chair and ranking member for these hearings are clear with each other. i'm delighted to go forward with this hearing. i appreciate your leadership in this area. i just want to be very cautious about the hybrid, we're-a-bipartisan-hearing-until-at-the-last-minute-we're-not way of doing business. thank you. >> thank you, senator whitehouse. thank you for your long work on this issue. the senator is alluding to the
common goal we both share, which is to have government administration officials come and testify to this committee. that is a goal that i share and that i look forward to doing with senator whitehouse. we hope for their full cooperation. now let me turn to introduce the witnesses. mr. tom burt is corporate vice president of customer security and trust at microsoft. there he leads engineers, lawyers, policy advocates, project managers, business professionals, data analysts, and cyber crime investigators. mr. burt joined microsoft in 1995 and has held several leadership roles in the corporate, external, and legal affairs department. mr. will carter is deputy director of the policy program for the center for strategic and international studies. his research focuses on cyber and technology policies, including artificial intelligence, surveillance and privacy, data localization, cyber conflict and deterrence, financial sector cybersecurity, and law enforcement and technology, including
encryption. ms. kara frederick is a fellow at the national security program for the center for a new american security, cnas. before joining cnas, she helped create and lead facebook's global security counterterrorism analysis program. she was also the team lead for facebook headquarters' regional intelligence team. prior to facebook, she served as a senior intelligence analyst for a u.s. naval special warfare command and spent six years as a counterterrorism analyst at the department of defense. -- as heritage's first senior fellow for technology, national security, and science policy, his research focuses on the intersection of technology and national security with particular interest in artificial intelligence, autonomous weapon systems, space, and intelligence issues. prior to joining heritage, mr. kitchen was national security adviser to senator ben sasse. thank you all for being here. in keeping with the tradition of the committee, i'll swear you in.
if you would rise and raise your right hand. if you'd repeat after me. do you swear or affirm the testimony you're about to give the committee is the truth, the whole truth, and nothing but the truth so help you god? thank you. all right. now we'll hear your opening statements. mr. burt, we'll start with you. >> chairman hawley, ranking member whitehouse, and members of the committee, thank you for the opportunity to testify today. in my comments, i'll focus on the work that microsoft does to combat criminal and nation state cyber attacks. i'll discuss why government and the private sector must work together in new ways to combat these attacks. the frequency and success of cyber crime exploits continues to grow. it's estimated that the global financial impact last year was a trillion dollars, and nation state attacks continue to increase in number, sophistication, and impact. for more than a decade, microsoft has fought back. but we've learned we best protect our customers when we
work collaboratively with government and others in the private sector. government has law enforcement and intelligence resources that the private sector cannot match. but the private sector has access to data and technological resources that governments cannot match. so we must work collaboratively to find innovative solutions. today microsoft's digital crimes unit, truly unique in the private sector, combats business email compromise crime and continues to lead the world in our efforts to shut down criminal botnets. working closely with law enforcement and private sector partners, we've now taken down 17 botnets, rescuing close to 500 million devices from these criminal networks. law enforcement faces unique challenges in combatting these borderless crimes. that's why we were strong supporters of the cloud act, which modernized how cross-border data can be accessed appropriately by law enforcement.
