b"<html>\n<title> - PREPARING FOR THE FUTURE: AN ASSESSMENT OF EMERGING CYBER THREATS</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n   PREPARING FOR THE FUTURE: AN ASSESSMENT OF EMERGING CYBER THREATS\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                     CYBERSECURITY, INFRASTRUCTURE\n                       PROTECTION, AND INNOVATION\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 22, 2019\n\n                               __________\n\n                           Serial No. 116-44\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n       \n                                     \n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                     \n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n                               __________\n                               \n                               \n               U.S. GOVERNMENT PUBLISHING OFFICE \n 40-460 PDF            WASHINGTON : 2020 \n                                \n                               \n                               \n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nSheila Jackson Lee, Texas            Mike Rogers, Alabama\nJames R. Langevin, Rhode Island      Peter T. King, New York\nCedric L. Richmond, Louisiana        Michael T. McCaul, Texas\nDonald M. 
Payne, Jr., New Jersey     John Katko, New York\nKathleen M. Rice, New York           Mark Walker, North Carolina\nJ. Luis Correa, California           Clay Higgins, Louisiana\nXochitl Torres Small, New Mexico     Debbie Lesko, Arizona\nMax Rose, New York                   Mark Green, Tennessee\nLauren Underwood, Illinois           Van Taylor, Texas\nElissa Slotkin, Michigan             John Joyce, Pennsylvania\nEmanuel Cleaver, Missouri            Dan Crenshaw, Texas\nAl Green, Texas                      Michael Guest, Mississippi\nYvette D. Clarke, New York           Dan Bishop, North Carolina\nDina Titus, Nevada\nBonnie Watson Coleman, New Jersey\nNanette Diaz Barragan, California\nVal Butler Demings, Florida\n                       Hope Goins, Staff Director\n                 Chris Vieson, Minority Staff Director\n                                 ------                                \n\n     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND \n                               INNOVATION\n\n                Cedric L. Richmond, Louisiana, Chairman\nSheila Jackson Lee, Texas            John Katko, New York, Ranking \nJames R. Langevin, Rhode Island          Member\nKathleen M. Rice, New York           Mark Walker, North Carolina\nLauren Underwood, Illinois           Van Taylor, Texas\nElissa Slotkin, Michigan             John Joyce, Pennsylvania\nBennie G. Thompson, Mississippi (ex  Mike Rogers, Alabama (ex officio)\n    officio)\n               Moira Bergin, Subcommittee Staff Director\n           Sarah Moxley, Minority Subcommittee Staff Director\n           \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Cedric L. 
Richmond, a Representative in Congress \n  From the State of Louisiana, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     2\nThe Honorable John Katko, a Representative in Congress From the \n  State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Innovation:\n  Oral Statement.................................................     3\n  Prepared Statement.............................................     4\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Oral Statement.................................................     5\n  Prepared Statement.............................................     6\n\n                               Witnesses\n\nMr. Ken Durbin, CISSP, Senior Strategist, Symantec Corporation:\n  Oral Statement.................................................     8\n  Prepared Statement.............................................     9\nMr. Robert K. Knake, Senior Research Scientist, Global Resilience \n  Institute, Northeastern University, Senior Fellow, The Council \n  on Foreign Relations:\n  Oral Statement.................................................    14\n  Prepared Statement.............................................    15\nMs. Niloofar Razi Howe, Senior Fellow, Cybersecurity Initiative, \n  New America:\n  Oral Statement.................................................    20\n  Prepared Statement.............................................    22\nMr. Ben Buchanan, PhD, Senior Faculty Fellow, Center for Security \n  and Emerging Technology, Mortara Center, Assistant Teaching \n  Professor, Georgetown University:\n  Oral Statement.................................................    
28\n  Prepared Statement.............................................    30\n\n\n   PREPARING FOR THE FUTURE: AN ASSESSMENT OF EMERGING CYBER THREATS\n\n                              ----------                              \n\n\n                       Tuesday, October 22, 2019\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n                            Subcommittee on Cybersecurity, \n                                 Infrastructure Protection,\n                                            and Innovation,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 2:11 p.m., in \nroom 310, Cannon House Office Building, Hon. Cedric L. Richmond \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Richmond, Jackson Lee, Langevin, \nRice, Slotkin, Thompson; Katko, Walker, and Taylor.\n    Also present: Representative Joyce.\n    Mr. Richmond. The Subcommittee on Cybersecurity, \nInfrastructure Protection, and Innovation will come to order.\n    The subcommittee is meeting today to receive testimony on \npreparing for the future, an assessment of emerging cyber \nthreats.\n    Mr. Katko. Mr. Chairman, I ask unanimous consent that our \ncolleague from Pennsylvania, Mr. Joyce, be able to fully \nparticipate in today's hearing.\n    Mr. Richmond. Hearing no objection, so ordered.\n    Good afternoon. I want to welcome the witnesses to today's \nhearing on how we seek to balance the benefits of technical \ninnovation with the security vulnerabilities that it may bring.\n    The rapid proliferation of new technology is changing the \nworld. Advancements in artificial intelligence, AI, and quantum \ncomputing will equip us with new tools to defend ourselves and \nbreak down barriers to new research that could improve the way \nwe live and save lives.\n    Unfortunately, one man's tool is another man's weapon. 
\nSophisticated nation-state actors like Russia, China, Iran, and \nNorth Korea have already weaponized new technologies to disrupt \nour democracy, compromise our National security, and undermine \nour economy. As technology improves, so will their ability to \nuse it against us.\n    I am particularly concerned about the impact of new \ntechnologies on our elections. In the lead-up to the 2016 \nPresidential election, Russia mounted an unprecedented \ninfluence and disinformation campaign. They used bots to \nautomatically tweet divisive messages from fake accounts. As we \nmove into the heart of the 2020 election cycle, we must be \nprepared for our adversaries to use AI-generated deepfakes to \ncreate a false history, sow discord, and inject skepticism into \nour National elections.\n    To start, on-line platforms must learn to identify \ndeepfakes and publish policies about how they will handle them. \nAt the same time, we need to educate the public to ensure that \nthey are informed consumers of information.\n    More broadly, ensuring that emerging technologies are \ndeveloped and deployed responsibly requires U.S. leadership, \nand I am concerned that we are not demonstrating that now. For \nyears the Federal Government has cut research and development \ndollars to meet budget caps, and I am worried that countries \nlike China are outpacing our investment. Our failure to put \nmoney into R&D may cost us not only our strategic advantage as \nthe world's leader in technology, but the global influence that \nstems from it.\n    What is most alarming, however, is the lack of attention \nthat this administration is giving to this important National \nsecurity issue. Despite the fact that our intelligence agencies \nhave confirmed that nation-state actors are utilizing their \nemerging technology for their strategic advantage, the \nadministration annually slashes R&D funding under the false \npremise that the private sector will make up the difference. 
\nMaintaining U.S. leadership in this space will require \ndirection, coordination, and money from the Federal Government.\n    Before I close, I want to address a final issue that is \ncausing concern in my district and others like it: How AI and \nautomation will affect the work force. Automation has already \ndecreased availability of jobs in the labor market, and I worry \nabout the National and economic security consequences that \ncould result if we do not adequately plan for this transition. \nI look forward to our witnesses' thoughts on this important \nissue today.\n    The success of our Nation and economic security rests on \nwhether the Federal Government can effectively partner with its \nallies, State and local partners, and the private sector to \ndevelop policies that both incentivize investment in emerging \ntechnology, and manage the risk associated with it when it \nfalls into the hands of our adversaries.\n    I look forward to understanding how this committee can \nassist in the development of safe, secure, and responsible \ntechnologies.\n    [The statement of Chairman Richmond follows:]\n                 Statement of Chairman Cedric Richmond\n                            October 22, 2019\n    The rapid proliferation of new technology is changing the world. \nAdvancements in artificial intelligence (AI) and quantum computing will \nequip us with new tools to defend ourselves and break down barriers to \nnew research that could improve the way we live and save lives. \nUnfortunately, one man's tool is another man's weapon. Sophisticated \nnation-state actors like Russia, China, Iran, and North Korea have \nalready weaponized new technologies to disrupt our democracy, \ncompromise our National security, and undermine our economy. As \ntechnology improves, so will their ability to use it against us.\n    I am particularly concerned about the impact of new technologies on \nour elections. 
In the lead-up to the 2016 Presidential election, Russia \nmounted an unprecedented influence and disinformation campaign that \nused bots to automatically tweet divisive messages from fake accounts. \nAs we move into the heart of the 2020 election cycle, we must be \nprepared for our adversaries to use AI-generated ``deepfakes'' to \ncreate a false history, sow discord, and inject skepticism into our \nNational elections. To start, on-line platforms must learn to identify \n``deepfakes'' and publish policies about how they will handle them. At \nthe same time, we need to educate the public to ensure that they are \ninformed consumers of information. More broadly, ensuring that emerging \ntechnologies are developed and deployed responsibly requires U.S. \nleadership, and I am concerned that we are not demonstrating that now.\n    For years, the Federal Government has cut research and development \ndollars to meet budget caps, and I am worried that countries like China \nare outpacing our investment. Our failure to put money into R&D may \ncost us not only our strategic advantage as the world's leader in \ntechnology development, but the global influence that stems from it. \nWhat is most alarming, however, is the lack of attention that this \nadministration is giving to this important National security issue. \nDespite the fact that our intelligence agencies have confirmed that \nnation-state actors are utilizing the emerging technology for their \nstrategic advantage, the administration annually slashes R&D funding \nunder the false promise that the private sector will make up the \ndifference. Maintaining U.S. leadership in this space will require \ndirection, coordination, and money from the Federal Government. Before \nI close, I want to address a final issue that is causing concern in my \ndistrict and others like it: How AI and automation will affect the \nworkforce. 
Automation has already decreased the availability of jobs in \nthe labor market, and I worry about the National and economic security \nconsequences that could result if we do not adequately plan for this \ntransition. I look forward to our witnesses' thoughts on this important \nissue today.\n    The success of our National and economic security rests on whether \nthe Federal Government can effectively partner with its allies, State \nand local partners, and the private sector to develop policies that \nboth incentivize investment in emerging technology and manage the risks \nassociated with it when it falls into the hands of our adversaries. I \nlook forward to understanding how this committee can assist in the \ndevelopment of safe, secure, and responsible technologies.\n\n    Mr. Richmond. I will now recognize the Ranking Member of \nthe subcommittee, the gentleman from New York, Mr. Katko, for \nan opening statement.\n    Mr. Katko. Thank you, Mr. Chairman, and thank you for \nhaving me here today, and thank you for the witnesses. I \nappreciate you coming today.\n    During my time as a Federal prosecutor over 2 decades I saw \nfirst-hand how criminals evolved and adapted to changes. As I \nhave learned about the cyber landscape as Ranking Member of \nthis subcommittee, I have been amazed at the number and \ndiversity of the cyber threats we face today. These threats are \nalways evolving and adapting to new obstacles, new protections, \nnew tactics, and new technologies.\n    All levels of government, Federal, State and local, as well \nas our allies around the globe, the private sector, academia, \nand nonprofits must work together in order to protect against \nemerging cyber threats.\n    Today's technologies have a number of vulnerabilities that \nmust be protected from bad actors. In the first 6 months of \nthis year more than 4 million records have been exposed due to \ndata breaches. Ransomware attacks have doubled in 2019 in my \ndistrict. 
Syracuse School District, for example, and the \nOnondaga County Library System both suffered ransomware attacks \nfrom unknown threat actors in the last month.\n    More citizens than ever are falling victim to phishing \nattacks and malware. Cyber crime made up 61 percent of the \nattacks that cybersecurity firm CrowdStrike saw between January \nand June of this year. These are just the attacks and \nstatistics that we are aware of. Many experts believe incidents \nto be vastly under-reported.\n    These threats are persistent, complex, and on the rise. \nCybersecurity must constantly evolve in order to provide \nprotection. As evidenced by the number of incidents this year \nalone, this is a difficult endeavor that cannot be done without \nhelp. As I heard from my constituents in my district, companies \nand local government entities need assistance and guidance to \nidentify, protect against, and recover from certain current \ncyber threats.\n    These are just the threats we see with our current \ntechnology. Our cyber landscape is becoming increasingly \nsophisticated, and new innovations are being introduced every \nday. These advances have put cybersecurity out of reach for \neven more small, medium, and large businesses, as well as State \nand local governments who simply cannot afford it.\n    It is estimated that 22 million internet of things devices \nwill be on-line by 2025. 5G deployment is just around the \ncorner. Artificial intelligence and machine learning, while \nmaking impacts today, are projected to have even more of an \nenormous effect on our lives in the years ahead. Quantum \ncomputing, which is a huge concern, is on the horizon. These \nemerging technologies will undoubtedly present new and evolving \ncyber threats. 
While we are staying vigilant and working to \nprotect against current hazards, we must also be preparing for \nour future ones.\n    Our first step is to better understand these new threats, \nand this hearing is a very good start.\n    I am also working to educate my colleagues on the \nchallenges and opportunities of the internet of things. I am \nthe co-chair of the Internet of Things Caucus, and have spent \ntime learning from Syracuse University about the quantum \nresearch they are working on in partnership with the Air Force \nResearch Lab. I will do more to seek out opportunities to \nimprove our cybersecurity against current and emerging threats.\n    I want to thank the Chairman for holding this important \nhearing today, and to our witnesses here to help us understand \nthe emerging threat landscape.\n    In closing, I would like to note that I view the cyber \nadvancements much differently than I view other products in our \ncommodity market. A lot of products, like in the automobile \narena, they consider the safety aspects along with emerging \ntechnology in the cars. They are--they don't always do that \nwith cyber technology, and we are constantly playing catch up. \nThat is why it is really important that the Chairman and myself \nand others on this committee work diligently to get the \ninformation we need to try and catch up to the advancements in \ntechnology, which always seem a couple of steps ahead.\n    [The statement of Ranking Member Katko follows:]\n                 Statement of Ranking Member John Katko\n                             Oct. 22, 2019\n    During my time as a Federal prosecutor, I saw first-hand how \ncriminals evolved and adapted to changes. As I have learned about the \ncyber landscape as Ranking Member of this subcommittee, I have been \namazed at the number and diversity of the cyber threats we face. These \nthreats are always evolving and adapting to new obstacles, new \nprotections, new tactics, and new technologies. 
All levels of \nGovernment--Federal, State, and local, as well as our allies around \nthe globe--the private sector, academia, and non-profits must work \ntogether in order to protect against emerging cyber threats.\n    Today's technologies have a number of vulnerabilities that must be \nprotected from bad actors. In the first 6 months of this year, more \nthan 4 million records have been exposed due to data breaches. \nRansomware attacks have doubled in 2019--in my district, Syracuse City \nSchool District and the Onondaga County Library System both suffered \nransomware attacks from unknown threat actors last month. More citizens \nthan ever are falling victim to phishing attacks and malware. Cyber \ncrime made up 61 percent of the attacks that cybersecurity firm, \nCrowdstrike, saw between January and June of this year. These are just \nthe attacks and statistics that we are aware of; many experts believe \nincidents to be under-reported.\n    These threats are persistent, complex and on the rise, and \ncybersecurity must constantly evolve in order to provide protection. As \nevidenced by the number of incidents in this year alone, this is a \ndifficult endeavor that cannot be done without help. As I heard from \nconstituents in my district, companies and the local government \nentities need assistance and guidance to identify, protect against, and \nrecover from current cyber threats.\n    And these are just the threats we see with our current technology. \nOur cyber landscape is becoming increasingly sophisticated and new \ninnovations are being introduced every day. These advances could put \ncybersecurity out of reach for even more small, medium, and large \nbusinesses as well as State and local governments.\n    It is estimated that 22 million internet of things devices will be \non-line by 2025. 5G deployment is just around the corner. 
Artificial \nintelligence and machine learning, while making impacts today, are \nprojected to have even more of an enormous effect on our lives in the \nyears ahead. Quantum computing is on the horizon.\n    These emerging technologies will undoubtedly present new and \nevolving cyber threats. While we are staying vigilant and working to \nprotect against current hazards, we must also be preparing for future \nones. Our first step is to better understand these new threats and this \nhearing is a good start. I am also working to educate my colleagues on \nthe challenges and opportunities of the internet of things, am the co-\nchair of the IOT Caucus, and have spent time learning from Syracuse \nUniversity about the quantum research they are working on in \npartnership with the Air Force Research Lab. And I will do more to seek \nout opportunities to improve our cybersecurity against current and \nemerging threats.\n    I thank the Chairman for holding this important hearing today and \nto our witnesses here to help us understand the emerging threat \nlandscape. I look forward to our discussion and yield back.\n\n    Mr. Katko. So with that, I yield back, Mr. Chairman.\n    Mr. Richmond. The gentleman yields back. I now recognize \nthe Chairman of the full committee, the gentleman from \nMississippi, Mr. Thompson, for an opening statement.\n    Mr. Thompson. Thank you very much. Good afternoon. I would \nlike to thank Chairman Richmond for holding today's hearing on \nemerging cyber threats.\n    I have served on the Homeland Security Committee since its \ninception. Over that period of time I have watched the tactics \nour adversaries use against us evolve, and the threat landscape \ngrow.\n    As new network devices and information technologies enter \nthe marketplace, many become so mesmerized by their potential \nfor good that we fail to appreciate and plan for the security \nconsequences. 