we applaud the agreement recently announced between the united states and the united kingdom implementing the cloud act, and we encourage the department of justice to continue their efforts to negotiate and conclude additional cloud act agreements. despite our past success, we have not seen law enforcement partner with us on recent botnet takedowns. we're concerned that the reward and recognition structures in our law enforcement agencies do not today provide the incentives to devote more and stronger resources to activities that protect victims but do not yield arrests and convictions. we hope congress will provide new incentives for law enforcement to prioritize the disruption and dismantling of criminal networks. in addition, we see increasing nation state attacks causing significant harm to citizens and enterprises around the world. we've used the botnet disruption techniques that we pioneered to disrupt these nation state malign actors who are
intent on destroying democracy. we've disrupted groups operating from russia, china, iran, and north korea. and we will continue to do this important work. disruption is important, but so is improving cybersecurity hygiene. unpatched systems are exploited by our adversaries, so we strongly promote the prompt installation of security updates. we advocate for use of multifactor authentication, and we develop cutting edge ai security services like microsoft defender atp and azure sentinel. we can combat and we can defend, but we also need to reduce how many attacks are launched against our civilians and enterprises. long-term solutions for protecting cyberspace require clear and binding international commitments that define acceptable online nation state behavior. this problem cannot be solved by governments or the private
sector acting alone. multistakeholder solutions are essential to combat what is necessarily a multistakeholder problem. that's why last year microsoft was proud to join in supporting the paris call for trust and security in cyberspace, a voluntary commitment to nine foundational cybersecurity principles, including protecting from cyber-attack critical infrastructure, elections, the public core of the internet and intellectual property. the paris call has been endorsed by more than 65 governments and over 500 enterprises and organizations. unfortunately, the united states has not yet endorsed the paris call. for the sake of the security of american citizens and those around the world endangered by escalating and sophisticated attacks online, microsoft continues to encourage the united states to join this landmark multistakeholder commitment. the private sector and government must work together to
invent 21st century solutions to these uniquely 21st century threats. microsoft stands ready to do our part. thank you and i look forward to your questions. >> thank you, mr. burt. mr. carter. >> chairman hawley, thank you for the opportunity to participate in this hearing on this important topic. threats to private and sensitive data remain one of the most important risks. companies collecting and using data face growing threats from malicious cyber actors and restrictive government policies. the lack of u.s. leadership on global issues of cybersecurity, data governance and digital law enforcement has put companies in a difficult position, between the need to secure data against lawful and unlawful abuse and the need for access. the dangers are growing fast, as more lives move online and connected devices
proliferate, creating new vulnerabilities. offensive cyber capabilities are a must-have in the arsenal of even small governments, and a thriving gray market in offensive cyber capabilities has grown up to feed the need. both the obama and trump administrations have shown a lack of resolve to enforce consequences on nation states that violate norms of behavior and initiate cyber-attacks. cybercrime has become epidemic. csis estimated in 2018 that cybercrime cost $600 billion, nearly 1% of gdp, up 35 percent from 2014, and malicious activity is largely consequence free. only 0.3% of reported cyber-attacks in the united states result in arrest, and cybercrime is a massively underreported crime. cyber-attacks are one of many threats to private and sensitive data. in many ways the more troublesome challenge for u.s. companies is the growth of lawful exploitation of data and
technology by governments. countries wish to enforce laws and protect citizens as they define the goals and expect companies doing business in the countries to enable them to do so. but problems arise for companies when countries lack appropriate governance mechanisms to prevent abuse of the data, when cultural differences lead to clashes between the platform and the global populations they serve, and when governments intentionally utilize commercially available technology for malicious repression. u.s. companies and the u.s. government have developed a range of technologies and policies to combat the challenges. companies utilize technical solutions to render data inaccessible to government processes. the u.s. government has protected data through the electronic communications privacy act, preventing disclosure of data to foreign governments unless that government submits a mutual legal assistance request through the u.s. government.
but this approach has significant costs and tradeoffs. implementing technical solutions preventing companies from disclosing data to governments to prevent abuse is great, except it prevents companies from providing data that could prevent serious crimes and terrorism. the rollout of end to end encryption on facebook messenger will render many tools to combat child pornography on messenger ineffective, requiring new strategies. and policies like data localization, backdoor encryption mandates and data retention requirements that companies pursue to preserve access to data can lead to worse outcomes for everyone. when governments can't access data through lawful means, many turn to cyber-attacks to fill the gaps. the u.s. government must play a role in tracing threats to data security, unlawful and lawful, around the world. as senator whitehouse mentioned, in 2015 he chaired a cyber policy task force for the 45th president to strengthen security. its recommendations remain
relevant today. incentivizing cyber hygiene, increasing penalties and liability for companies that fail to protect data or sell insecure products, and addressing resource gaps for fundamental research and development can advance cybersecurity around the world. creating serious consequences for malicious actors is essential. we must empower law enforcement to effectively combat cybercrime, and we must demonstrate the political will to consistently impose penalties on nation states for cybercrime, even when it puts a strain on economic relations. the u.s. government must take the lead in developing a functional framework for the world. last year we produced a report called "low hanging fruit: evidence-based solutions to the digital evidence challenge," which outlines a series of recommendations to streamline cooperation between companies and governments and facilitate lawful and appropriate access to data. in appropriate circumstances and with appropriate safeguards this can
reduce the pressure for encryption mandates, data retention requirements and government hacking, and put the spotlight on companies that intentionally exploit data to monitor, marginalize and oppress citizens. i thank you for the opportunity to testify and look forward to questions. >> thank you, mr. carter. ms. frederick. >> chairman hawley, ranking member whitehouse -- there we go. distinguished members of the subcommittee, thank you for the opportunity to testify today. i am here because the growing contest between free, open societies and closed, repressive regimes is playing out on the digital front, and our data will make all the difference. when i worked at a big five tech firm in silicon valley, the saying went: we can do more in one day than others can in a week. much of that outsized impact was the result of the volume and variety of data at our fingertips and what we could do with it. my experience with digital intelligence collection and analysis as a member of the u.s.
intelligence community similarly impressed upon me the great advantage of data security but also what can happen when data vulnerabilities are exploited. many talented people work in america to get it right, and it's imperative we do so. the context of our work is before us. technology is being repurposed abroad to undercut its original liberalizing potential. the chinese government uses digital systems to enable pervasive surveillance and exacerbate gross human rights abuses by targeting uyghurs in china. the consequences of the abuses do not stop in mainland china. beyond its borders, countries are adopting chinese technology to strengthen their own brand of technical illiberalism. further, authoritarian regimes attack democracies. russia is invigorating its campaign of cyber hacks against the united states and europe. iran is following suit.
north korea's efforts have not yet abated. and even as these attack tactics spread around the globe, the technology is evolving, enabling even more sophisticated assaults. synthetic media, realistic bots, machine language models with the potential to generate false information at scale, and automated spearphishing are a foretaste of the difficult challenges to come. yet the united states system of checks and balances is the bulwark against the perversity of technology within our borders. our system offers institutions and practices to act as guardrails on our internal use of technologies, but relying on this system is no longer enough. americans are confronting deep systemic risk when using platforms operating in and owned by companies in countries with a history of cyber espionage and forced tech transfer. private chinese technology companies' ability to resist the government is highly circumscribed at best, due in no small part to a series of national laws and standards, against
the backdrop of a digital environment growing more complex. for instance, technical signatures are becoming less conclusive when it comes to attribution, as we saw when russia hijacked an iranian espionage operation last month, making it more difficult to combat attacks against our systems and respond accordingly. solutions are overdue. if democratic societies do not establish the rules of the road for data security and privacy protections, authoritarians will do it for us. congress should mandate interagency import reviews of technology against criteria encompassing the likelihood of systemic risk. lawmakers should enshrine data protections, especially for biometric data, and incentivize transparency within the government and private sector. private companies play a critical role. the sustained and unfettered access to a high volume and variety of data gives them
inordinate control. american tech companies should adopt a set of rules, norms and guiding principles for the use of technology globally and for interfacing with authoritarian regimes that will not tip the scale in favor of repression. american private companies should treat u.s. national security as their own strategic imperative. thank you, i look forward to the questions. >> thank you, ms. frederick. mr. kitchen. >> thank you for the opportunity to testify before you. when i was in the united states intelligence community, our mission was to collect, to understand, to predict and to shape human behavior and events. those in government call this intelligence. technology companies call this market research, data analysis, audience segmentation or service provisioning. but in reality, in the age of the
so-called knowledge economy, we're all in the intelligence business now. the proliferation of sensors, the deluge of digital data and exponential growth in computational capacity point to previously unimagined possibilities for human thriving and happiness, but the positive outcomes are not the only thing being created. general cybersecurity risks are now combining with increasingly aggressive, hostile foreign actors to create an environment few understand and that even fewer are prepared for. china is a central concern in this regard. for decades, countries like china and russia have pursued a deliberate strategy of using foreign policy and intelligence communities to copy and to steal american technologies. these strategies are starting to produce meaningful results, with several foreign tech companies now legitimately rivaling u.s.