Although I am encouraged that we are having more \nconversations about the nexus between technology and security \ntoday, there is still much to be done. So I commend Chairman \nRichmond for holding today's hearing.\n    When this committee was established a decade-and-a-half ago \nwe focused our efforts on defending against physical attacks \ncommitted by terrorists who would readily claim responsibility. \nNow we are faced with cyber threats from state and non-state \nactors who use cyber tools to carry out attacks in secret, blur \nattribution, and complicate our ability to impose consequences.\n    As technology continues to evolve, so too will the tools of \nour adversaries. Last December DHS, DoD, the State Department, \nand the Office of the Director of National Intelligence \nidentified internet of things devices, artificial intelligence, \nand quantum technology as emerging dual-use technologies that \npose a threat to our National security.\n    A month later, then-director of national intelligence, Dan \nCoats, warned that our adversaries and strategic competitors \nwill increasingly use cyber capabilities, including cyber \nespionage, attacks, and influence to seek political, economic, \nand military advantage over the United States and its allies \nand partners.\n    Unfortunately, much of what DNI warned us about is, in \nfact, already happening. We know that Russia has relied on the \ncyber capabilities to carry out influence campaigns designed to \ndivide Americans and swing elections. Efforts to manipulate \nAmericans on social media platforms are wide-spread, but \ntechnologically simple.\n    I worry about influence campaigns of the future, where \nRussia uses AI to create deepfakes that make it nearly \nimpossible to discern fact from fiction. 
We know that China has \nengaged in intelligence gathering and economic espionage, and \nhas successfully breached OPM, Navy contractors, and non-\ngovernmental entities, from hotels to research institutions. We \nalso know that China is investing heavily in developing quantum \ncomputing capabilities, which could undermine the security \nvalue of encryption within the next decade.\n    Over the past year the Department of Justice has \nindicated--indicted 2 Iranians for their role in the ransomware \nattack against the city of Atlanta. Microsoft recently revealed \nthat Iran had attempted to breach a Presidential campaign. \nAccording to the U.N. Security Council, North Korea has used \nits cyber capabilities to evade sanctions, stealing $670 \nmillion in various foreign and cryptocurrencies between 2015 \nand 2018.\n    The momentum Russia, China, Iran, and North Korea have \ndemonstrated related to their use of cyber tools shows no sign \nof slowing. We must prepare ourselves to harness the security, \neconomic, and health care benefits that emerging technologies \nlike AI and quantum computing will yield, while defending \nourselves against adversaries who will use technology against \nus.\n    But the Government cannot do it alone. The private sector \nis a critical partner in this effort. I am eager to hear from \nour witnesses how the Federal Government can ensure the \nresponsible deployment of emerging technologies.\n    [The statement of Chairman Thompson follows:]\n                Statement of Chairman Bennie G. Thompson\n                            October 22, 2019\n    I'd like to thank Chairman Richmond for holding today's hearing on \nemerging cyber threats. I have served on the Homeland Security \nCommittee since its inception. Over that period of time, I have watched \nthe tactics our adversaries use against us evolve and the threat \nlandscape grow. 
As new networked devices and information technologies \nentered the marketplace, many became so mesmerized by their potential \nfor good that we failed to appreciate and plan for the security \nconsequences. Although I am encouraged that we are having more \nconversations about the nexus between technology and security today, \nthere is still much to be done. So I commend Chairman Richmond for \nholding today's hearing. When this committee was established a decade-\nand-a-half ago, we once focused our efforts on defending against \nphysical attacks committed by terrorists who would readily claim \nresponsibility. Now, we are faced with cyber threats from state and \nnon-state actors who use cyber tools to carry out attacks in secret, \nblur attribution, and complicate our ability to impose consequences. As \ntechnology continues to evolve, so too will the tools of our \nadversaries.\n    Last December, DHS, DoD, the State Department, and the Office of \nthe Director of National Intelligence identified internet of things \n(IOT) devices, artificial intelligence (AI), and quantum technologies \nas emerging, dual-use technologies that pose a threat to our National \nsecurity. A month later, then-director of national intelligence Dan \nCoats warned that our ``adversaries and strategic competitors will \nincreasingly use cyber capabilities--including cyber espionage, attack, \nand influence--to seek political, economic, and military advantage over \nthe United States and its allies and partners.'' Unfortunately, much of \nwhat the DNI warned about is in fact already happening.\n    We know that Russia has relied on its cyber capabilities to carry \nout influence campaigns designed to divide Americans and swing \nelections. Its efforts to manipulate Americans on social media \nplatforms were wide-spread, but technologically simple. 
I worry about \nthe influence campaign of the future, where Russia uses AI to create \n``deepfakes'' that make it nearly impossible to discern fact from \nfiction. We know that China has engaged in intelligence-gathering and \neconomic espionage, and has successfully breached OPM, Navy \ncontractors, and non-government entities from hotels to research \ninstitutions. We also know that China is investing heavily in \ndeveloping quantum computing capabilities, which could undermine the \nsecurity value of encryption within the next decade.\n    Over the past year, the Department of Justice has indicted 2 \nIranians for their role in the ransomware attack against the city of \nAtlanta, and Microsoft recently revealed that Iran had attempted to \nbreach a Presidential campaign. And according to the U.N. Security \nCouncil, North Korea has used its cyber capabilities to evade \nsanctions, stealing $670 million in various foreign and crypto-\ncurrencies between 2015 and 2018. The momentum Russia, China, Iran, and \nNorth Korea have demonstrated related to their use of cyber tools shows \nno signs of slowing. We must prepare ourselves to harness the security, \neconomic, and health care benefits that emerging technologies like AI and \nquantum computing will yield while defending ourselves against \nadversaries who would use technology against us. But the Government \ncannot do it alone. The private sector is a critical partner in this \neffort. I am eager to hear from our witnesses how the Federal \nGovernment can ensure the responsible deployment of emerging \ntechnologies.\n\n    Mr. Thompson. With that I thank the witnesses for being \nhere today, and I look forward to the testimony, and yield back \nthe balance of my time.\n    Mr. Richmond. Thank you, Mr. Chairman. I want to welcome \nour panel of witnesses.\n    First I am pleased to welcome Mr. 
Ken Durbin, senior \nstrategist for global government affairs at Symantec, where he \nhas provided solutions to the public sector for over 30 years.\n    Next we have Mr. Robert Knake, who is a senior fellow at \nthe Council of Foreign Relations and a senior research \nscientist at Northwestern University's Global Resilience \nInstitute. Mr. Knake served as director for cybersecurity \npolicy at the National Security Council from 2011 to 2015.\n    Next Ms.--Niloofar, is that right?--Razi--which is the easy \npart, Howe is a fellow at New America's Cyber Security \nInitiative. Ms. Howe has been an investor, executive, and \nentrepreneur in the technology industry for the past 25 years, \nwith a focus on cybersecurity for the past 10. Most recently \nMs. Howe served as chief strategy officer and senior vice \npresident of strategy and operations at RSA, a global \ncybersecurity company.\n    Finally, Dr. Ben Buchanan is a senior faculty fellow at \nGeorgetown's Center for Security and Emerging Technology. He \nhas a--he has written journal articles and peer-reviewed papers \non artificial intelligence, attributing cyber attacks, \ndeterrence in cyber operations, cryptography, election \ncybersecurity, and the spread of malicious code between nations \nand non-state actors.\n    Without objection, the witnesses' full statements will be \ninserted into the record.\n    I now ask each witness to summarize his or her statement \nfor 5 minutes, beginning with Mr. Durbin.\n\n  STATEMENT OF KEN DURBIN, CISSP, SENIOR STRATEGIST, SYMANTEC \n                          CORPORATION\n\n    Mr. Durbin. Chairman Richmond, Chairman Thompson, Ranking \nMember Katko, thank you for the opportunity to testify.\n    Assessing emerging threats is important, but we can't \nforget about traditional threats that have been re-purposed; I \nwill address both in my testimony. 
I will start with a couple of
key findings from our 2019 Internet Security Threat Report.
    Email has been a traditional threat vector cyber criminals
constantly re-purpose. The latest exploit is the use of
Microsoft Office attachments to deliver malicious payloads.
Forty-eight percent of malicious email attachments were, in
fact, Microsoft Office documents.
    Attacks on endpoints from the web continue to grow. We saw
a 56 percent increase in web attacks in 2018. By the end of
2018 Symantec blocked more than 1.3 million unique web attacks
on endpoints every day.
    As this committee well knows, supply chain attacks remain a
persistent and serious threat. There was a 78 percent increase
in supply chain attacks, which exploit third-party services and
software to compromise a target.
    Deepfakes, on the other hand, are an emerging threat.
Deepfakes are audio or video recordings created by artificial
intelligence systems and used to make the public believe they
are authentic. Deepfakes are new, and not typically viewed as a
threat to enterprise security. Fake videos, photos, or audio
recordings represent a serious risk to the enterprise, since,
to create convincing deepfakes, you simply need the internet, a
gaming PC, and the right software. A deepfake of a CEO
announcing a layoff or used to order an employee to transfer
funds or intellectual property could hurt their reputation and
their stock price. Until we can identify or block deepfakes,
organizations will be best served implementing rapid response
plans that can be executed as soon as a deepfake is identified.
    Twitter bots have emerged as a threat hiding in plain
sight. Symantec analyzed content released by Twitter originally
posted on their service by the Russian-based Internet Research
Agency. The IRA content was used as part of a Twitter bot
campaign directed against the 2016 U.S. elections.
The
operation was carefully planned, with accounts often registered
months before they were used. The data set consisted of 3,836
Twitter accounts and nearly 10 million tweets. They attracted
almost 6.4 million followers and they, in turn, followed 3.2
million accounts. A core group of 123 main accounts was used to
push out new content, while a larger pool of auxiliary accounts
amplified messages pushed out by the main accounts. One main
account only tweeted 10,794 times, but was retweeted over 6
million times.
    Targeted ransomware has been re-purposed to focus on the
enterprise. During 2018 attacks against organizations rose by
12 percent, but represented 81 percent of all infections that
year. State and local governments were hit hard. The city of
Atlanta was attacked and chose not to pay the ransom. Clean-up
is expected to exceed $10 million. The Colorado Department of
Transportation spent $1.5 million to clean up after their
attack. Two Florida cities took another direction and paid the
ransom, which totaled $1 million between them.
    Targeted attacks have tools to infect a large number of
computers simultaneously, maximizing the number of assets to
improve the chances the victim will pay the ransom.
    Mobile is an example of a kind of self-inflicted threat.
Mobile devices are susceptible to unwanted cyber threats and
threats we allow via app permissions. We looked at apps on both
the Google and Android platforms and found both requested
personal information and access to similar device functions.
Many of these requests were reasonable, but many were excessive
and questionable.
    We looked at a flashlight app which has over 10 million
installs that wanted access to the user's location, contacts,
and permission to make calls. It is difficult to imagine why a
flashlight app needs your contacts, needs to call your friends, or
needs to know your exact location.
Users are opening themselves up to
potential threats, since they grant permission without
understanding what the app developer will do with that data.
    Finally, stalkerware is a type of malware that is secretly
loaded on an unsuspecting victim's computing device, giving
almost total control of the device to an ex-spouse, ex-
boyfriend, or other stalker, who would then know the victim's
exact location, be able to read their emails and texts, and
even turn on their microphone or camera.
    So why is stalkerware commercially available? Publishers of
stalkerware typically advertise their product as parental
monitoring software to keep kids safe. This can certainly be
true when it is used appropriately by a responsible parent.
However, the features built into some of these apps give more
control than parents would need, which makes them ripe for
abuse.
    In closing, emerging threats that try to influence beliefs
or drive behavior need to be assessed along with the re-purposed
traditional threats. The focus of this committee is vital for
our Nation to understand these threats and ensure resources are
allocated to defend against them.
    Thank you for the opportunity to testify, and I would be
happy to take any questions you may have.
    [The prepared statement of Mr. Durbin follows:]
                    Prepared Statement of Ken Durbin
                            October 22, 2019
    Chairman Richmond, Ranking Member Katko, my name is Ken Durbin,
CISSP, and I am a senior strategist for Symantec Global Government
Affairs and Cybersecurity. I have been providing solutions to the
public sector for over 30 years. My focus on compliance and risk
management (CRM) and its application in both the public and private
sector has allowed me to gain insights into the challenge of balancing
compliance with the implementation of Cybersecurity Solutions.
Additionally, I focus on the standards, mandates, and best practices
from NIST, OMB, DHS, etc. and their application to CRM. I spend a
significant amount of my time on the NIST Cybersecurity Framework
(CSF)\1\ and the emerging privacy framework, the DHS Continuous
Diagnostics and Mitigation (CDM) Program and the EU Global Data
Protection Regulation (GDPR).
---------------------------------------------------------------------------
    \1\ NIST Cybersecurity Framework (CSF): Provides guidance to
private companies on how best to prevent, detect, and respond to cyber
attacks.
---------------------------------------------------------------------------
    Symantec Corporation is the world's leading cybersecurity company,
allowing organizations, governments, and people to secure their most
important data wherever it lives. Organizations across the world look
to Symantec for strategic, integrated solutions to defend against
sophisticated attacks across endpoints, cloud, and infrastructure.
Likewise, a global community of more than 50 million people and
families rely on Symantec's Norton and LifeLock product suites to help
protect their digital lives at home and across their devices. Symantec
operates one of the world's largest civilian cyber intelligence
networks, allowing it to see and protect against the most advanced
threats. In my testimony I will discuss the current Threat Landscape,
to include:
  <bullet> Key findings from the 2019 Symantec Internet Security Threat
        Report (ISTR);
  <bullet> Mobile security privacy;
  <bullet> Deepfakes risk to the enterprise;
  <bullet> Twitterbots in the 2016 election;
  <bullet> Targeted ransomware; and
  <bullet> Stalkerware.
                          the threat landscape
    A review of the current threat landscape shows there are
challenging new attacks and threats that need to be addressed.
However,
it also shows that it would not be wise to ignore the traditional
threats we have been dealing with for years. Bad actors are finding new
ways to attack using well-established attack vectors. At the same time
new technologies and campaigns are emerging to exert influence and
drive behavior. I'll address both traditional and emerging threats in
the following sections.
The Internet Security Threat Report
    The Internet Security Threat Report (ISTR)\2\ analyzes data from
Symantec's Global Intelligence Network, the largest civilian threat
intelligence network in the world, which records events from 123
million attack sensors worldwide, blocks 142 million threats daily, and
monitors threat activities in more than 157 countries. The analysis
provides insight into a wide variety of threats and identifies trends
that help inform the public with the goal of helping them avoid risk.
Highlights from the ISTR include:
---------------------------------------------------------------------------
    \2\ https://www.symantec.com/security-center/threat-report.
---------------------------------------------------------------------------
  <bullet> One out of 10 URLs is malicious. That is up from one in 16
        in 2017. Clicking on a malicious URL continues to be a widely-
        used attack vector by attackers.
  <bullet> There was a 56 percent increase in web attacks over 2017. By
        the end of 2018, we blocked more than 1.3 million unique web
        attacks on endpoint machines every day.
  <bullet> On average, 4,800 websites are compromised with formjacking
        software each month.
  <bullet> Formjacking is the use of malicious JavaScript code to steal
        payment card details and other information from payment forms
        on the checkout web pages of eCommerce sites.
        We blocked 3.7
        million formjacking attempts on endpoint devices in 2018.
  <bullet> Supply chain attacks increased 78 percent. Supply chain
        attacks, which exploit third-party services and software to
        compromise a final target, take many forms, including hijacking
        software updates and injecting malicious code into legitimate
        software.
  <bullet> Forty-eight percent of malicious email attachments were MS
        Office documents, up from just 5 percent in 2017. Cyber crime
        groups continued to use macros in Office files as their
        preferred method to propagate malicious payloads in 2018, but
        also experimented with malicious XML files and Office files
        with Dynamic Data Exchange (DDE) payloads.
  <bullet> The number of attack groups using destructive malware rose
        25 percent. Destructive malware is designed to inflict physical
        damage to an organization's network or facility. While still a
        niche area, the use of destructive malware continued to grow.
        Eight percent of groups were known to use destructive tools, up
        from 6 percent at the end of 2017.
Mobile Security
    The average smartphone user these days has between 60 and 90 apps
on their device, and most of them request some sort of information
about the user and the device. They may want to know your name, your
email address, or your real-world address. But because smartphones are
so powerful, they can also get quite a bit more than that, such as your
exact location.
Some apps will even request access to the device's
camera or microphone despite having no legitimate need to use them.
    In order to find out what kind of data your apps may be looking
for, we analyzed the top 100 free apps as listed on the Google Play
Store and Apple App Store on May 3, 2018.\3\ For each we looked at 2
main things: How much personal information was the user sharing with
the app and which smartphone permissions the app accessed.
---------------------------------------------------------------------------
    \3\ https://www.symantec.com/blogs/threat-intelligence/mobile-privacy-apps.
---------------------------------------------------------------------------
    Email addresses are the most common piece of personally
identifiable information (PII) apps were accessing, as 48 percent of
the iOS and 44 percent of the Android apps did so. Username was next,
which was accessed by 33 percent of iOS and 30 percent of Android apps,
followed by phone numbers, which were accessed by 12 percent of iOS and
9 percent of Android apps. Finally, 4 percent of iOS and 5 percent of
Android apps accessed the user's physical address.
    It is often reasonable and necessary to grant apps permission to
access various features on a smartphone. For example, if you want to
take a picture using an app, the app will need permission to use your
device's camera. However, not all permissions are the same. We took a
closer look at permissions that could provide access to data or
resources that involve the user's private information or could
potentially affect the user's stored data or the operation of other
apps.
    Camera access was the most requested permission, with 46 percent of
Android and 25 percent of iOS apps seeking it. That was followed by
location tracking, which was sought by 45 percent of Android and 25
percent of iOS apps.