tech leaders in both innovation and market capitalization. if left unaddressed, this could pose a challenge not only to our economic security but also our greater national security. in january, 2020, for example, a new chinese cybersecurity law will go into effect, and companies operating in the country will have no place left to hide. the new law is part of beijing's yearslong effort to expand domestic surveillance programs and is rooted in a massive cybersecurity overhaul adopted in 2016. next year all companies, including foreign-owned companies, must arrange and manage their computer networks so that the chinese government has access to every bit and byte of data that is stored on, transits over or in any other way touches chinese information infrastructure. put simply, the chinese
government will have lawful and technical access to all digital data within its borders and perhaps to large volumes of data beyond its borders. companies have long known their intellectual property or i.p., trade secrets and even communications are highly sought by market competitors in asia and by the chinese government particularly. many of these risks are simply accepted as the price of doing business in china. and those risks deemed unacceptable are mitigated by security technologies and networking strategies that attempt to hide critical information from prying eyes. all of these technologies and strategies under the new law will be illegal. for example, it is currently commonplace for companies operating in china to set up virtual private networks, or vpns, on which data is stored and sent through an encrypted pipe that outsiders can't crack or intercept. the vpns and underlying
encryption, to the degree they prevent access by the chinese government, will no longer be allowed. there will be no truly private or encrypted messaging in china. no confidential data, no trade secrets, no exemptions. if a company operates in china, it will be required to operate in such a way as to provide the country's intelligence and law enforcement authorities unfettered digital access. the days of paying the i.p. tax for access to the world's fastest growing market are over. this access will now cost you everything, and that is precisely the chinese plan. to put it simply, our long-term economic and national security must account for and roll back a sustained campaign of cyber-enabled economic warfare, the likes of which will take a giant leap forward in just two
months. i have provided amplifying information in my submitted testimony and am happy to answer your questions to the best of my abilities. thank you. >> thank you, mr. kitchen, and thanks to all of the witnesses. i'd like to start with tiktok if we could and what they're doing with all of the data that they are collecting from american users. for one thing i want to get on the record that tiktok is collecting a lot of data. its terms of service, i'm quoting now, say that it collects contact details, content you create, and your location. it collects, still quoting, from third party social network providers and technical and behavioral information about your use of the platform. and it collects information contained in the messages you send through the tiktok platform, and information from your phone book. that's a lot of data. pretty comparable to what the massive data harvesting machines like facebook and google are scooping up. now, tiktok says that they store american user data either here
or in singapore, not in china, but ms. frederick, let me address this question to you. the fact that they allegedly store the data here or in singapore, that doesn't necessarily mean that beijing can't get to it. is that right? >> so i think the greater question is the fact that the laws that apply to the parent company, bytedance. that is essentially the problem. there is a parallel app in china, which tiktok, ever since the cfius investigation came to light, has potentially made moves to extricate their dealings with what goes on in china and to do so explicitly. the douyin app in china is basically like the parallel version of tiktok but existing in china. they have attempted to shield themselves by saying, hey, everything that people use on tiktok is u.s. or western friendly nation-based and stored
in the u.s., that kind of thing. but bytedance, the 2007 acquisition of musical.ly is being vetted in cfius right now. that's the problem, that's something we need to think about. the law that klon discussed would apply to tiktok's parent company bytedance in china. >> bytedance, just so the facts are clear, bytedance is the parent company of tiktok, located in china. it's a chinese-based company. they are subject to the laws mr. kitchen you were talking about, including the 2017 national intelligence law, which requires chinese citizens and companies to cooperate with state intelligence work. that's the designation in the law. is that right, mr. kitchen? >> that's right, correct. as a chinese parent company, it's completely reasonable to assume that any individual's information, including the information of american users on the service, can be harvested and exploited. and just one other point, technically this must be true. a lot of the development of the
application is done in china still, even if it has an american kind of front company or operating company. and so they have to be able to push updates from chinese development into the u.s. market if they want to have an updated, increasingly capable technology. and so the idea that they can meaningfully, technically kind of cordon off this information from china doesn't make sense operationally. >> i think an important point. much of the app is developed, and the content, much of what's used in the app, is developed in china, pushed to users here in the united states. the parent company is a china-based company. they are subject to these restrictions, or frankly subject to having the doors opened at any time by china's communist party under china's law. as alex stamos puts it in the "washington post" article, the leverage of the government, meaning the chinese government, it has over the people who have access to the data, that's what's relevant. do you agree with that, mr. kitchen? in other words, the ability of
beijing to go to bytedance, the parent company, and say you are required under chinese law to give us access to all that data, means bytedance could scoop up american users' data and make that available to beijing. is that fair to say? >> that's without a doubt true. >> let me talk about some of the ways that tiktok or other companies could abuse this kind of data. mr. kitchen, am i right in thinking that autonomous weapons systems rely on artificial intelligence, which relies on data? >> yes. >> if it obtains data on the service men or women, or the opm attack, could that have relevance to how they train the autonomous weapons? >> absolutely. one of the criticisms of some of the image recognition that china has developed up to this point is that it was sino-centric, not able to operate in western environments as they might. this would be a way of addressing that deficiency
because of the sheer amount of data and frankly imagery they get of western users. is that what you are saying, mr. kitchen? >> yes, sir. >> this will be the final question for you. how can we ensure tiktok or other chinese companies aren't trojan horses gathering data on americans and sending the information to china to be gathered and collected and used for beijing government purposes? >> you're asking me how we can assure that? i'm not sure we can. the law that i described simply requires access. and anyone who thinks that a chinese company, even if they have an american portion of the company, can look at the government in beijing and tell them no, that's a fundamental misunderstanding of how the government in beijing works. >> thank you very much. senator whitehouse. >> thank you, chairman. one of the things that i've been pushing for is for kind of a stress test of the framework to see how good it is at actually performing its assigned task of
providing critical cybersecurity. i'm reading a survey of 1,500 business leaders by microsoft and marsh, which found only 37% of firms believe that the industry -- 19% of firms had no confidence that they could prevent cyber threats and 13% had no confidence that they could respond to cyber threats. mr. burt, is it time to stress test the nist framework? >> two things about that survey performed with microsoft and marsh. one of the things which we think is a positive development between 2017, when we did it the first time, and then the recent survey, we have seen the number of people in these enterprises that were surveyed that are aware of the risks that they face and the need to take steps has increased significantly. and that's a good thing.
>> but it is not enough. >> more needs to be done, absolutely. the nist framework, we were one of the contributors to the nist framework. we believe it's actually a very useful framework for -- >> beats having nothing before. >> and companies should be assessing cybersecurity maturity. we do. it's one of the things we regularly assess, our cybersecurity maturity as a company relative to the framework. i know from discussions around the industry in general, increasingly companies are adopting and using it. >> thank you. >> i would say one thing important. >> be quick because my time is short. >> it's very complex. the nist framework is complicated. if you don't have a big i.t. staff it can be hard to implement. >> that's correct. >> that's why we built in industry, with others, simpler tools for small and medium size businesses to apply a simpler version of the nist framework, but we need more
attention paid to that. >> mr. kitchen, between the desire of the private sector not to suffer reputational harm when hit by a cyber-attack and the overclassification that the federal government indulges in, how complete do you think the picture is that the american public gets of the extent to which our companies and country are under cyber-attack? >> i think the picture is very incomplete, partly because there are a lot of disincentives to accurate reporting by companies, partly because there is no clear mechanism for consolidation of the reporting, partly because many types of attacks aren't obvious to victims, and partly because in many cases the information that is shared is anonymized to the point that it's largely useless in understanding the threat environment we face. >> back to you, mr. burt. you guys were the leaders in botnet takedowns. i was fighting to get the department of justice to do more
on botnets back then when your first complaint was filed. i was telling chairman hawley -- we're both recovering lawyers -- what a joy it was to read that complaint, a, because it existed and, b, because when you got to count, i don't know, 6 or something like that, there was a count of trespass to chattels, which is a doctrine from the medieval english common law that i probably slept through in my foundations of property law class. but clearly microsoft has been a leader in fighting botnets a long time. what more could the department of justice be doing now to continue the process of constant weed cutting that needs to take place to strip -- first, is there any good use for a botnet? or is it a weed? and second, what more should we do to weed whack them? >> almost all botnets are weeds, senator whitehouse.