Twenty-five percent of Android apps requested
permission to record audio, while 9 percent of iOS apps did so. Last,
15 percent of Android apps sought permission to read SMS messages and
10 percent sought access to phone call logs. Neither of these
permissions is available in iOS.
    Apps have permissions because the user granted them by hitting an
``I Agree'' button--usually without considering if certain permissions
make sense, and often without pausing to consider the request at all.
For example: The Android flashlight app ``Brightest Flashlight LED--
Super Bright Torch'', which has 10 million installs, asks for
permissions including precise user location, access to user's contacts,
and permission to directly call phone numbers. It is hard to imagine
why a flashlight app has a legitimate need to copy all of your
contacts, call all of your friends, or know exactly where you are
located. Consumers should pause before they agree to permissions--and
app developers should be very clear about what permissions their app
needs and why it needs them.
Deepfakes
    ``Deepfakes'' are audio or video tracks created or altered by
artificial intelligence (AI) systems and used to make the public
believe they are authentic. Most of the popular examples of deepfakes
show politicians or actors saying or doing things designed to embarrass
or harm reputations. As a result, deepfakes are not typically viewed as
a threat to Enterprise security.
    This is short-sighted. Enterprises do need to pay attention to
deepfakes; fake content like videos, photos, audio recordings or emails
represent a serious risk to individuals as well as the organization.
The technology behind deepfakes has advanced to the point decisions
might be made based on a deepfake, or decisions not made because an
authentic video is thought to be a deepfake.
Deepfakes are particularly
dangerous because there is such a low barrier of entry and because they
are difficult to detect. Until recently, altering videos was expensive
and required significant resources, specialized equipment, and money.
Today, if someone has access to the internet, a gaming PC and the right
software they can produce convincing deepfakes. Specialized
applications have reduced creating deepfakes to a point-and-click
exercise, reducing the need for advanced skills.
    Deepfakes are created using a process based on Generative
Adversarial Networks (GAN). Essentially, a GAN consists of 2 machine-
learning networks that work in an on-going feedback loop where 1
network creates the deepfake and the second one tests the output. The
networks pass the deepfake back and forth making alterations to make it
as realistic as possible. Since the GAN is ``learning'' throughout the
process, the deepfake becomes harder to spot with the naked eye.
    Given the low barrier of entry and that they are difficult to
detect, Enterprises need to understand the risks deepfakes pose to
their organization. For example: A deepfake of a CEO announcing a
massive layoff could cause their stock price to sink. A deepfake could
be used to order an employee to wire funds, or transfer intellectual
property out of the company. Until a proven method to identify or block
deepfakes is developed, organizations will be best served educating
employees about the danger of deepfakes and implementing rapid response
plans that can be executed as soon as a deepfake is identified.
Twitterbots
    In October 2018, Twitter released a massive dataset of content
posted on its service by the Internet Research Agency (IRA) beginning
in May 2014. The IRA is the Russian company behind the social media
propaganda campaign directed against the 2016 U.S. elections.
Symantec
conducted an in-depth analysis of the dataset to learn more about how
the campaign operated.
    The dataset consisted of 3,836 Twitter accounts and nearly 10
million tweets. These accounts amassed almost 6.4 million followers and
followed 3.2 million accounts. The sheer volume of data was enormous,
more than 275 GB.
    Our research\4\ led to a number of interesting findings:
---------------------------------------------------------------------------
    \4\ https://www.symantec.com/blogs/threat-intelligence/twitterbots-propaganda-disinformation.
---------------------------------------------------------------------------
    1. The operation was carefully planned, with accounts often
        registered months before they were used. The average time
        between account creation and first tweet was 177 days. The
        average length of time an account remained active was 429 days.
    2. A core group of main accounts was used to push out new content.
        These were often ``fake news'' outlets masquerading as regional
        news outlets or pretending to be political organizations.
    3. A much larger pool of auxiliary accounts was used to amplify
        messages pushed out by the main accounts. These accounts
        usually pretended to be individuals.
    4. Some operatives may have been making money on the side by using
        monetized URL shorteners to create links. If they did monetize
        the URLs, one account in particular could have generated almost
        $1 million.
    We divided the accounts into two main categories: main accounts and
auxiliary accounts. Each category had different characteristics and
played a different role. We identified 123 main accounts, each having
at least 10,000 followers. Main accounts tended to not be followers of
other accounts.
They were primarily used to publish new tweets.
    We identified 3,713 auxiliary accounts, each having less than
10,000 followers. Auxiliary accounts tended to be followers of
thousands of other accounts. Their main purpose was to retweet messages
from other accounts. Since auxiliary accounts were used to amplify
targeted messages it makes sense they were the larger category.
    A particularly effective account in the dataset was called
TEN--GOP. Created in November 2015, the account masqueraded as a group of
Republicans in Tennessee. It appears to have been manually operated. In
less than 2 years TEN--GOP managed to rack up nearly 150,000 followers.
Despite only tweeting 10,794 times, the account garnered over 6 million
retweets. Only a small fraction (1,850) of those retweets came from
other accounts within the dataset. In other words, almost all of its
retweets came from accounts outside the dataset, meaning many could
have been real Twitter users.
    The Twitterbot campaign is often referred to as the work of trolls,
but the release of the dataset makes it obvious that it was far more
than that--it was highly professional. It was planned months in advance
and the operators had the resources to create and manage a vast
disinformation network. And aside from the sheer volume of tweets
generated over a period of years, its orchestrators developed a
streamlined operation that automated the publication of new content and
leveraged a network of auxiliary accounts to amplify its impact.
Targeted Ransomware
    Ransomware continues to be one of the most dangerous cyber threats
facing any organization. The threat has changed significantly over the
past 2 years, as criminals are increasingly targeting enterprises.
During 2018, while the overall number of ransomware infections was down
20 percent, attacks against organizations (as opposed to against
individuals) rose by 12 percent.
Alarmingly, Enterprises accounted for
81 percent of all ransomware infections in 2018. Targeted attacks have
been particularly hard on State and local government organizations. In
March 2018 the city of Atlanta was attacked and ransomware encrypted
servers that made over a third of the 424 city-wide services
inaccessible. The clean-up costs for the attack are expected to run to
over $10 million. The Colorado Department of Transportation spent $1.5
million to clean up after they were attacked. Two Florida cities that
were attacked took another route--they paid the ransom, which totaled
$1 million between them.
    The number of targeted ransomware attacks has multiplied as new
groups move into this sector. Although targeted ransomware attacks
account for a small percentage of overall ransomware attacks, they
present a far greater risk as a successful targeted ransomware attack
can cripple an ill-prepared organization. These attacks also typically
involve much higher ransom demands, ranging from $50,000 to over $1
million.
    Targeted attacks can result in hundreds of computers encrypted,
backups destroyed, and business-critical data removed from the
organization. Targeted attacks can shut down an organization, leading
to loss of business, reputational damage, and multimillion-dollar
clean-up bills. The number of organizations affected by targeted
ransomware attacks has grown sharply over the past 2 1/2 years. As
recently as January 2017, Symantec observed just 2 organizations a
month being attacked. However, recent months have seen that figure grow
to above 50 organizations a month.
    The SamSam ransomware group was the original targeted ransomware
threat, but was joined in 2018 by another highly-active targeted actor
called Ryuk. In 2019 several additional groups were linked to a series
of highly disruptive attacks in the United States and Europe.
Current
trends indicate that targeted ransomware is attracting a high degree of
interest among cyber criminals, with new groups appearing at an
accelerating pace, motivated no doubt by the success of some recent
attacks. RobbinHood is another new family, first appearing in May 2019.
It was reportedly used in the attack against the U.S. city of Baltimore
that shut down several services, including municipal employees' emails,
phone lines, and on-line bill payments.
    A group known as GoGalocker has used a new breed of targeted
ransomware that appeared in early 2019. Traditional ransomware
attackers cast a wide net using spam campaigns to improve their chances
of finding a victim. GoGalocker selects targets and digs in deep. The
attackers behind GoGalocker appear to be highly skilled, capable of
breaking into the victim's network and deploying a wide array of tools
in order to map the network, harvest credentials, elevate privileges,
and turn off security software before deploying the ransomware. This
process permits the attackers to identify and access a large number of
computers in order to later simultaneously infect them with the
ransomware. The more assets the attacker compromises, the better the
chances are that the victim will pay the ransom.
Stalkerware
    Stalkerware is a type of malware that is secretly loaded on an
unsuspecting victim's computing device giving almost total control of the
device to a bad actor. The bad actor--who can be an ex-spouse, ex-
boyfriend, or other stalker--would then know the victim's exact
location, be able to read their emails and texts, and even turn on
their microphone or camera. Due to the control Stalkerware gives a bad
actor, it is classified as a type of malware--malicious software
designed to gain access to or damage your computer, often without your
knowledge.
    Stalkerware can affect PCs, Macs, and iOS or Android devices.
Although Windows operating systems may be more susceptible to attacks,
attackers are becoming better at infiltrating Apple's operating systems
as well. Stalkerware typically infects a device when the victim accepts
a prompt or pop-up without reading it first, downloads software from an
unreliable source, opens email attachments from unknown senders, or
pirates media such as movies, music, or games.
    So why is Stalkerware available in app stores? Publishers of
Stalkerware typically advertise their product as parental monitoring
software to keep kids safe, and this can certainly be true when it is
used appropriately by a responsible parent. However, any software
surreptitiously loaded onto a device, no matter how well-meaning, is
malicious. Additionally, the features built into some of these apps
give more total control of a device than parents would need and make it
ripe for abuse.
                               conclusion
    New threats are emerging every year--but that does not mean
existing threats have gone away. We need to be vigilant in our defense
against the traditional threats we have battled for years, while
understanding emerging threats and planning defenses accordingly.
Emails have been a persistent attack vector, yet attackers are finding
new ways to use the service against us. Ransomware is not new but the
attacks are becoming more targeted and disruptive. Mobile security is a
threat we allow by granting excessive permissions. Finally, deepfakes
and twitterbots teach us that cyber can be utilized to influence and
force actions from a distance. The focus of the Cybersecurity,
Infrastructure Protection, and Innovation Committee is vital for our
Nation to understand the current threat landscape and ensure resources
are allocated to determine how to defend against them. Thank you for
the opportunity to testify before this committee, and I would be happy
to take any questions you may have.

    Mr. Richmond. Thank you, Mr. Durbin. Thank you for your
testimony.
    I now recognize Mr. Knake to summarize his statement for 5
minutes.

STATEMENT OF ROBERT K. KNAKE, SENIOR RESEARCH SCIENTIST, GLOBAL
 RESILIENCE INSTITUTE, NORTHEASTERN UNIVERSITY, SENIOR FELLOW,
                THE COUNCIL ON FOREIGN RELATIONS

    Mr. Knake. Thank you, Mr. Chairman. I want to break down my
remarks into 3 categories.
    OK, thank you, Mr. Chairman. I want to break down my
comments into 3 categories, what I will call the good, the bad,
and the ugly.
    The good is that I think we are actually making progress in
cybersecurity. Ten years ago, when I wrote my first book on
cyber warfare, it was a dire prognosis for the patient. We
concluded in that that the attacker had an overwhelming
advantage, and that private companies could not possibly
protect themselves from Russian, Chinese, or other state-based
adversaries.
    I think the last 10 years have shown us that, in fact,
some companies are able to manage the risk from even the most
sophisticated adversaries, and they are able to do it day in
and day out. In the last decade we have seen the development,
not just of new technology, but new doctrine and new strategies
and new tactics for defense.
    Most notably, I will call out the kill chain. Right? This
is the basic concept that an adversary doesn't simply need to
compromise a single host, they need to go through a series--
anywhere from 7 to 22 steps, depending on how you count--to
achieve their objective. So, from that perspective, a defender
only needs to detect them at one, and block them at one of
those stages.
    This kind of thinking has allowed us to reverse the notion
that the offense has an overwhelming advantage in this space.
We now have tooling around that. Technology like endpoint
detection and response, end-point protection program that can
automatically identify malware.
These technologies have really
helped us turn a corner for the most sophisticated of cyber
defense programs. That is the good news.
    What we need to do now, of course, is create the incentives
and the structures and the Government enablement to drive these
innovations down into the wider markets so that school
districts and local governments and mom-and-pop businesses are
able to achieve this level of cybersecurity.
    The bad news is, of course, the technology landscape, as
you all know, is rapidly changing. This may mean that, by the
time we get in place these secure systems, these secure
concepts that will help protect the state of play today, the
technical terrain is going to have changed.
    We have talked about IOT, we have talked about AI, and we
have talked about quantum. Those, I think, are the 3 big
changes out there. I would add, with IOT, 5G. Ubiquitous high-
speed connectivity is going to enable so many millions of
devices to be connected.
    What we have seen so far is that, for IOT, it is not really
so much a new technology as a trend toward cheaper computers
and ubiquitous connectivity that is enabling us to put
computers everywhere. What we are not doing is learning the
lessons from the past 20 years of enterprise security and
applying those lessons to the IOT space.
    For artificial intelligence and quantum, the only thing I
can say is we have got to make sure that this is a race between
the United States of America and the Chinese, not a race
between Silicon Valley and the Chinese. The capability that
Silicon Valley is bringing to this fight is immensely important,
but they are acting in their commercial interests, as they
should as private businesses. We need to ensure that we have
the funding there.
    So finally, I would say the ugly of it is Government
intervention in this space.
We have got to make sure that
Government is helping to align market interests in favor of
security. That is going to require doing things that we haven't
wanted to do in this space, like regulate, in part because we
believe that the technology is moving too fast for Government
regulation to keep up.
    I think, though, that there is an answer here, and I think
it is fairly simple. Instead of Government setting requirements
that we know adversaries will target to get around, our goal
needs to be to require outcomes. We can do this through
insurance. We can do this through other financial incentives.
But we have models for this in other spaces that we can apply,
so that the goal should not be to meet a list of Government
requirements for what security looks like, but to achieve an
objective that we know current technology can meet, and that
the market can reinforce companies meeting that objective.
    Thank you very much.
    [The prepared statement of Mr. Knake follows:]
                 Prepared Statement of Robert K. Knake
                       Tuesday, October 22, 2019
                              introduction
    Thank you, Chairman Richmond, Ranking Member Katko, and Members of
the committee for the opportunity to testify on this important matter.
While other witnesses will focus on how the capabilities of specific
threat actors may change and evolve, I would like to focus my remarks
on how the technology landscape may change in the next 5 years and what
that may mean for emerging cyber threats. Before I begin, let me be
clear that the views I represent here are my own and do not represent
my employers or any supporters of my work.
    Looking back over the past decade, there are reasons to be hopeful
for a secure cyber future. When my co-author Richard Clarke and I wrote
Cyber War: The Next Threat to National Security and What to Do About It
a decade ago, we predicted a dire future in cyber space.
Early trends
then indicated to us that our adversaries would develop sophisticated
cyber offensive capabilities and would use these capabilities to
undermine our dominance of conventional military domains. We predicted
correctly that North Korea would emerge, somewhat surprisingly, as a
capable adversary in the cyber domain and highlighted China's on-going
campaign of economic espionage on behalf of its National champion
companies. We of course failed to predict many of the key events that
are top of mind today like Russia's use of the internet to interfere in
elections and sow dissent; however, in my view, our greatest error was
our failure to see the technology trends that have allowed the
defensive community to be able to manage the threat posed by even the
most determined nation-state adversaries.
    In Cyber War, we concluded that private companies could not defend
themselves against determined adversaries because cyber space as a
domain favors the attacker. Conventional wisdom at the time was that an
attacker had all the advantages. An attacker only needed to find one
vulnerable system to succeed whereas the Chief Information Security
Officer (CISO) at a large enterprise had to defend thousands or
hundreds of thousands of systems. This asymmetry was often captured as
the idea that ``the attacker only needs to compromise one vulnerable
system; the defender needs to be perfect.''
    The good news is that technology trends and new doctrine for
cybersecurity have dramatically changed the terrain of cyber space.
Companies at the leading edge of cybersecurity have been able to manage
the threat from even the most sophisticated actors. If these trends
continue and if policy is put into place to correctly align incentives,
it is possible that in 5 years we may view cybersecurity broadly as a
manageable problem.
The bad news is that emerging technologies may once
again favor the attacker, erasing the defensive gains of the past
decade. In my remarks below, I will review the ``good news'' of the
last decade and how these trends can be accelerated and adoption of
better cybersecurity practices encouraged by Congress. I then will
discuss the ``bad news'' of how emerging technology trends like
artificial intelligence, the internet of things and 5G, and quantum
computing could favor the offense. I then provide some thoughts for how
Congress can promote wider adoption of cybersecurity practices that are
on the cutting edge today and shape the future of technology so that
defenders are not left at a disadvantage tomorrow. Finally, I conclude
with a brief review of the projects I am working on today that may help
us build a more resilient cyber future.
                the good news: cybersecurity is possible
    There is an old joke in cybersecurity, attributed to Dmitri
Alperovitch, now the Chief Technology Officer (CTO) of the
cybersecurity firm Crowdstrike. The joke, retold in many formulations,
is always along the lines of ``there are two types of companies: Those
that have been hacked and know it and those that have been hacked and
don't know it.'' That may have been true a decade ago, but today there
are three types of companies: Those that have been hacked and know it,
those that have been hacked and don't know it, and those that are
actively and successfully managing the risk.
    In The Fifth Domain, Clarke and I conclude that the greatest
advance in cybersecurity over the last decade was not a technology but
a white paper. In ``Intelligence-Driven Security'' a group of
researchers and practitioners at Lockheed Martin presented the
processes they had developed for detecting and disrupting adversary
activity along the ``Cyber Kill Chain''.