there are some for research purposes and others, but those can be identified. in our view almost all botnets meeting that standard are weeds and need to be eradicated. there are two things we would like to do with the department of justice and law enforcement to improve this area. one is we need more strategic coordination. when i meet with leaders across law enforcement, in the intelligence community, d.h.s., here we talk about public private partnership, but we aren't doing enough to realize that. and this is an area where we are committed, and we know that if we could meet strategically to identify what are the key botnets, the most impactful and serious ones, how can we join together and in a collaborative way do something about that? that would be step one. >> a botnet in a nutshell is a force multiplier for some evildoer. >> an evildoer who managed to infect thousands or millions of computers with their malware. >> and can deploy those computers. >> and they can coordinate cybercrime across all those computers without the victims even knowing that their
computers have been infected. and the second thing we need is for the department of justice and fbi to have the right incentives and the right priorities paid to reducing botnets, to attack botnets, even when they can't necessarily get handcuffs on the perpetrators because they are living in countries with no extradition, or the other challenges that we face in this space. just disrupting the botnet alone and stopping those criminal enterprises is in itself an important thing to do. >> and finally, if i may go over a moment. >> yes, you may. >> i've been arguing for quite some time that we should pursue a coalition of the willing to create international cybersecurity norms. i think the obama administration made a mistake trying to bring the russians and chinese into a productive discussion on this subject. it's a little bit like trying to bring a couple of burglars into a productive discussion on home security. forget them. i would consider that it would
be wise for us as a nation to try to set norms with countries that share our values in a secure and safe internet. and to that end i'm wondering if you believe that the cybersecurity tech accord that the private sector entered into and the cyberpeace institute eliminated that need, or whether this is a pursuit government should engage in. >> it's absolutely a pursuit government should engage in. the cybersecurity tech accord is a group that microsoft initially set up, but now we have over 120 companies from around the globe who work together to endorse key principles of cybersecurity for customers, but also to articulate the view of the tech community on key issues about cybersecurity policy and appropriate norms. the cyberpeace institute is a newly established non-profit to be based in geneva that is going to do work not happening
elsewhere in the government or private sector to bring transparency to the impact of nation state cyber-attacks, the harm, the human harm that the nation state cyber-attacks cause, and the work to increase resiliency around the world to those attacks. those are both important. but what you said is absolutely right. the united states must join with like minded countries to establish norms of behavior. if we can isolate the countries refusing to abide by the rules, so much the better. at least we have that isolation clear. but we need the united states to play a stronger diplomatic role. there are two pending united nations efforts underway, one initially sponsored by the united states and one by russia. they're working side by side to try to establish norms of conduct for cyberspace. and we are working on both of those processes to try to ensure that they are productive and result in useful outcomes. but those are both areas we need
the united states to be actively engaged in pushing for the norms. >> maybe even with international sanctions to back up the norms. mr. chairman, thank you for letting me go on beyond my time. this is a good hearing. >> absolutely. i have just a few more questions. mr. kitchen, let me come back. i have become increasingly concerned about the willingness of some american companies, not talking about tiktok, chinese based companies, but american companies, to store data and the tools necessary to read that data in china. and i want to think about apple for a second, providing cloud services in china. for a long time apple stored encryption keys in the united states, but beginning last year it moved its encryption keys to china for the data stored there. let me ask you what i think are simple questions. encryption keys are what you need to read things like protected emails and text messages. is that right? >> that's correct. >> so if you have the encryption keys you can read private communications stored in the cloud. is that -- have i got that
right? >> that's correct. >> now reuters wrote that, because they moved to china, chinese authorities have far easier access to text messages, email and other data stored in the cloud. do you agree with that? and can you talk to us about the implications? >> yes, i think the short answer is i do agree with that. there is a distinction to be made. the apple -- the action apple took was it moved the encryption keys associated with chinese users of the icloud capabilities. it's not all users, it's chinese, and that's in compliance with the chinese law, as you mentioned, senator, of data localization. that being said, in your opening statement you raised a good point that by having the unfettered access, or the significant access that they likely enjoy, they will gain greater insight into the inner workings of apple's icloud accounts and the broader technological capabilities, which could allow them to do more in terms of collecting outside of the borders. that's a very real concern.
>> thank you for that. let me ask you about this. how does chinese access to encryption keys for data stored for chinese users, how does that affect an american sending an email or messages to those in china? >> it can be captured. >> in other words, it -- it could potentially -- the fact that the keys are stored in china could put the whole communications string at issue, right? if you have an american, again here, sending information to friends, family members, business associates, what have you, that whole idea that, messages alone, the fact that it's encrypted nobody can get to it, that's not true since the encryption keys are stored in china for chinese user data. am i correct about that? >> if there is a chinese node within the loop, it compromises the entire network. >> you alluded to this in your last testimony. would you trust any sensitive data stored in china? in other words, would it concern
you if your location data was stored in china, or email data? >> as a member of the intelligence community, after the opm hack i assume they have much of my data. i don't like that. no, i don't think that's okay. i think any person has to make a recognition that is likely the case. and the real change now is that these governments and the technological capabilities themselves are becoming sufficiently big to where that's a real problem. up until this point it's theoretical. now we are developing the computational capability to exploit this information in ways meaningful to both the chinese and u.s. citizens. >> would you say that apple and companies like them are compromising american interests in data security by storing both the data itself in country in china as well as the encryption keys? >> so if i might, i'll make two
points. any company complying with china's cybersecurity laws is making decisions affecting more than their bottom line. these decisions are now risking our own national security. china imprisons and tortures and kills religious minorities and political dissidents, and is using compliant companies to do this at scale. now, operating according to the laws of a country where you do business is only rational to the degree that the laws are just. let's remember, plenty of people were following the law in nazi germany, and it does not excuse them from the consequences of their actions. >> i'm really struck by what you just said, that beijing is using compliant companies to carry out repression at scale. that is -- i think that really sums it up. anything further, senator whitehouse? >> if i may ask two questions. first, mr. kitchen, you mentioned the opm hack. i think the opm hack is very significant and highly relevant to the hearing.