Published in 2011, the paper
showed how defenders could take the advantage away from adversaries by
breaking down the process by which an adversary attempted to achieve an
objective on a network and building a security program around each of
those steps. Unlike in conventional thinking on cybersecurity where a
network compromise is considered a failure, the Kill Chain methodology
sees that as only one step in the chain. Before an adversary can
exploit an initial host on a network, they must engage in
reconnaissance of the target, weaponize what they have learned into a
package capable of compromising the target and deliver it. After they
have achieved the initial exploitation, they then need to gain
administrative rights, move laterally across the network to find their
target, and then carry out their intended action. That action might
be to exfiltrate data off the network or to destroy operational
systems. Whatever their goal, it is not simply to compromise a single
system.
    The concept of the kill chain has evolved and expanded since first
published. MITRE Corporation has developed the ATT&CK Matrix to further
break down the steps that happen after initial compromise into 22
discrete steps. However you break down the attacker's progression, the
key takeaway should be that detecting and stopping them is possible.
Whether the adversary needs to go through 7 steps or 22, they have to
successfully avoid detection at each stage; defenders only need to
detect them at any one stage. Once the adversary is on the defender's
system, the defender should have the advantage. Gaining that advantage
requires knowing the topology of your system better than the adversary
and being able to detect anomalous behavior within it. This ability to
detect and respond rapidly is what Crowdstrike and other companies have
specialized in.
Endpoint Detection and Response (EDR) has been the
technical capability that has enabled ``threat hunting'' along the kill
chain to occur at scale within enterprises. Managed Detection and
Response companies are rapidly bringing these capabilities to the
middle market.
    Beyond detection and response, newer technologies have the
potential to remove large swaths of risk. When properly deployed and
managed with security in mind, cloud computing, containerization, and
software defined networking, to name just three emerging technologies,
can provide real advantages to defenders. Virtualization can allow new
computing environments to be spun up and down for a specific purpose so
rapidly that gaining a foothold in one of these new environments does
an adversary no good because the environment itself does not persist.
These technologies can also allow for deception campaigns on a massive
scale to create new opportunities for detection and to increase the
work factor of adversaries.
    All this adds up to the potential to make our country, our
companies, and ourselves resilient to cyber attacks. Through the
adoption of secure-by-default technologies we should be able to make it
so that almost all attacks ``bounce off'' and that we can ``bounce
back'' when attacks do succeed. From a policy perspective, what is
needed now are the incentives and requirements to promote the adoption
of these techniques and the technologies beyond the small handful of
companies that are deploying them in a holistic way today. And of
course, this transition needs to occur at a faster rate than
adversaries can adopt new technologies that defeat them.
        the bad news: technology changes could erase these gains
    Just as we may be turning a corner on security, the technology
landscape may change in ways that are not evolutionary but
revolutionary.
By that I mean that the technology coming on-line is not
about the continuation of current trends or even the acceleration of
trends but whole new classes of technology. Artificial intelligence,
quantum computing, and 5G and the internet of things may not
intrinsically favor attackers over defenders but the offense is likely
to adopt technologies that can give them an advantage faster than
defenders and their targets are likely to adopt new technologies in
ways that open up new swaths of vulnerabilities. I would like to now
discuss three such technologies: (1) Artificial intelligence; (2) 5G
and the internet of things; and (3) quantum computing.
Artificial Intelligence
    Arguably, artificial intelligence up until now has been a
technology that has favored the defense. Many of the gains discussed
above in the last decade are due to artificial intelligence
applications within cybersecurity. For instance, the ability of
advanced endpoint protection programs to identify never before seen
malware using machine learning has made the work of adversaries much
more difficult. The bad news is that as the state-of-the-art in
artificial intelligence advances, attackers are likely to use it in
ways that will upend the basis of today's security architectures.
    Deepfakes have made headlines recently in the political world. For
public figures who have thousands of hours of voice and video
recordings available on-line, artificial intelligence can now be used
to piece together snippets of them talking to literally put words in
their mouths. Deepfakes are likely to come into play heavily in the
2020 election and defenses against them are lagging.
Use of AI for
deepfake detection made news over the summer but in this arms race,
adversaries look to have an advantage, tweaking their tools and testing
against deepfake detection technology until they can defeat it.
    Initially, deepfakes required large libraries of voice and video
but as the technology improves, the amount of source data required is
rapidly coming down. That will mean that many of the fundamental
controls we have in place today to combat cyber crime may no longer be
trusted. The cybersecurity community has worked hard to educate
companies about the dangers of wire transfer fraud--to train finance
departments to be suspicious of emails from the CEO ordering them to
wire funds on an emergency basis, for instance. But what if, instead of
compromising the email system, adversaries compromise voice and video
systems, and your boss in her natural speaking voice that you hear
every day, calls you to confirm that she does in fact need you to wire
those funds right now? The ability to create deepfakes from smaller and
smaller sets of source material will make that scenario possible for
many companies in a short period of time. That will mean that the
ultimate root of trust--believing what we see and hear--can no longer
be trusted.
5G and the Internet of Things
    Internet of things (IOT) technology is rapidly being distributed
within critical infrastructure and in homes and businesses in ways that
appear to ignore the security lessons we learned over the last 20 years
within enterprise systems. Coding practices are poor in the space,
firmware is difficult to update, and systems are widely exposed to the
public internet. What's more, with the advent of 5G, massive,
ubiquitous wireless connectivity will mean that many of these devices
will be directly connected to the public internet with no defense-in-
depth built around them.
Within the consumer market, we have seen a
troubling trend of ``set and forget'' connected devices that, after
being set up, are not monitored for security and do not receive updates
to their software after problems are discovered. Unfortunately, this
trend does not appear to be confined to the home IOT market. The same
problem is occurring even within industrial control systems.
Quantum Computing
    Far more than these other two technological shifts, quantum
computing is likely to up-end computer security because it will up-end
computing. A calculation that might take a classical computer several
centuries to complete could be done by a quantum computer in the blink
of an eye. Experimental systems today are showing a lot of promise
toward achieving this kind of capability. Google may already have
achieved what is known as ``Quantum Supremacy'', using a quantum
computer to complete a mathematical equation faster than a conventional
system could.
    Quantum computing has the potential to be extremely disruptive to
security, allowing encryption protocols to be defeated; whether quantum
resistant encryption will be deployed ubiquitously and will prove to
defeat quantum computing is an open question. The combination of
artificial intelligence technology with quantum computing opens some
scary possibilities. More than anything else, Government needs to
ensure that the United States is a leader, not a follower, in the
development of quantum computing.
             the ugly: government intervention is necessary
    For most of the last 20 years, U.S. Government policy across
administrations has largely been about getting out of the way and
hoping that markets would solve cybersecurity problems on their own.
Where Government has intervened, intervention has been uneven and light
touch. Today, I believe we are starting to recognize that markets alone
will not solve our cybersecurity dilemma.
I think it is fair to
conclude that the industries that are doing the best at actively
managing risk in cyber space are also actively regulated: Financial
services and the defense industrial base. Many of the approaches to
security that are working today were pioneered in these sectors.
Driving these innovations to other markets will require creating the
right set of incentives and requirements. I have been pleased to see
that more so than in any previous administration, the current
leadership of the Department of Homeland Security has recognized that
regulation, smartly and carefully implemented, is necessary to drive
the level of security required for our Nation. The Department's
cybersecurity strategy is explicit on this point. In the IOT space, DHS
should lead efforts to regulate the security of IOT devices in the
sectors that it regulates including chemicals, pipelines, and the
maritime industry.
    I believe that the Internet of Things Cybersecurity Improvement Act
would be a good first step toward improving IOT security. The act would
set standards that sellers of IOT technology to the Federal Government
would need to meet as well as establish disclosure requirements when
manufacturers discover vulnerabilities. The approach uses Government's
massive purchasing power to improve security more broadly. Companies
that develop technologies on a ``build once, sell everywhere'' model
will likely meet the Government's requirement for all their commercial
offerings rather than just for those sold to Government. These
requirements, once set, could then be adopted to regulate the use of
IOT in critical infrastructure sectors.
    Fundamentally, however, I believe that setting requirements is
insufficient. We need to make device makers responsible for the full
life cycle of security by making them liable for harm caused by their
devices.
I recognize that this notion is a radical departure from how
we have approached liability within the information technology realm
thus far but now that these devices are making their way into National
security systems and life safety systems, I think it is critical that
we create incentive structures that truly value security. In the next
section, I discuss one effort we have undertaken at the Global
Resilience Institute to create a model for liability for cybersecurity.
    Beyond IOT, the leadership of the Cybersecurity and Infrastructure
Security Agency (CISA) has made election security the agency's No. 1
priority. CISA will need to build on its current efforts to counter
election interference to play a role in combating the proliferation of
deepfakes in the political realm and for enterprise security. Crucial
to this effort will be building strong, operational partnerships with
social media companies that go well beyond today's arm's length
interactions. Steps must be taken to break down the reluctance by
Facebook, Google, Twitter, and other social media companies to truly
partner with Government on this problem.
    For quantum computing and artificial intelligence, Government's
role should be less about managing the cybersecurity implications and
more focused on ensuring that the United States competes and wins in
these technologies. I tend to be skeptical of analogies to arms races
or calls for Apollo Programs or Manhattan projects, but on the basic
science in these fields, those kinds of approaches are warranted. Both
China and Russia have made gaining an advantage in AI a National
priority. China has also done that on quantum. I believe our market-
based approach to technology development comes with real advantages but
in the development of these core capabilities, I worry that a race that
is the Chinese State vs. Silicon Valley is one that Silicon Valley will
lose.
We need a National effort to ensure that U.S. technology
leadership continues into the next decade.
    Each of these lines of effort will take at least half a decade to
produce meaningful results--thus it is crucial that the efforts begin
now.
                        what we are doing at gri
    The challenges we face are large, but they are not insurmountable.
While much work remains to be done, let me take this opportunity to
highlight four efforts under way at the Global Resilience Institute
that may contribute to improving our National cyber resilience over the
next 5 years.
Creating a National Transportation Safety Board for Cyber Incidents
    Resilience is a concept that we have talked a lot about in the
field of cybersecurity but it's a far better-developed idea in other
fields like emergency management and psychology. One of the key
components of resilience I have taken away from studying the concept in
these other fields is the importance of adapting following a bad
outcome. Learning from disasters or even from so-called ``near misses''
is critical to the development of resilience. To this end, as far back
as 1991 practitioners in the field have suggested that Government
should develop the equivalent of a National Transportation Safety Board
(NTSB) for cybersecurity incidents, a ``Cyber NTSB''. Given that this
idea was first suggested 3 decades ago but has yet to reach fruition,
we are planning a workshop, sponsored by the National Science
Foundation, to develop a prototype process for how such an organization
would operate. We plan to hold the workshop in the spring of 2020.
Building a High Assurance Network for Collaborative Defense
    Critical to building resilience is creating a model for
Collaborative Defense. The ``partnership'' that has been the central
tenet of our National cybersecurity policy for 2 decades needs to
evolve to real-time, operational collaboration.
In order for that to
happen, we need collaboration platforms where the members of this
partnership can trust each other. Government needs to be able to trust
that the intelligence it shares will be protected and only shared
appropriately and securely. But private companies need the same degree
of assurance when they share with Government and with each other.
Today, the platforms on which we collaborate, internet-connected,
general purpose computers, are not trustworthy. Moreover, we often do
not know whether we can trust our partners that are using those
computers.
    When I testified before this committee 2 years ago, I discussed
early thinking about how to develop such a network. Today I am pleased
to say that, working with our partners at the Advanced Cybersecurity
Center and with a generous grant from a private foundation, we have
developed a prototype network. This network takes advantage of the
trends in computing that have dramatically lowered cost: Inexpensive
computing at endpoints and cloud computing to provide immense computing
power for analytics and other services. For about $300 a year, we can
provide a high assurance endpoint that can only be accessed by
specified users to connect to a secured, private network for threat
collaboration. This model provides the basis for addressing the issue
of trust in the users and trust in the systems by replicating at far
lower costs many of the design criteria of the Classified networks used
by Government today.
    In my view, the model we have developed should be adopted by the
Department of Homeland Security to create what we have dubbed CInet for
Critical Infrastructure Network. Using existing authorities, the
Secretary of Homeland Security should establish a new safeguarding
standard for Confidential information, the existing level below Secret
in the classification schema.
The standard should be built around the
prototype we have developed which eliminates the most common paths to
compromise (spear-phishing, credential compromise, and watering hole
attacks) and prevents end-users from unintentionally releasing
information through a series of technical controls. Having vetted the
concept with a handful of critical infrastructure companies, we believe
that this model could fit into the current operating models within
critical infrastructure security operating sectors. We also believe
that by harnessing current best practices in the private sector for
continuous monitoring of insider threats, the Secretary could also
promulgate a different standard for granting of clearances at the
Confidential level that would be better, faster, and cheaper. Then
would come the hard part of convincing the intelligence community to
target collection to provide relevant threat intelligence to
participating companies and to downgrade it to the Confidential level.
Designing a Darknet for the Electric Grid
    Many of the same technology trends that could provide attackers an
advantage over the next 5 years can also be harnessed to increase
security for critical infrastructure. Advances like software defined
network (SDN), increased mobile bandwidth with 5G, and artificial
intelligence can enable far higher degrees of assurance for critical
infrastructure than can be attained today. This is the idea behind our
Darknet project to create a separate network for the electric grid
using ``dark'' or unlit fiber optic cables. GRI initially began work on
this concept with a grant from a private foundation and is now
partnering on it with Oak Ridge National Laboratory.
Developing an Insurance Regime that Promotes Better Security
    Cyber insurance was supposed to help drive down risk.
In theory,
the insurance sector, in exchange for providing insurance coverage,
would require companies to prove that the risk they underwrote was
being managed. In practice, as the recent spate of ransomware attacks
on city governments has demonstrated, cyber insurance is simply
transferring the risk and enriching the criminal groups behind the
attacks. Yet, in other sectors, insurance markets have proved
remarkable mechanisms for encouraging risk reduction. Dr. Stephen E.
Flynn, the director of Northeastern's Global Resilience Institute, and
I have been developing a model for insurance that would promote risk
reduction rather than just risk transference. Dr. Flynn, a retired
Coast Guard officer, has posited that the regime put in place under the
Oil Pollution Act of 1990 after the Exxon Valdez oil spill could be
ported over for data security. In other words, we should treat data
spills like oil spills. Under that regime, ships entering U.S. waters
must provide proof in the form of a Certificate of Financial
Responsibility that their owners or their guarantors in the insurance
industry have the financial resources to cover the cost of cleaning up
an oil spill should containment on their vessel fail. Notionally,
owners of data could be required to take out insurance policies to
cover the full societal cost should they fail to protect the data that
they hold. In this thinking, Congress could establish a dollar figure
per record and then require holders of personal data to obtain
insurance to cover those losses. From there, market mechanisms would
take over to determine how to price risk. This model could also be
adapted for critical infrastructure.
For instance, if natural gas
pipeline owners had to obtain private insurance to cover the costs of a
disruption to service caused by malicious cyber activity, markets would
likely require a far higher degree of assurance than would be required
through a standard regulatory model. In the coming months, we will
engage the insurance industry on further developing this concept.

    Mr. Richmond. Thank you, Mr. Knake.
    We will now recognize Ms. Howe to--five minutes to
summarize your statement.

 STATEMENT OF NILOOFAR RAZI HOWE, SENIOR FELLOW, CYBERSECURITY
                    INITIATIVE, NEW AMERICA

    Ms. Howe. Chairman Richmond, Chairman Thompson, Ranking
Member Katko, distinguished committee Members, thank you so
much for inviting me to speak today about emerging cyber
threats. My name is Niloofar Razi Howe, and for over 2 decades
I have worked in the technology sector, including
cybersecurity, as an investor, as an entrepreneur, and as an
executive.
    When I first started working in technology we had a Utopian
vision for the internet, and cybersecurity was a dark art that
lived in its own silo. But as the internet has matured, and
every aspect of our lives has become operationalized in this
domain, the threat it represents has grown in kind and in
effect.
    From IP theft, to cyber crime, to espionage, hostile social
manipulations, radicalization, and cyber war, the activity and
malfeasance that takes place affects all of society. It affects
all of our businesses, not just critical infrastructure. It
affects our Government's ability to provide services. Most
importantly, it affects all of us, the people. This same
adversary that is infiltrating our defense industrial base is
stealing intellectual property from our companies, probing our
infrastructure, and manipulating individuals. As Dan Geer
famously said, ``Every sociopath is now your next door
neighbor.''
    There are no more silos.
The problem is only getting bigger
as we embrace new waves of technology, innovations such as
cloud computing, autonomous vehicles, small low-orbit satellites
with advanced sensor platforms, the internet of things, drones,
distributed ledger technology, augmented and virtual reality.
On the horizon we see the emergence of 5G and microsensor
proliferation, autonomous weapons for private and military use,
quantum computing, AI, and synthetic biology, to just name a
few.
    People and businesses will not wait for security laws and
regulation to catch up before they embrace these technologies.
They don't have a choice. The internet of things, which has the
potential to change industries at their core and create over
$11 trillion of economic gain, has security issues that are
well understood. But these issues will not slow adoption down.
Oddly, there is too much at stake to wait for security.
    For the first time in human history, the accelerating pace
of technology innovation is outstripping our ability as human
beings to adapt and adjust our policies in a time line that is
relevant. Our adversaries have repeatedly shown that they can
move faster than we do. They adapt and exploit technology while
we grapple with its implications, emerging social norms, the
uneven distribution of authorities and capabilities, and a
political process that does not function at the speed of
innovation.
    While we study the problem, our adversaries have
infiltrated our systems, exploited an already polarized
society, and undermined the very foundation of our democracy,
the belief that there is such a thing as objective truth--
because where there is no objective truth, the biggest liar
wins.
    We need a coordinated and collaborative whole-of-society
approach to rise to the challenge of these emboldened
adversaries that we are out of position to deal with.
It is
time for the United States to set a bold cyber agenda capable
of restoring trust globally, trust in our technology, trust in
our systems, trust in our infrastructure, and, through that,
trust in our political system, our political process, and our
leaders.
    To be effective our Government will have to do this in
partnership across the Government and with private sector, and
remove any barriers that prevent Government agencies that have
relevant information from sharing that information and the
context that goes with it with the entities that are most
affected. This collaboration must extend to our cities, which
are overwhelmed and under-resourced. Their vulnerabilities are
a homeland security issue, especially as we look at our
election infrastructure and ransomware.
    To have trust in our systems and infrastructure we must
commit to regaining our innovation edge, and never again lose
our seat at the standard-setting table. As we look to the next
waves of technology, especially AI and quantum, falling behind
is not about National pride. It is about National security. We
must have a strong and consistent cyber deterrence policy,
something only the Government can deliver on. Even the
strongest walls will eventually succumb to a capable and
determined adversary if there is no deterrence.
    Technology companies that are co-conspirators with our
adversaries, that facilitate communications and propaganda
networks enabling destructive and chaotic social manipulation
must be regulated. To build resilience in society to social
manipulation efforts, funding and incentivizing media literacy
programs that teach the difference between fact, opinion,
misdirection, and lies, as well as research into deepfakes must
become a Homeland Security priority.
    Finally, our cybersecurity work force lacks diversity,
lagging the technology sector by a significant margin.
As we
build programs to skill and re-skill individuals to address the
massive skill shortage, we must put in place the right
incentives for diversity. We need new perspectives and a new
mental model for how we approach this threat. Our adversaries
are agile, creative, and persistent. Our technology landscape
is ever-shifting and our attack surface ever-expanding. Preparing
for the future requires a new organizational and operating
model focused on persistent cooperation and collaboration at
cyber speed.
    Thank you.
    [The prepared statement of Ms. Howe follows:]
                Prepared Statement of Niloofar Razi Howe
                            October 22, 2019
    Chairman Richmond, Ranking Member Katko, distinguished committee
Members, thank you for inviting me to testify on cybersecurity and
emerging technologies. I am a senior fellow in the Cybersecurity
Initiative at New America, a DC-based non-partisan think tank, and have
spent close to 3 decades in the technology sector, the last 15 years
focused on innovation in the National security and cybersecurity
sectors. I have been a venture capitalist, an entrepreneur, and a
corporate executive in the cybersecurity industry. I am also a member
of a number of corporate and Government advisory boards.
                     overview: where we stand today
    We must rethink our approach to cybersecurity and cyber defense.
    We are at an inflection point as enormous technological and
societal shifts are converging to reshape the National security
landscape and the underpinnings of our democracy. The world is changing
dramatically with the speed, scope, and scale of nothing we have ever
experienced. New, highly-advanced technology is being adopted at a
blinding pace as we digitize business, economic, defense, and social
infrastructures.
We are embracing cloud computing, autonomous vehicles, \nsmall low-orbit satellites with advanced sensor platforms, the internet \nof things (IOT), drones, distributed ledger technology, augmented and \nvirtual reality. On the horizon we see the emergence of 5G and \nmicrosensor proliferation, autonomous weapons (for both military and \nprivate use), quantum computing, artificial intelligence, and synthetic \nbiology, to name a few. It's an exciting time, but there are \nconsequences. Over time almost everything that we have experienced in \nthe physical world--prosperity, democracy, corruption, and warfare--\nwill happen digitally but with a speed and severity that we are just \nstarting to comprehend. This isn't about technology alone or something \nthat takes place in a dark corner of the internet somewhere. It's \nhappening every moment in our offices, our cars, our family rooms, and \nin our children's pockets. Every device is a supercomputer, every \napplication an attack vector, and with the internet, ``every sociopath \nis now your next door neighbor.'' This is a defining moment for our \nsociety as we face emboldened groups of adversaries with complex \nmotivations creating new social, political, and economic challenges \nthat we are out of position to deal with and almost out of time.\n    Good cyber hygiene is no longer sufficient as the path forward in \nthe face of increasing sophistication and the volume of threats our \nsociety faces. In cyber space, we are certainly in conflict, and many \nbelieve we are at war every day. Our adversaries are committed, well-\ncoordinated, persistent, and agile and they are growing in number, \nespecially as we continue to digitize the world, including some of the \nworld's most fragile societies. They are focused on using digital \ntactics to exploit weaknesses in our technology infrastructures and in \nour human nature. 
They are penetrating the seams that exist in society, \nsometimes for greed, sometimes for power, and sometimes for their \nNational security imperatives.\n    For decades, our Nation has played a critical global leadership \nrole, providing vision, diplomacy, and stability to further our \ninterests and our allies' interests, and this role is core to the trust \nand partnership required for a stable society and effective governance \nat home and around the world. We must do this in the digital world as \nwell. To move us to a world of trustworthy systems and a resilient \nsociety, we must reclaim our technology innovation edge and set the \nstandards for our digital infrastructure, which increasingly underpins \nevery aspect of our existence. We must work together--individuals, \nbusinesses, innovators, technologists, educators, policy makers, and \nour Government and military leaders--to define this new world order in \ncyber space, or at least mitigate the risks that compound with every \nmoment.\n    And we must move fast.\n    It took centuries for Gutenberg's invention, the printing press, to \nfundamentally change society by transforming information sharing and \ncommunication. The internet has transformed society on a fundamentally \ndifferent, faster time line. Today, time is not on our side. Our \nstarting point is a society that is polarized, a political system that \nis under attack, and a way of life that feels remarkably uncertain and \nfragile to many Americans. The accelerating pace of technology \ninnovation for the first time in human history is outstripping our \nability as humans to adapt, adjust our policies on a time line that is \nmeaningful, and avoid the inevitable widening of the income divide in \nsociety that this acceleration will drive. 
Automation will diminish the \nimportance of labor over time adding to income disparity between the \nhighest earners and the low-wage labor force, reinforcing a belief for \nmany in our society that the future will not be better for them or \ntheir children. In fact, an Oxford University study estimates that 47 \npercent of total U.S. employment is at risk with automation. It is \nthese seams in society that our adversaries are exploiting. They are \nusing cyber space to undermine the very foundation of our democracy. \nThe amplification of polarization as a result of the structure of our \ntechnology platforms as well as exploitation of those platforms by our \nadversaries to sow discord and chaos in society has undermined the \neffectiveness, stability, and consistency of our Government leaders and \npolicy makers to address these pressing problems and to find common \nground to rally around as a society with shared values and a shared \nvision for the future. Not surprisingly, people's faith and trust in \ntheir leaders--government, business, and religious leaders--continues \nto decline, especially and most alarmingly, among our youth.\n    We must also move fast because our people and our businesses will \nnot wait for our policy makers to catch up or security to be designed \nin before they embrace new waves of technology innovation that can \nbring with them new disruptions to society. IOT, powered by 5G \nnetworks, will be embraced by businesses to take advantage of the $11 \ntrillion of economic gain waiting to be captured. Many of these devices \nare inexpensive and rely on slim profit margins and with little to no \nregulation or liability they generally lack even the most basic \nsecurity features we have come to expect in our connected devices. The \nresult is that most IOT devices have known vulnerabilities, and they \nhave already become a key component of adversary attack tactics such as \nbotnets. 
IOT devices are proliferating in every corner of society from \nbusiness-to-business applications in manufacturing, agriculture, health \ncare, and transportation to consumer applications such as home \nautomation. As a result, the vulnerabilities of these systems will also \nproliferate into every aspect of our corporate and personal lives.\n    The growing market in low-orbit satellites, which gets little \nairtime from security and privacy experts, threatens to form the most \nubiquitous surveillance platform ever built with no meaningful \nregulation to control what they are used for or by whom. These \nplatforms can now be easily tasked by individuals at low cost with few \nlimits, regulatory or technical, on what they can be tasked to track or \nwhat information they can obtain and sell. The privacy debate, which is \na critical corollary to any discussion about cybersecurity, needs to \ntake into account the implications of the 4,000 satellites that are \nbeing launched into orbit.\n    The consequences of the digitization of fragile societies without \nthought to security ramifications pose a credible security risk both \nto those societies and possibly to the broader interconnected world. \nWhile over half of the world's population is on-line, many of the \npeople who are now being brought on-line live in some of the world's \nmost chaotic geographies. As these populations get connected via the \ninternet, with few norms to truly govern their behavior or those who \nseek to destabilize and manipulate them, we must be prepared for new \nforms of malfeasance and exploitation.\n    As more money pours into artificial intelligence from governments \nand technology firms, the ramifications are poised to be immense and by \ndefinition beyond what the human brain can comprehend. We can expect \nevery industry and every aspect of society to be impacted by AI. 
What \nthis impact will be exactly is yet to be fully understood and must be \ncarefully researched and studied at every stage of development.\n    Our adversaries have repeatedly shown in the past that they can \nmove faster than we do in the United States. We have witnessed how \nquickly they can adapt and exploit technology while we grapple with \nemerging technologies, emerging social norms, and a political process \nthat does not function at cyber speed. While we have been studying the \nproblem of cybersecurity, cyber criminals have innovated and adapted. \nCyber crime is now an industry, often protected by the governments of \nthe geographies in which the cyber criminals operate, and has quickly \ngrown to be the most lucrative form of crime, overshadowing the global \nillegal drug trade. The Hacker-Industrial Complex--networks of cyber \ncriminals who crowdsource their tools and share their services--\ncontinues to operate with little fear of prosecution or retribution.\n    Just in the past few years, ransomware, which started out as a \ntroublesome cyber crime issue for petty criminals to extract value from \nlocking down access to data, has grown to represent a National and \nhomeland security issue threatening the very ability of our Government \nto provide services to its citizens. This past year multiple \njurisdictions in the United States were hit with ransomware attacks \nthat crippled municipal services for prolonged periods of time. If this \nwas a testing ground for a new attack vector, these incidents proved \nthe vulnerability of our under-resourced State and local municipalities \nto ransomware attacks and the potentially disastrous effect on the \ncommunities they serve.\n    Our adversaries over the past 3 years have developed a better \nunderstanding of, and therefore improved their use of, social \nmanipulation through the internet. 
The growth and reliance on social \nmedia in the United States has enabled our adversaries, especially \nRussia and China, to engage in state-on-individual activities \n(manipulation), exploit vulnerabilities in our society, amplify \npolarization, radicalize our youth, and undermine any sense of \nobjective truth in society. By definition, polarized societies are \nineffective at governance as there is no common ground to build \nconsensus to enact bipartisan policies, laws, and regulations that \nbenefit all of society. As our ability to govern erodes, so does \npeople's faith in the government leaders and their political system. A \nrecent Pew Research study found that Republicans and Democrats are more \ndivided along ideological lines--and partisan antipathy is deeper and \nmore extensive--than at any point in the last 2 decades. The ``middle'' \nhas literally disappeared.\n    Underpinning all of these issues is the fact that human beings have \na flawed operating system (OS) that relies on outdated mental models \nand cognitive biases that perhaps were useful when we lived in caves, \nsurviving attacks from the wild, but do little to help us in the age of \ntechnology acceleration or protect us against our increasingly \nvulnerable digital existence. This flawed human OS sits at the \nintersection of our networks and devices and continues to be the weak \nlink in our security programs and architecture. For example, 91 percent \nof all cyber attacks start with a phishing email, which still drives a \nbetter response rate than most marketing programs. This flawed human OS \nis also responsible for developing the policies, laws, and regulations \nto protect our people and our businesses from harm. The pace at which \nwe have historically developed societal and Government solutions, \nadapted to new technologies, and built consensus with respect to our \nmost pressing problems is too slow for the age of technology \nacceleration. 
It is time to change our perspective and mental model \nwith respect to the time lines we must operate on, the agility with \nwhich we take action, and the collaborative model we employ. Our \nadversaries have.\n                          where we need to go\n    It is critical to put in place the right policies to address our \nmost existential threats in real time. It is time for the United States \nto set a bold cyber agenda capable of restoring trust globally, trust in \nour technology, trust in our systems, trust in our infrastructure, and \nthrough that trust in our political system, our political process, and \nour leaders. To be effective, our Government will have to do this in \npartnership across the Government and with the private sector. There is \nno time for silos or provincialism as we turn into solving an \nexistential crisis for our homeland, for the people, and for the world.\n    A bold new cyber agenda should include the following elements:\n    1. Speed and transparency.--The U.S. Government must remove any \n        barriers that prevent Government agencies that have threat and \n        adversary information from sharing that information real-time \n        and with context with the entities that are most affected. \n        Sustained and real-time cooperation and collaboration between \n        all relevant Government agencies and the private sector is the \n        only way to rebuild trust and have a real impact on our \n        adversaries. We now have multiple agencies with unique \n        capabilities to help the private sector, including the \n        Department of Homeland Security's (DHS) Cybersecurity and \n        Infrastructure Protection Agency (CISA), United States Cyber \n        Command, the National Security Agency (NSA), the Federal Bureau \n        of Investigation (FBI), and sector-specific agencies such as \n        United States Treasury and Department of Energy (DOE) to name \n        a few. 
Each plays a unique role in the Nation's cybersecurity \n        mission, but only if they are working together and without \n        barriers and provincial turf wars, can we actually change the \n        landscape of cybersecurity for the country. The Russia Small \n        Group, with a clear mandate to protect the 2018 elections, was \n        a tremendous example of what happens when we bring the full \n        power of multiple Government agencies to solve a problem, hand-\n        in-hand with the private sector. We need to rethink our U.S. \n        Government operating model to empower consistent and real-time \n        coordination and collaboration. Many of the authorities for \n        securing our systems were written long before there was a \n        commercial internet. We need to take a holistic look at these \n        authorities through the lens of how we can most effectively \n        defend the Nation, our enterprises, and our people, with the \n        goal of enabling effective real-time consistent collaboration \n        and coordination.\n    2. A relentless focus on unique value drivers and outcomes.--\n        a. Government's unique role.--Government must do what only the \n            Government can do--deter malfeasance in cyber space, \n            especially by nation-state adversaries, by using our tools \n            of National power against those adversaries who are harming \n            us. The private sector cannot defend itself alone against \n            nation-state adversaries and criminals who are agile, \n            persistent, and creative. Even the strongest walls will \n            eventually succumb to a capable well-funded adversary if \n            there is no deterrence. This is uniquely the Government's \n            role. 
Peter Singer, a senior fellow at New America, wrote \n            last year about the collapse of cyber deterrence: ``Less \n            generously, these trends have created the opposite of \n            deterrence: Incentives. The failure to clearly respond has \n            taught not just Russia, but any other would-be attacker, \n            that such operations are relatively no pain on the cost \n            side, and all gain on the benefits side. Until this \n            calculus is altered, the United States should expect to see \n            not just Russia continue to target its citizens and \n            institutions but also other nations and non-state groups \n            looking for similar gains.'' Strong deterrence is the \n            cornerstone of any security framework and the U.S. \n            Government must take up this challenge in a decisive way, \n            with a consistent policy and framework for imposing cost on \n            those who do us harm.\n        b. Private sector's unique expertise.--The private sector has \n            developed deep technical expertise in certain domains and \n            the U.S. Government must leverage the private sector better \n            and not duplicate effort in areas where private-sector \n            capabilities now surpass Government capabilities. In the \n            threat intelligence market, while U.S. intelligence \n            agencies can bring the full power of their capabilities to \n            bear on a selected basis producing unique insights into \n            foreign adversaries, the private sector has advanced \n            capabilities across a broad group of actors (foreign and \n            domestic), including insight into attacker behavior, \n            tactics, techniques, and procedures (TTPs), and campaigns. 
\n            Coordinating intelligence between private and public sector \n            to understand adversary behavior and create a coordinated \n            response to defend and defeat the adversary is critical. As \n            we build and invest in Government capabilities, we must be \n            careful not to duplicate or compete with private-sector \n            capabilities.\n    3. Resilience to ransomware.--Ransomware is no longer just a cyber \n        crime issue. Ransomware at the State and municipal level is a \n        National security and homeland security issue. The single \n        purpose of Government is to provide services (including \n        protection) to its citizens. Ransomware at scale keeps that \n        from happening as we saw in Baltimore, Atlanta, and the State \n        of Texas. A ransomware attack during an election would have \n        devastating effect not just on the election itself, but on \n        people's trust in Government and the validity of our political \n        process. State and municipal administrations need Federal help \n        in the form of standards, grants, developing response plans, \n        and tax incentives to invest in infrastructure that can be \n        resilient to ransomware attacks and making Government systems \n        resilient to ransomware attacks should be a high priority for \n        Congress. It will take a coordinated effort across the whole of \n        Government, but especially DHS CISA, NIST, FBI, and NSA's \n        Cybersecurity Directorate, working hand-in-hand with State and \n        local agencies, to make progress against this real threat and \n        to stay ahead of the adversary.\n    4. Support secure smart cities.--As a corollary to the ransomware \n        issue, Congress should provide more support to sub-Federal \n        entities to collaborate on smart city modernization projects. 