for the sake of the hearing record, could you give a minute on what the opm hack -- the opm hack was and what it discovered about you and other government workers. >> and who did it. >> so i'm going to discuss this as it was reported in the news. >> correct. >> it was publicly reported in the news and has been identified that the chinese were responsible for infiltrating and exploiting a number of databases that were held by the office of personnel management, the federal government's hr organization. and they were able to, among other things, exfiltrate what's called the sf-86 form, which is, people who worked in the intelligence community and government, we fill out a 100 page report giving you everything about ourselves. they got fingerprints and a whole host of other things.
this information -- it's hard to scope just how that information could be used. in terms of, if you thought about it as a counterintelligence threat, you could look at individuals who had been processed with the sf-86, how they had been allowed to enter into the intelligence community, and if it was your objective to place, you know, a spy within that community, well, you would have the ability to determine what is the perfect legend for that person, how do we optimize them to get in with as little difficulty as possible. you now have that information. if you wanted to simply build a profile on the types of people in that community, you could do that. now, there was some original -- we made ourselves feel better by saying certain agencies weren't involved in that information. but by the absence you can use that to discover who they were by exclusion. if you're under a state department cover operating
overseas but not in that database, guess what, they know who you are. these are just some of the obvious things. but the broader problem is that this is going to a broader strategy the chinese are operating, called the thousand grains of sand strategy, building a mosaic of insight and awareness that is a strategic national security concern we haven't dealt with. >> miss fredrick, if an american company has access to enormous amounts of personal data of an american, google or facebook, and is trying to monetize that, what are the constraints on them doing business with either a foreign company that fronts for the government or even a foreign government directly, and selling, as they would to any other customer, the information that they offer or the service of providing information that they offer? because sometimes they don't tell the customer the
information. they just say trust us, we'll do it and hit all the people that you want to hit. what are the restraints on an american corporation doing that with a foreign government or with a front corporation for a foreign government? >> so the problem here is the restraints are deficient. there is not enough transparency. we don't have granularity into what the american companies are necessarily collecting. and i alluded early on to the bulwark that prevents abuse, the system we have in place that's critical to make sure that this data by americans isn't supplied. facial recognition is a huge, huge topic in the area. the problem is we haven't figured it out yet. that's what i mean by the rules of the road haven't been set. the u.s. government doesn't really have that much transparency into the behavioral data, the biometric content, everything that even american companies are sucking up. that is a problem. i think we basically need to
work together. public private partnerships are critical in this way, and we need to draft -- or help you all draft legislation that puts the proper constraints on this, that basically says data matters, that there should be value for your data that is propagated throughout the american populace. i think we need to do better in that regard. >> mr. chairman, i think willful blindness seems to be a theme among our platforms. they don't want to ask the questions because they don't want to hear the answers. when facebook is doing something as obvious as selling political advertisements and accepts payment in rubles, you'd think that somewhere in the genius apparatus somebody might have thought, hmm, i'm selling political ads in my home country and the payment is denominated in
rubles. what might that mean? but they didn't care to look, didn't try to look, didn't want to look. they wanted to cash the rubles and move on. when they improved the genius strategy in private to prevent foreign interference in elections, they went all the way to making you create a shell corporation. but facebook doesn't even require that the shell corporation that's buying the political advertisement disclose who is really behind it. so if you were to set up boris and natasha llc as a phony delaware shell corporation, facebook would happily sell you political advertising time, even though it would be obvious to an ordinary person that something is up. and this business, as miss fredrick said, is that the willful blindness is not a security model, and the united states is at risk. is workings worth our