\n        Our cities do not have the expertise to defend themselves on \n        their own nor the resources to do it. As our cities become \n        smarter, they must do so with security in mind or these \n        modernizations could unwittingly enable disruption of the \n        Government's core function of providing services and security \n        to its citizens, and given the criticality of municipal \n        services, actually lead to loss of life. As Natasha Cohen and \n        Brian Nussbaum write in their New America report Smart is not \n        Enough, ``Despite increasing concern from the information \n        security community, it is far from clear that even the smartest \n        of U.S. cities are in a position to deal with the full range of \n        new risks that the technology may bring. The required \n        financial, social, security, operational, legal, and policy \n        innovations needed for smart cities to deliver on their \n        aforementioned promises do not appear to be moving at the pace \n        of innovation of the technology.''\n    5. Commit to regaining our innovation edge.--Government funding of \n        innovation so that the United States can regain its edge in \n        next generation technologies will be critical to ensuring that \n        those technologies and the infrastructure that supports them are \n        secure by design. While venture capitalists invest over $5 \n        billion per year conservatively in cybersecurity companies and \n        technologies, with a myriad of innovation competitions such as \n        the RSA Conference Innovation Sandbox and Launchpad \n        Competitions held each year during the RSA Conference, which \n        now boasts close to 45,000 attendees each year, private-sector \n        investment is focused on building businesses based on proven \n        technologies and established market demand. That is not where \n        the funding gap exists. 
The United States must significantly \n        increase (to the tune of a multiple of current Federal R&D \n        budgets) its funding in basic and applied research in the areas \n        identified by the U.S. intelligence community such as \n        artificial intelligence, 5G, and quantum computing in order to \n        meet its declared National technology priorities. It is time \n        for the Government to fund a bold innovation agenda that will \n        carry us forward to 2030 and beyond, and commit to regaining \n        our innovation edge in these critical next generation \n        technologies.\n    6. Fund media literacy programs.--We live in a polarized, \n        hyperconnected world of impatient digital citizens who are \n        being continuously and creatively targeted with misinformation. \n        Developing and funding a media literacy program that teaches \n        individuals how to discern the difference between fact, \n        opinion, misdirection, and lies is critical to a well-\n        functioning society and should be a homeland security priority. \n        IREX, a global development and education organization, \n        developed a Learn to Discern education program for the \n        Ukrainian Ministry of Education to combat Russian \n        disinformation campaigns. Their program integrated information \n        consumption skills into existing secondary school curricula and \n        teacher training programs at pre- and in-service teacher \n        training institutes. Working with the non-profit community as \n        well as the private sector, the U.S. Government should fund the \n        development of similar programs and curricula in the United \n        States for our elementary, middle, and high-school students as \n        well as for teacher training. 
With a broad media literacy \n        campaign, we can build resilience to state-sponsored \n        disinformation campaigns, help individuals recognize divisive \n        narratives and hate speech, and improve our youth's ability to \n        navigate increasingly polluted on-line spaces in a safe and \n        responsible way. As we do this, we must pay close attention to \n        misinformation innovations such as deepfakes, which present a \n        unique challenge, and fund research aimed at identifying and \n        mitigating the threat they pose to the very concept of \n        objective truth.\n    7. Commit to building a diverse workforce in cybersecurity.--The \n        Government is in a unique position to contribute and commit to \n        purposefully reducing the skills shortage in the cybersecurity \n        industry. While there are some great programs in place, \n        including DHS's CyberPatriot competition, CyberCorps \n        Scholarship for Service initiative, and the April 2019 \n        Executive Order focused on reskilling and upskilling Federal \n        employees, more needs to be done to recruit individuals from \n        outside our typical skill sets (IT, law enforcement, and \n        military) with a clear mandate of solving the diversity gap in \n        the industry. The cybersecurity workforce today significantly \n        lags behind the broader technology industry in terms of \n        diversity and to solve our skills shortage we need all of \n        society to be inspired by the mission to reclaim cyber space \n        for good. Elizebeth Friedman, one of the most prolific \n        codebreakers in U.S. history, had no background or training in \n        mathematics or linguistics and yet was able to break any code \n        in any language during and after World War II. We need to \n        inspire a new generation of Elizebeth Friedmans to consider a \n        career in cyber. 
There are a number of good examples of \n        reskilling efforts in both the public and private sector. The \n        U.K. Cyber Retraining Academy is an effort by the U.K. \n        government in partnership with the SANS Institute to reskill \n        individuals with high natural aptitude, but no formal cyber \n        background, to enroll in an intensive 10-week program preparing \n        them for a career in cybersecurity. Google launched Google IT \n        Support Professional Certification under its Grow with Google \n        initiative through Coursera, offering a way for anyone from any \n        educational background to get a start in the IT field where the \n        average starting salary for IT support is $52,000 per year. The \n        Homeland Security Act of 2002 envisioned the creation of a \n        National Emergency Tech Guard program, a corps of volunteers \n        whose training is funded by the Government and who can be \n        deployed during periods of crisis to restore critical systems \n        and services to their communities. Policy makers should \n        support, fund, expand, and incentivize similar initiatives with \n        a mandate of driving diversity in the industry. This commitment \n        would not only help solve the industry's skills shortage, \n        bolster our resilience during times of crisis, but would help \n        address the ``digital divide'' of the haves and the have nots \n        in our society. As we look to the future we will have to \n        ultimately commit to completely rebuilding our digital \n        infrastructure, cities, and nations to face the digital and \n        social challenges of 2030 and beyond. Investment in building \n        the talent base in the right way to tackle this challenge is a \n        necessity for success.\n    8. 
Judicious implementation of regulation.--Regulation must be \n        pursued in a focused and purposeful manner with a willingness \n        to adjust and adapt as we evolve, as technology evolves and as \n        our adversaries evolve. With those guiding principles, we \n        should enact regulation targeted at very specific areas where \n        we can have measurable impact.\n        a. Setting minimum Security Standards for IOT is critical.--\n            Congress should enact basic regulation with respect to IOT. \n            The U.S. Government can help protect the 5G ecosystem of \n            billions of connected devices by setting basic security \n            standards, requiring features such as auto update, and \n            importantly providing the right incentives, including tax \n            incentives for vendors to implement these standards and \n            corporations (including critical infrastructure) to deploy \n            secure products and the financial headroom and reason to \n            make changes.\n        b. It is time to enact regulations on big data and social \n            platforms.--The aim is not to regulate ``Big Tech'' but \n            rather those technology platforms that facilitate \n            communications and propaganda networks, exploit human \n            weakness for profit, are addictive by design, reward \n            virality, not veracity, thereby enabling destructive and \n            chaotic social manipulation by our adversaries, without \n            providing clear benefits to their users that outweigh \n            these costs. These social platforms have demonstrated an \n            unwillingness to self-regulate or put the interests of \n            their consumers or society at large ahead of their profit \n            motivation. 
The scope of harm they have caused society \n            includes not only the amplification of polarization, but \n            also psychological harm as the amount of stress, anxiety, \n            and depression caused by their platforms is on the rise in \n            society and especially with our youth. They are out of \n            time.\n                               conclusion\n    All of the recommendations outlined above are intended to support \nempowering a society that is resilient to the unintended consequences \nof technology innovation and the inevitable exploitation and use of \nthose technologies by adversaries to gain some form of advantage. This \nmay only be a starting point of a long journey. If our ultimate goal is \ndefending our Nation by defeating our adversaries in cyber space rather \nthan accommodating them, then, in addition to establishing acceptable \nnorms of behavior, developing and committing to a consistent policy of \nengagement, escalation and deterrence, we must have a working model for \nsuccessful public-private collaboration and engagement. Defeating our \nadversaries presupposes our ability to harness the vast technical \nexpertise and resources as well as the unique authorities of the \nFederal Government, the vast technical expertise and agility of the \nprivate sector, a collaborative intelligence gathering and sharing \nframework, and coordinated response planning. It presupposes a society \nwhere trust exists between the private sector and the public sector, \nwhere transparency and fact-based substantive conversation, discussion, \nand communication are the norm.\n    We have a long way to go, time is not on our side, but we have not \nyet run out of time.\n\n    Mr. Richmond. Thank you, Ms. Howe, for your testimony.\n    I now recognize Dr. Buchanan to summarize his opening \nstatement for 5 minutes. 
Thank you.\n\nSTATEMENT OF BEN BUCHANAN, PH.D., SENIOR FACULTY FELLOW, CENTER \nFOR SECURITY AND EMERGING TECHNOLOGY, MORTARA CENTER, ASSISTANT \n           TEACHING PROFESSOR, GEORGETOWN UNIVERSITY\n\n    Mr. Buchanan. Thank you, Chairman Richmond, Chairman \nThompson, and Ranking Member Katko, for holding this important \nhearing and for inviting me to testify.\n    My name is Ben Buchanan. I am an assistant teaching \nprofessor at the School of Foreign Service, and the senior \nfaculty fellow at the Center for Security and Emerging \nTechnology, both at Georgetown University. I am also a global \nfellow at the Woodrow Wilson Center for Scholars, where I teach \nintroductory classes on artificial intelligence and \ncybersecurity for Congressional staff. My research specialty is \nexamining how cybersecurity and AI shape international \nsecurity. In this vein I co-authored recently a paper entitled, \n``Machine Learning for Policymakers.''\n    I will confine my opening remarks to the impact of AI on \ncybersecurity, since I think it is the emerging technology \npoised to have the most significant effect in this area. While \nthere is an enormous amount of hype and debate around AI in \ngeneral, the intersection of AI and cybersecurity is \nunderstudied and underappreciated. At least 3 dimensions of \nthis problem deserve our analysis.\n    First and most significant is the cybersecurity of AI \nsystems themselves. AI systems are just as likely to be \nsusceptible to the kinds of software vulnerabilities that are \npresent in other kinds of computer code. As we have seen for \ndecades, hackers can exploit these vulnerabilities for their \nown ends. There is no reason to think that hackers will not try \nto do the same to AI systems, and there is no reason to think \nthat they will not, at times, succeed. This possibility is \nparticularly worrying, given the high stakes of some AI \napplications. 
This is not a reason to avoid using AI, but \nvigilance is imperative in order to improve cyber and National \nsecurity.\n    Yet to stop our analysis at just the traditional kinds of \nsoftware vulnerabilities is to miss a great deal of the \ncybersecurity risk that AI systems pose. The neural network \narchitecture that underpins a lot of modern AI is immensely \npowerful, but presents new classes of cybersecurity risk that \nwe are only beginning to uncover and understand. We call this \nfield adversarial learning.\n    Using adversarial learning hackers can cause neural \nnetworks to make bizarre errors, causing systems that rely on \nthose networks to fail or reveal confidential information. This \nis a field that requires a great deal more attention. A tiny \nfraction of the research in AI today goes to studying AI \nsecurity and the risks of adversarial learning.\n    Our second area of analysis is that AI can change \ntraditional offensive cyber attacks against regular computer \nsystems. Modern hackers in many cases do not need AI to achieve \ntheir ends. That said, I think it is noteworthy that some of \nthe most potent cyber attacks we have seen, including last \ndecade's Stuxnet, the 2006 black--2016 blackout in Ukraine, and \nthe 2017 attack known as NotPetya, which caused $10 billion in \ndamage, feature some forms of automation within them.\n    I can imagine a world in which future cyber operations will \nuse more sophisticated automated capabilities to achieve \nparticular tasks such as vulnerability discovery, target \nselection, command and control, and attack execution. Mr. Knake \nmentioned the kill chain earlier, and suffice it to say that I \nthink almost every aspect of the kill chain could be \ntransformed by more powerful automated capabilities.\n    I suspect that such automation could offer significant \nupsides to sophisticated hackers faced with complex targets and \ncomplex missions. 
In some respects, the possible upside to \nautomation in attack is higher in the area of cyber operations \nthan in physical warfare, since whether a plane is operated by \na human or a machine, the laws of physics still apply. But it \nis likely that automated cyber capabilities, if sophisticated \nenough, could operate much faster than their human-directed \ncounterparts. I stress, however, we have not seen this come to \nfruition yet.\n    This leads to the third area of analysis, the possibility \nthat AI might help on cyber defense. This idea is also the \nsubject of a lot of hype and a lot of investment. There seem \nto be discrete ways in which AI can indeed help secure computer \nsystems, both in discovering vulnerabilities before hackers do, \nand also in detecting the presence of malicious code.\n    However, we must be careful not to let the hype outrun the \nreality on this front. In evaluating cybersecurity advances in \nthis area, we should compare them to the baseline of \ntechnologies we already use, many of which already involve \nautomation, and understand how, if at all, automation in our \nmodern paradigm of machine learning actually improves our \ndefenses. I do believe that AI-enabled tools are likely to be a \nfundamental part of modern and future cyber offense and \ndefense. The scale, size, and speed of cyber operations will \nmake this inevitable. It is imperative that we keep up with \nchanging times.\n    That said, we must not forget that cyber operations, no \nmatter how sophisticated, are still fundamentally human \noperations. For as much as we will talk about technology today, \nwe must remember that the people in our organizations, \nincluding Government, are key to addressing these threats.\n    I look forward to your questions.\n    [The prepared statement of Mr. 
Buchanan follows:]\n                   Prepared Statement of Ben Buchanan\n    Thank you, Chairman Richmond and Ranking Member Katko, for holding \nthis important hearing and for inviting me to testify.\n    My name is Ben Buchanan. I am an assistant teaching professor at \nthe School of Foreign Service and a senior faculty fellow at the Center \nfor Security and Emerging Technology, both at Georgetown University. I \nam also a global fellow at the Woodrow Wilson International Center for \nScholars, where I teach introductory classes on artificial intelligence \nand cybersecurity for Congressional staff. My research specialty is \nexamining how cybersecurity and AI shape international security. I co-\nauthored a paper entitled ``Machine Learning for Policymakers.''\\1\\\n---------------------------------------------------------------------------\n    \\1\\ Buchanan, Ben and Taylor Miller. ``Machine Learning for \nPolicymakers.'' Belfer Center for Science and International Affairs \n(2017), https://www.belfercenter.org/sites/default/files/files/\npublication/MachineLearningforPolicymakers.pdf.\n---------------------------------------------------------------------------\n    I will confine my opening remarks to the impact of artificial \nintelligence on cybersecurity, since I think it is the emerging \ntechnology poised to have the most significant effect in this area. \nWhile there is an enormous amount of hype and debate around AI in \ngeneral, the intersection of AI and cybersecurity is understudied and \nunderappreciated.\n    At least 3 dimensions of this problem deserve analysis:\n    First and most significant is the cybersecurity of AI systems \nthemselves. AI systems are just as likely to be susceptible to the \nkinds of software vulnerabilities that are present in other kinds of \ncomputer code. As we have seen for decades, hackers can exploit these \nvulnerabilities for their own ends. 
There is no reason to think that \nhackers will not try to do the same to AI systems, and there is no \nreason to think that they will not at times succeed. This possibility \nis particularly worrying given the high stakes of some AI applications; \nit is not a reason to avoid using AI, but vigilance is imperative to \npreserve cybersecurity.\n    But to stop our analysis at just the traditional kinds of software \nvulnerabilities is to miss a great deal of the cybersecurity risk that \nAI systems pose. The neural network architecture that underpins a lot \nof modern AI is immensely powerful but presents a new class of \ncybersecurity risks that we are only beginning to uncover. We call this \nfield adversarial learning.\n    Using adversarial learning, hackers can cause neural networks to \nmake bizarre errors, causing systems that rely on those networks to \nfail or to reveal confidential information. This is a field that \nrequires a great deal more attention.\n    Second, AI can also change traditional offensive cyber attacks \nagainst regular computer systems. Modern hackers in many cases do not \nneed artificial intelligence to achieve their ends. That said, I think \nit is noteworthy that some of the most potent cyber attacks we have \nseen--including Stuxnet, the 2016 blackout in Ukraine, and the 2017 \nattack known as NotPetya that caused at least $10 billion in damage--\nfeature some forms of automated propagation and attack capability. I \ncan imagine a world in which future cyber operations will use more \nsophisticated automated capabilities to achieve particular tasks, such \nas vulnerability discovery, target selection, command and control, and \nattack execution.\n    I suspect that such automation could offer significant upsides to \nsophisticated hackers faced with complex targets. 
In some respects, the \npossible upside to automation is higher in this area than in physical \nwarfare; whether a plane is operated by a person or a machine, the laws \nof physics still apply, but it is likely that automated cyber \ncapabilities--if sophisticated enough--could operate much faster than \ntheir human-directed counterparts. I stress, however, that we have not \nseen this come to fruition yet.\n    This leads to the third area of analysis: The possibility that AI \nmight help on cyber defense. This idea is also the subject of a lot of \nhype and a lot of venture capital investment. There seem to be discrete \nways in which AI can indeed help secure computer systems, both in \ndiscovering vulnerabilities before hackers do and also in detecting the \npresence of malicious code. However, we must be careful not to let the \nhype outrun the reality on this front. In evaluating cybersecurity \nadvances in this area, we should be careful to compare them to the \nbaseline of technologies we already use--many of which already involve \nautomation--and understand how, if at all, artificial intelligence \nimproves our defenses.\n    I do believe that AI-enabled tools are likely to be a fundamental \npart of modern and future cyber defense; the scale, size, and speed of \ncyber operations will make this inevitable, and it is imperative that \nwe develop these tools. That said, we must not forget that cyber \noperations, no matter how sophisticated, are still fundamentally human \noperations. For as much as we will talk about technology today, we must \nremember that the people in our organizations are key to addressing \nthese threats.\n    I look forward to your questions.\n\n    Mr. Richmond. Thank you. Thank you for your testimony. I \nwill now recognize myself for 5 minutes to ask questions.\n    Let me just start with some of the things that you all \ntalked about. Mr. 
Knake, you mentioned that there are examples \nwhere governments set the objectives or goals. Can you give me \nsome of those, and your train of thought on how governments \nshould do it, or what the goals should be?\n    Mr. Knake. Yes, Mr. Chairman. The analogy that I like to \nuse in this space is how we handle oil spills.\n    We all remember the Exxon Valdez oil spill in 1989. In \n1990, Congress passed bipartisan legislation, the Oil Pollution \nAct. What that act said was that, if you are going to bring oil \ninto U.S. waters, you need to have insurance that would cover \nthe full cost of cleaning up a loss of containment from that \nvessel. So the important thing that that act did is, it didn't \nsay, ``Here are the requirements for safety of your vessels, \nhere is what you must do,'' it said you will own the cost. The \npolluter will pay.\n    Well, I think we can adapt that model very easily to areas \nlike data spills. Treat data spills like oil spills. If you \nwant to hold 140 million records of U.S. citizen data, then you \nprobably should have to have an insurance bond that would pay \nout on the order of--back of the envelope math would suggest \nabout a $1,000 per record. That would require the insurance \nindustry to be able to measure risk in a way that they cannot \nmeasure today, and to measure security in a way they cannot \nmeasure today.\n    But I am quite confident that, from that point on, markets \nwould be able to adopt new strategies to be able to price that \nrisk and enforce it, so they wouldn't have to pay out that kind \nof insurance payment.\n    Mr. Richmond. Part of my thinking--and you mentioned \nAtlanta in your testimony, and other places--part of my \nconcern--and I will pick a fictional place so that I don't \noffend any community, but let's think of Mayberry, North \nCarolina, where Barney Fife was the sheriff's deputy.\n    [Laughter.]\n    Mr. Richmond. 
It is made up.\n    So how do we ensure that they are up with the times in \nterms of protecting their data, and their cyber hygiene, and \nall of those things? How do we get them to where they need to \nbe?\n    Mr. Knake. This is a very unpopular opinion, Mr. Chairman. \nThe first thing I would do is I would ban ransomware payments.\n    What we are doing at this point is handing hundreds of \nmillions of dollars over to our adversaries. They are taking \nthat money. They are spending some of it on Lamborghinis and \nleather jackets. The rest of the money they are reinvesting to \nup their capabilities. They are growing more sophisticated. \nThey are building larger teams. They started out doing \nransomware against individuals. They are now doing hospital \nsystems and local governments. It is only a matter of time \nbefore they do the power grid. So from that perspective, we \nhave got to stop funding them.\n    Mr. Richmond. Let me stop asking you questions.\n    [Laughter.]\n    Mr. Richmond. Ms. Howe, you mentioned autonomous weapons. \nWhat is out there when you speak of that?\n    Ms. Howe. Today the technology exists to have completely \nautonomous weapons. They are available, both for the military \nand also for private use, where you can set up sniper rifles to \ntake down targets from great distances with very little human \nintervention. That exists out there, and when they are \nnetworked it creates an interesting dilemma, from a security \nperspective.\n    Mr. Richmond. Thank you. Mr. Durbin, you mentioned stalker \napps, or stalker--tell me how they--how it will get on a \nMember's phone or one of the panelists' phone.\n    Mr. Durbin. Stalkerware is considered malicious software. 
\nLike most threats and malicious software packages, there are--\nthere is no difference in how they would end up on a device.\n    So, like a phishing exercise, where you get an email and \nyou are asked to click on a link that could execute a program \nto load it in, or even--you could do it via text. If since \nstalkerware in--sometimes involves somebody that the stalker \nknows, if they have physical access to the phone, then they \nwould be able to, obviously, grab it and load it on. So it is \nlike typical threats. You can be tricked into having that, the \nsoftware load.\n    Mr. Richmond. OK. I would imagine that you all sell \nsoftware to detect it.\n    Mr. Durbin. Yes, we do.\n    Mr. Richmond. OK. With that I will recognize the Ranking \nMember of the subcommittee, Mr. Katko, for 5 minutes.\n    Mr. Katko. Thank you, Mr. Chairman. Ms. Howe, during your \ntestimony--well, all of you talked about the various threats \nthat are out there, and I really, truly believe we are \nconstantly playing catch-up, and that is a concern.\n    But Ms. Howe, you mentioned that we need to study--we, \nbeing the Government--need to set a bold cyber agenda. Could \nyou just drill down a little more and tell me what you envision \nwould be good for us to do?\n    Ms. Howe. Well, certainly, sir. Thank you for the question.\n    From the outset, I think the Government--there are things \nonly the Government can do that would have a tremendous impact \non the threat landscape.\n    Having a consistent cyber deterrence policy that imposes \ncosts on the adversary is a great starting point. It is unfair \nto expect companies to be able to defend themselves against \nnation-state adversaries who are committed. We have done that \nin the past. 
We certainly wouldn't do that in the kinetic \nworld, but we are doing that in the cyber world, where we \nexpect companies to defend themselves.\n    We also have to--some of the authorities that were written \nfor defending our most critical systems were written before \nthere was a commercial internet. As we take a holistic look and \nsee what is happening in the dynamics of the market, we have to \nbe willing to re-examine how we operate as a Government, the \nauthorities and capabilities mismatch that we all talk about, \nand how we organize and how we collaborate at cyber speed.\n    Mr. Katko. All right, thank you very much.\n    Mr. Buchanan, you talked about a human element factor. You \nknow, one common theme that I believe in is that, with emerging \ntechnologies and threats the way they are, the human element \nremains critical to the functionality of the attacks. So how do \nwe make the human element of attacks less effective with \nemergent technologies? Or can we?\n    Mr. Buchanan. Well, I think, again, as much as we talk \nabout technology, it is important to recognize that, both on \noffense and defense, there are humans involved. One of the \nthings I worry about quite a bit, as someone who teaches \nstudents who often go into Government, is the capacity to \neducate future policy makers and policy advisers to have \nGovernment-hiring authorities to bring people into Government \nso they can serve in this mission set on offense and on \ndefense.\n    As you can imagine, relating to compensation and other \nfactors, often times many of these individuals go to the \nprivate sector and don't end up in Government working on these \nimportant missions.\n    Mr. Katko. Thank you. Here is a question for everyone here.\n    Mr. Durbin, we can start with you. It is about quantum \ncomputing. In my home town, Syracuse, New York, they have a \nrobust quantum computing research operation under way. But it \nis, of course, not the only one in the country. 
I am vitally \nconcerned about quantum computing in that--one of you said that \nif China gets it, basically, we are in big trouble. It should \nbe something that we prioritize better than we are right now.\n    I just want to, should we--just--it is a softball question, \nbut it is--I want to hear what your answers are.\n    Should we be making more of a concerted effort to develop \nour quantum capabilities on the Government level, given how \nmuch of an advantage fully-functional quantum computing can \nprovide?\n    Mr. Durbin. Yes, it is a serious threat. It is coming. The \ntime frames are very debatable, but the time to come up with \ndefenses is now, not when somebody does have the first \nfunctional working quantum computer.\n    The algorithms that are used right--or the encryption \nalgorithms for protecting data right now will not be sufficient \nwith quantum, so we need to come up with the new problem that \nis hard for a quantum computer to solve.\n    I am encouraged with the attention that NIST has been \ngiving this topic, and so I encourage them to keep going with \nthe research that they are doing.\n    But yes, it is coming, and focus needs to be brought to \nbear.\n    Mr. Katko. Yes, it seems to me that there is a bit--it is a \nbit diffused, the projects, and there is not, like, a \ncentralization, if you will, of the--their overall goal. I \nmean, I view this as a modern-day moonshot, because if we--if \nthe Chinese get it before us, then we really--our encryption \ndata is--or our encryption capabilities are going to be \nseverely hampered. We are already vulnerable, as it is.\n    So Mr.--as you say, Knake--is that how you say it, or \nKnake? Yes. Well, what can we do, as a Government, from a \nprioritization standpoint?\n    To me, it seems to me that we need to do more to make this \na high priority within Government. It is not something that \npeople can see and feel like the moonshot, if you will. 
But it \nis something that is critically important to us, going forward. \nHow do we get the Government to prioritize this more?\n    Mr. Knake. So I think the way that I would approach this \nproblem is to say that we need to focus on it with the same \nenergy and, really, the same level of resources as we would \nmaybe a Manhattan project or a moonshot, but we need to harness \nthe capabilities within our private sector. So instead of \nhaving one large Manhattan Project out in the Southwest desert, \nin this case we need to have dozens, if not hundreds, of \ncompanies working on various aspects of it. There are models \nfor how we have done this in the past. I would call on SpaceX \nas a good example of a commercial-supported endeavor.\n    But I think the key here is more research going to more \nteams to compete globally, and hope that one of those teams \nthat is going to win is going to be a U.S.-based team. I think \nwe can't really put all our eggs either in the hope that \nSilicon Valley is going to solve this problem for us, or that a \nGovernment research team singly funded and focused is going to \nbeat the Chinese, who I view as the major adversary in this \nspace.\n    Mr. Katko. Thank you all. I wish I had more time to ask you \na ton of questions, but I have to--I am out of time. I yield \nback.\n    Mr. Richmond. The gentleman yields back. The Chairman of \nthe full committee, Mr. Thompson, is recognized for 5 minutes.\n    Mr. Thompson. Thank you very much, Mr. Richmond. As I heard \nthe witnesses' testimony today, I became very suspect of \nsomething I can't do without. But the challenge for this \ncommittee and Members of Congress is how do we not overreact to \na problem, so that Government, all of a sudden, is stifling \ninnovation and a lot of other things with regulation.\n    So--and one of the reasons hearings like this are held is \nto try to get the benefit of the talent that is out here, \nespecially in the private sector. 
Some of us believe that there \nis a role for Government, but it is to encourage the \ndevelopment of the technologies and things that we need, while \nunderstanding that it is really the private sector and its \ntalents that ultimately will get us to where we need to be.\n    So--but a couple of things I heard. One is right now we are \nkind-of reacting to the problem, rather than getting ahead of \nit. Can you suggest a way forward for us to wait until the next \nattack occurs, in anticipation of whatever that is, that we \ncould do, as Members of Congress, to get us to that point?\n    Mr. Durbin, if you can, get us started with some idea.\n    Mr. Durbin. It is tempting to react to the buzz word, what \npeople are talking about in the press, like the deepfakes. I \nencourage that we also have to keep our eye on the threats that \nhave been plaguing us for a long time.\n    Email, for example, still tends to be the No. 1 threat \nvector out there that attackers use to do their malicious \nthings. As soon as a bad guy figures out a way to utilize \nemail, then companies like ourselves, we counter it. Then they \ncome up with a new clever way. So we can always be prepared for \nwhat is coming by focusing on what is tried and true, and what \nwe know that the adversaries aren't going to back away from.\n    Ransomware. Today I talked about targeted ransomware. This \nis the first time since we have been tracking it where the \nshift has moved to the enterprise versus the individual. Why \nare they doing that? They are doing that because, when you \ntarget somebody and you really understand their network, you \ncan get in there, get in there deep, compromise as many assets \nas possible, launch it at the same time, and it puts pressure \non that company: ``We better pay the ransom, because we are \ntied up.''\n    So solving ransomware will help you to solve the next \niteration, the next usage of it, and it is a way to kind-of \nstay ahead of the curve.\n    Mr. 
Thompson. Mr. Knake.\n    Mr. Knake. Thank you, Mr. Chairman. I would focus on 3 \nbrief ideas.\n    No. 1, I think we need to have a much higher degree of \ndisclosure of cyber incidents. We really don't have a clear \npicture of how badly we are owned by Chinese or Russian or \nother adversaries. Companies tend to try and avoid disclosing \npublicly what has happened. So, on the one hand, we have the \nnumber that General Alexander has put out, which I believe to \nbe accurate, of possibly as high as $400 billion in loss from \neconomic espionage by the Chinese, but we have very few cases \nwhere we actually know of public incidents where that loss has \nhappened. That puts investors at a disadvantage, it puts \nstakeholders at a disadvantage, and it keeps markets from \ninflicting pain on companies that don't have good security.\n    With that, I would highly recommend the idea of creating \none or more National Transportation Safety Board-like \nmechanisms to dig in and understand why these incidents happen \nonce they are disclosed, so those lessons learned can get \npushed out to the broader ecosystem.\n    Finally, I think this is all about creating collaboration, \ndefensive collaboration with Government and with the private \nsector. Today we don't have the system that we need to be able \nto do that to trust the end-users and to trust the systems over \nwhich information is shared. So that is why I have advocated \nfor extending Classified connectivity out to critical \ninfrastructure companies beyond the defense industrial base. I \nthink that is essential.\n    Mr. Thompson. Thank you.\n    Ms. Howe.\n    Ms. Howe. Chairman Thompson, you are exactly right that the \nattack surface is ever-shifting, the landscape moves on us, and \nthe most important thing we can do is put in place a \ncollaborative process that can be as agile as the threat \nlandscape and as our adversaries are.\n    We have had great examples of this. 
The Russia Small Group, \nwhich was--had a very specific goal of protecting the 2018 \nmidterm elections, did their job. They did it. It was Cyber \nCommand, NSA, FBI, DHS, working together with private sector. \nThe Enduring Security framework was another example of this \ncollaboration working.\n    If we could systematize that kind of collaboration so that, \nno matter how our adversary adapts, no matter how our \ntechnology evolves, we can be as agile as they are--I don't \nthink we can predict with precision how these attacks will take \nplace in the future, but if we organize the right way, we can \nmake a difference.\n    The other thing I would put out there is today we want to \nhave resilience and protect ourselves. The boldest thing we can \ndo is to decide to defeat the adversary in cyber space, and to \norganize to actually defeat the adversary. That is something we \nare absolutely capable of doing. It takes a lot of resolve to \ndo. But again, working society, Government, hand-in-hand with \ntrust between the two, we can accomplish that.\n    Mr. Thompson. Dr. Buchanan.\n    Mr. Buchanan. Just in terms of concrete ideas, I think we \nneed to do a lot more study of the cybersecurity \nvulnerabilities of emerging systems, ideally, before we employ \nthem. This is something we, in many cases, did not do with old \ncyber systems. The good news, I think, is that the Government \ndoes have some capacity to do this that we could use as a \nfoundation. I am thinking in particular of NIST, National \nInstitute of Standards and Technology, which has a very small \neffort, but a promising one, to study weaknesses in artificial \nintelligence systems.\n    It seems to me that would be something that is ripe for \nexpansion, where we could study the problems that many in the \nprivate sector, because of market interests, are not studying, \nbut that will be quite impactful for broader society if they \nwere to be targeted by adversaries.\n    Mr. Thompson. 
Thank you very much. I ask the Chair--I have \nsome follow-up questions we will submit to the witnesses in \nwriting along this line. But I thank you very much.\n    Mr. Richmond. The gentleman yields back. The gentleman from \nNorth Carolina, Mr. Walker, is recognized for 5 minutes.\n    Mr. Walker. Thank you, Mr. Chairman.\n    Dr. Buchanan, I would like to stay with you, if I could, \nplease. In August, President Trump announced a rule restricting \nGovernment agencies from doing business with the Chinese \ntelecommunications company Huawei due to National security \nthreats. What was our exposure to Huawei when the decision was \nreached?\n    Mr. Buchanan. Congressman, I don't know that I am in a \nposition to judge U.S. Government's exposure to Huawei.\n    I would imagine that what would concern me most would be \nexposure in Classified networks, and I am in no position to \nhave visibility into that.\n    Mr. Walker. So you don't necessarily have anything that is \nconfirmed, but you do have some concerns. Is that fair to say, \nwithout having to get into detail?\n    Mr. Buchanan. Sure. I think it is fair to say that \ntelecommunications systems provide enormous access to the \ninformation and broader networks of which they are a part. In \ngeneral, I worry about that as a significant threat, and----\n    Mr. Walker. Yes. Not everybody on the panel--technology \nstill is an issue for, I am realizing, but that is a different \nstory.\n    [Laughter.]\n    Mr. Walker. What has changed in the agency's contract \nacquisition since the ban, such as the type of contract signed, \nor how contractors are chosen?\n    Mr. Buchanan. Again, I am not sure I have visibility into \nthe contracting processes.\n    Mr. Walker. OK, all right. So maybe my final question for \nyou, then, may be the same thing. 
Are there alternatives to the \ncovered ban telecom companies such as Huawei routers and other \ncompanies' data networks, or have agencies been struggling to \nfill their tasks because of the ban? Can you address that?\n    Mr. Buchanan. Yes. Speaking generally, there is--there are \nother players in the telecommunications market. I think it is a \nsmaller market than we would like. Huawei has a price \nadvantage, why they are attractive, but they are not the only \nsupplier in the world.\n    Mr. Walker. OK. Do you see that changing in the foreseeable \nfuture, as far as these smaller companies having a little bit \nmore access, or a little bit more stronger foothold?\n    Mr. Buchanan. I think it is fair to say that I worry \ngenerally about competition in this space, because there are \nnot that many players.\n    Mr. Walker. OK.\n    Mr. Buchanan. Yes. So, in general, I think there is reason \nwhy we would want more competition than we have right now, and \nparticularly we might want more U.S. companies involved than is \ncurrently the case.\n    Mr. Walker. Thanks. I appreciate you going there.\n    Mr.--I believe it is Knake, is that correct? In your \ntestimony you mentioned that in a race--and this struck me a \nlittle bit--in a race between Silicon Valley and China, I \nbelieve you said Silicon Valley would lose in respect to these \nemerging technologies. Is that correct? I am going to come back \nwith a question. I just want to make sure I heard that correct. \nRight? Is that fair?\n    Mr. Knake. Yes, I think it is fair.\n    Mr. Walker. All right. There is no question that Huawei, in \ncircumventing--is circumventing the U.S. export ban and \nexperiencing success in becoming self-sufficient.\n    So my question is this. If China becomes totally self-\nreliant in these technologies, such as the production of their \nown advanced chips, what impact do you think that is going to \nhave on the U.S. economy 5, 10, 50 years down the road?\n    Mr. Knake. 
So I am in a minority within the international \nrelations community on this topic. But what I think is going to \nhappen is we are largely going to see a split of the internet \ninto 1, 2, or 3 parts, and with it a split of the underlying \ntechnologies, so that we are unlikely to see a situation \nbarring massive political change in China, in which U.S. \ncompanies are able to compete there for that market.\n    Therefore, I don't think we are going to continue to allow \nChina to compete in our market. So I think we are going to have \nvery different technology development and very different paths.\n    Mr. Walker. Well, you just--you answered the second \nquestion, as far as, if there have--if they have the largest \nR&D funding in the sector, how would we expect companies in the \nUnited States to compete with the Chinese government-backed \ncompany from dominating the telecom market? You just answered \nthat. It looks like it is going to be two independent sectors \nhere.\n    Mr. Knake. Yes, sir. I would say that I think that there is \na--it is almost a dirty word within policy communities in \nWashington, but it is time that we re-look at the concept of \nindustrial policy.\n    How are we going to assure that 6G, however we decide to \ndefine that, is something that the United States can compete \nin, and isn't going to fall behind these other actors?\n    Choices were made by leading telecommunications firms in \nthe United States not to compete in this space. That clearly \nwas not in our National security interest. So we have got to \nfind ways to make sure they choose to compete in the next \ngeneration.\n    Mr. Walker. A lot of my questions, a lot of the focus in \nthe media and National security is on Huawei, but there are \nother companies that should cause major concern, as well, for \nthe U.S. National security. Do you agree with that?\n    Mr. Knake. Absolutely.\n    Mr. Walker. 
Especially in the emerging technologies.\n    In my closing few seconds, what should be done, in your \nopinion, to prevent these companies from posing a security \nrisk, specifically, obviously, in our country?\n    Mr. Knake. So I think one of the things that we need to \nlook at, which is, again, a very unpopular opinion, is can we \nmaintain global supply chains, or do we need to have trusted \nsupply chains by trusting companies that are either \nmanufactured in the United States or by our allies?\n    Can we trust chips and devices and components that are \nmanufactured abroad for critical systems?\n    Mr. Walker. Thank you for your testimony. I yield back, Mr. \nChairman.\n    Mr. Richmond. The gentleman from North Carolina yields \nback. The gentleman from Rhode Island, Mr. Langevin, is \nrecognized for 5 minutes.\n    Mr. Langevin. Thank you.\n    [Pause.]\n    Mr. Langevin. Is that better? OK. Here we go.\n    I just want to thank our panel of witnesses for your \ntestimony today, and your contributions to raising our National \nsecurity awareness, and providing steps forward to how we \nbetter protect the country in cyber.\n    Mr. Knake, I would--first of all, I am not going to get \ninto this question, but on the issue of--be able to discuss \nindustrial policy, I couldn't agree with you more. We need to \nmake sure that we can do that, and take the politics out of it, \nand really focus on the issue at hand. So I agree on that \npoint.\n    So this is a question, and it actually--one other point I \nwant to make is how I completely would agree with you on what \nyou talked about in terms of critical thinking. 
You know, this \nissue of our adversaries using our values and our commitment of \nfree speech and using these social media platforms as weapons \nagainst us and undermining our democracy is something that I \nhave worried about for a long time.\n    Being able to think critically when you talk about media \nand issues that are raised, if the public can't do that, we are \nalready losing. We need to build that resilience into our \ndemocracy, and that starts with our kids, and teaching civics \nin class, and also doing things like critical thinking.\n    But this question is for all witnesses, and I would like to \nstart with Mr. Knake. In your collective testimony you all \nfocused on--significant attention on new tactics and techniques \nto achieve malign cyber goals. You do not, though, to a large \nextent focus on threat actors.\n    So do you believe that the cyber threat actor environment \nis likely to remain largely static in the coming years, with \nmajor challenges coming from China, Russia, North Korea, and \nIran, and lesser problems from organized crime and other non-\nstate actors? Or are we likely to see major shifts?\n    Mr. Knake. Thank you, Congressman. I would say that, from a \nnation-state perspective, the threats are largely determined by \nthe geopolitics and the ability for any nation-state to rapidly \nacquire offensive cyber capability. It means that any of our \nadversaries are likely to confront us in cyber space if they \ndeem it in their interests.\n    You touched on organized crime. I think we are at the point \nwhere organized crime in cyber space really represents a \ndanger, and a National security danger, a National security \nthreat. The capabilities are only growing. Their interests in \ngenerating financial revenue are moving them out of purely the \ncyber realm and into the physical realm. So we have hybrid \nthreats emerging from these criminal groups. They are operating \nout of safe havens. 
I think that they are, like the drug \ncartels in the 1990's, ever much a National security threat as \ncertain nation-states.\n    Mr. Langevin. How about in terms of mitigating our risk? \nHow much would you focus on responding to threat actors vice \n(sic) technological steps that we can take to protect ourselves \nfrom emerging threats?\n    Mr. Knake. What I have advocated is that there is a limited \namount we can do to threat actors.\n    I certainly agree with Ms. Howe that we want to engage them \neverywhere we can and in every way that we can. But really, our \nNational strategy needs to be about building resilience. We \nneed to be able to have most attacks bounce off of our \ninfrastructure, and we need to be able to bounce back rapidly, \nshould those protections fail. That kind of strategy, I think, \nis really in our National interest. That is where we want to \nfocus on incentives and aligning technology around those \nincentives.\n    Mr. Langevin. Thank you, Mr. Durbin, in your written \ntestimony you make reference to something that we have been \nfocusing a great deal on right now, and that is risk posed to \never-expanding supply chains, and the various accesses that \nthey provide to networks. Can you expound upon the growth that \nyou have seen in this type of threat?\n    To our other witnesses, do you believe that intrusions \nthrough the supply chain will continue to rise in the future?\n    Given that malicious actors often use software update \nmechanisms when attacking through supply chain, are you \nconcerned that an uptick in supply chain attacks could actually \nundermine faith in this important hygiene measure?\n    Mr. Durbin. 
So the supply chain is attractive because, if \nyour main target has a sufficient enough cybersecurity budget, \nand has taken the--done the due diligence to protect \nthemselves, instead of spending your resources trying to \npenetrate them, let's go down the supply chain and look for \nsomeone who is less diligent, attack there, and try to feed the \nattack back upstream into the main target. So that is always \ngoing to be an attractive vector that we are going to have to \nstay diligent with.\n    I think the--using the supply chain and compromising \nsoftware download sites and software patching sites is also \ngoing to be very attractive, because you are able to reach a \nlarge number of people, and you are doing it in a way where the \nvictim thinks that they are interacting with a trusted site. So \nyou are not going to be as cognizant, or you are not could be \nas concerned or suspicious. So it can be a very powerful threat \nvector.\n    Mr. Langevin. Thank you. I know my time has expired. Thank \nyou, Mr. Chairman. I yield back.\n    Mr. Richmond. The gentleman from Rhode Island yields back. \nThe gentleman, Mr. Taylor, is recognized for 5 minutes.\n    Mr. Taylor. Thank you, Mr. Chairman. I appreciate this \nhearing.\n    In 2017 I carried the cybersecurity package for the State \nof Texas, for the Texas legislature. In that package the \nattorney general of Texas asked for a limited defense of \nprosecution in the event that he wanted to take down a human \ntrafficking website. So he would take down a human trafficking \ngang. The website with the victims' pictures would still be \nleft on the internet. He wanted the ability to conduct a \ndenial-of-service attack against that site to take it down and \nto eliminate that site on the internet.\n    So that takes me to my question, my line of questioning, \nwhich is around offensive operations against cyber predators. 
\nRight?\n    So we have got people out there that are conducting cyber \nattacks in the United States, whether it is denial-of-service, \nwhether it is ransomware, et cetera. This is thorny legal \nground.\n    But I was just wondering, since we have some really smart \npeople in the room, what are your thoughts on conducting \noffensive operations against those that are actually conducting \nattacks on us when--retaliating, in effect, doing a ransomware \nattack on people that are doing ransomware attacks on us? I \nwill let you go in order.\n    Mr. Durbin, do you want to----\n    Mr. Durbin. So there are a few issues.\n    First is attribution. The attacker can hide who they really \nare. So it may appear as that they are coming from a hospital \noverseas, and then you are going to go attack this hospital \nthat was innocent. If you do identify the correct attacker, and \nyou attack them, you risk escalation, because they may come \nback at us again.\n    But I think one thing that we often overlook, traditional \nwarfare, if you throw a hand grenade at somebody, it blows up. \nThey can't pick it up and throw it back at you. If we launch an \nattack, we are basically giving them that software that they \ncan re-engineer and use against us, or use against others.\n    I think there is a way to use a deterrence, maybe the \nthreat of it, or to demonstrate what we could do. But I think \nhack attacks, or attack-backs are delicate.\n    Mr. Taylor. Mr. Knake.\n    Mr. Knake. Thank you, Congressman. I would say that I am \nall in favor of Cyber Command taking a more active role in \ndefense of private industry and State and local government. 
I \nthink that the idea of other entities than Cyber Command \ncarrying out that offensive operation is scary and could put us \ninto situations that we don't want to be in.\n    But I do think, if we had the kind of capability where, for \ninstance, a critical infrastructure company that was involved \nin a threat from an overseas actor was able to communicate that \nin real time with high assurance, with trust among the parties \nover a Classified network, that then Cyber Command could \nessentially be tipped off to that activity and target to shut \nit down.\n    So we really just need tighter collaboration, rather than \nkind-of a go-it-alone approach by private companies. I think \nthat is possible.\n    Mr. Taylor. While I have got you, just one quick thing. You \nsaid you want to see greater clarity in cyber attacks. The \nproblem that we have grappled with on this subcommittee is \nthat, if we tell people where the attacks are, or what the \neffect--we are basically saying, hey, there is a vulnerability \nhere.\n    So, I mean, I appreciate the desire for transparency. I am \nfor that. But then--but in this particular instance, if I give \nyou transparency, I am basically telling you where you can \nattack me.\n    Do you want to just quickly respond on that, and I will go \nback to the offensive question here with Ms. Howe?\n    Mr. Knake. Yes, I think there is two pieces to it. I think, \nNo. 1, the adversary has already exploited the vulnerability if \nthey have created the incident. So, from that point of view, \nyou are not going to be sharing information, assuming that you \nhave patched that specific vulnerability and built protections \naround that specific threat. So I think that that can be \naddressed.\n    I also think that, if we can build the kind of \ncollaborative defense that we have been talking about, and the \ntrust between partners, you don't necessarily need to share \nthat information publicly or with the world. 
That disclosure \ncould be made with partner, private-sector companies, and \nagencies.\n    Mr. Taylor. Ms. Howe, going back to the offensive \nquestion----\n    Ms. Howe. I often tell my children I have escalation \ndominance so they should never take me on.\n    [Laughter.]\n    Ms. Howe. I think, when it comes to offensive cyber \noperations, you have to make sure you have escalation \ndominance, which means it is only the purview of the U.S. \nGovernment to conduct offensive cyber activity.\n    I agree with Mr. Knake, that we have seen Cyber Command do \nthat effectively. We need to have a very consistent policy of \nengagement if we are going to engage in offensive cyber. If we \ndo, it essentially becomes part of the cyber deterrence policy.\n    When it comes to attribution, I would say our Government is \nthe best in the world at attribution. We haven't gotten it \nwrong. In fact, even last week, the NSA put out an advisory \nshowing that the Russians were using Iranian tools and \ninfrastructure, and hiding as Iranians when they were \nconducting their attacks.\n    So this is one place where the U.S. Government is \nfantastic, knows what it is doing, and we have got the \ncapabilities to launch offensive cyber the right way.\n    We have to have the policies, and we need to be able to \ncommunicate them. I do not think this is something the private \nsector should do.\n    Mr. Taylor. All right. I see my time has expired. Thank \nyou, Mr. Chairman. I yield back.\n    Mr. Richmond. The gentleman from Texas has yielded. I now \nrecognize the gentlewoman from Illinois, Ms. Underwood.\n    Ms. Underwood. Thank you, Chairman Richmond. 
Last week \nMembers of this committee traveled to my district, the Illinois \n14th district, to hold a hearing examining what steps the State \nof Illinois has taken, in coordination with the Federal \nGovernment, to prepare for the 2020 election.\n    In Illinois foreign adversaries were able to exploit a \nvulnerability in our State's voter database to access the \nrecords of 76,000 Illinoisans. Since then Illinois has used \nFederal and State dollars to increase its cybersecurity posture \nby executing the Cyber Navigator Program. This model continues \nto be a valuable tool for election officials around the State \nwho now have access to a sure internet system, and highly-\ntrained cybersecurity personnel.\n    We know that social media is an important source of \ninformation in communities like mine. A majority of Americans \ncheck social media at least once daily. So, Mr. Durbin, what \nadvice can you offer to social media users about how to \nrecognize the difference between a post from our neighbor and a \npost from a bot campaign?\n    Mr. Durbin. That is a challenging ask. The people that are \ncoming up with these posts, that are trying to deceive you, \nthey are very good at them.\n    So I think the platforms themselves are going to have to be \ninvolved in looking at the metadata of where these posts are \ncoming from to help identify is this really a person, or is \nthis a bot. But if it is not from somebody that you--you don't \nknow, or that you are just hearing from, and it is on something \nthat is topical, that could be--or topical to the election, \nthat would be a flag for me.\n    Ms. Underwood. What we often see is that, you know, people \nare in groups, and that they don't--they are not friends with \nthe people in the group. So it just pops up on their feed.\n    So if I am a mom in the 14th, what should I be looking for? \nRight? Because I don't have access to that metadata.\n    Mr. Durbin. 
Again, I think if it is from someone that you \ndon't know, and it seems awfully topical, it is a pretty good \ncoincidence that around this election we are--which is--this is \na hot topic for us--I am getting some--a social post from \nsomebody I don't know, that would be, certainly, a red flag for \nme.\n    Ms. Underwood. OK. But if they--``they,'' being the social \nmedia users--want to report a potential bot campaign, do social \nmedia companies currently have a timely and effective way for \npeople to do that?\n    Mr. Durbin. I don't know for sure what processes the social \nmedia companies have in place.\n    Ms. Underwood. Anybody else can--can anybody else answer \nthat?\n    Mr. Durbin. I will speak from personal experience. The only \nway I was able to report a fake LinkedIn profile that had \nconnected with me was to tweet at LinkedIn. That was the only \nway they responded. They did not respond to the abuse report I \nfiled.\n    Ms. Underwood. Interesting.\n    Following the 2016 election, Symantec conducted extensive \nresearch on the use of Twitter bot campaigns to promote \ndisinformation leading up to and during the 2016 election. Mr. \nDurbin, can you share any lessons or key findings from that \nresearch as we prepare for the 2020 election?\n    Mr. Durbin. It was very well-planned. There is this \nimpression that it was a bunch of trolls out there that were \nbehind this. We found that not to be the case.\n    They took their time in planning. They set accounts up \nmonths before they started using them. They were set up so \nthat--it was kind of a main group that was responsible for the \nkey content. Then there was a much larger group of the bots \nthat were designed to get that fake messaging out. It was very \neffective with this kind of generate and amplify.\n    The response to one of the accounts, which was in my \ntestimony, only 10,000 tweets, but was retweeted over 6 million \ntimes. 
That is a clear indicator that those 6 million were \nnot bots. Those were actual people that were choosing to read a \nmessage that was generated from a fake account----\n    Ms. Underwood. Right.\n    Mr. Durbin [continuing]. Believe it, and then re-tweet it \nout to other people.\n    Ms. Underwood. Right. For years now, social media companies \nhave been on record saying that they are working to combat the \nuse of their platforms to spread disinformation, specifically \nduring election times. But new reports emerge every day. Just \nyesterday we heard about 4 new disinformation campaigns backed \nby foreign states on Facebook.\n    Do you believe that these companies are prepared today for \nthe 2020 elections, Mr. Durbin?\n    Mr. Durbin. They claim that they are. I believe that they \nhave the tools and the resources inside that they--they could \ntake action. Whether or not they are, I am not an expert, I am \nnot inside those organizations.\n    Ms. Underwood. OK. Thank you.\n    We have done a lot to secure our elections, but there is a \nlot of work that needs to be done to secure our Nation's \nelection infrastructure. As technology continues to advance, so \nmust our resources and policies to combat foreign adversaries \nwho would seek to exploit new technologies to do us harm. \nMoving forward, this is going to take a whole-of-Government \napproach to preserve the integrity of our democratic \ninstitutions.\n    I look forward to working with all my colleagues on this \ncommittee and the House to address election security from all \nangles. I yield back.\n    Mr. Richmond. 
The gentlelady from Illinois yields back.\n    I want to thank the witnesses for their valuable testimony, \nand the Members for their questions.\n    The Members of the committee may have additional questions \nfor the witnesses, and we ask that you respond expeditiously in \nwriting to those questions.\n    Without objection, the committee record shall be kept open \nfor 10 days.\n    Hearing no further business, the committee stands \nadjourned.\n    [Whereupon, at 3:28 p.m., the subcommittee was adjourned.]\n</pre></body></html>\n"