b"<html>\n<title> - AI AND THE EVOLUTION OF CLOUD COMPUTING: EVALUATING HOW FINANCIAL DATA IS STORED, PROTECTED, AND MAINTAINED BY CLOUD PROVIDERS</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                     AI AND THE EVOLUTION OF CLOUD\n                       COMPUTING: EVALUATING HOW\n                       FINANCIAL DATA IS STORED,\n                       PROTECTED, AND MAINTAINED\n                           BY CLOUD PROVIDERS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                 TASK FORCE ON ARTIFICIAL INTELLIGENCE\n\n                                 OF THE\n\n                    COMMITTEE ON FINANCIAL SERVICES\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 18, 2019\n\n                               __________\n\n       Printed for the use of the Committee on Financial Services\n\n                           Serial No. 116-60\n\n\n                              __________\n\n\n                    U.S. GOVERNMENT PUBLISHING OFFICE\n42-363 PDF                  WASHINGTON : 2020\n\n--------------------------------------------------------------------------------------\n\n                 HOUSE COMMITTEE ON FINANCIAL SERVICES\n\n                 MAXINE WATERS, California, Chairwoman\n\nCAROLYN B. MALONEY, New York         PATRICK McHENRY, North Carolina, \nNYDIA M. VELAZQUEZ, New York             Ranking Member\nBRAD SHERMAN, California             ANN WAGNER, Missouri\nGREGORY W. 
MEEKS, New York           PETER T. KING, New York\nWM. LACY CLAY, Missouri              FRANK D. LUCAS, Oklahoma\nDAVID SCOTT, Georgia                 BILL POSEY, Florida\nAL GREEN, Texas                      BLAINE LUETKEMEYER, Missouri\nEMANUEL CLEAVER, Missouri            BILL HUIZENGA, Michigan\nED PERLMUTTER, Colorado              STEVE STIVERS, Ohio\nJIM A. HIMES, Connecticut            ANDY BARR, Kentucky\nBILL FOSTER, Illinois                SCOTT TIPTON, Colorado\nJOYCE BEATTY, Ohio                   ROGER WILLIAMS, Texas\nDENNY HECK, Washington               FRENCH HILL, Arkansas\nJUAN VARGAS, California              TOM EMMER, Minnesota\nJOSH GOTTHEIMER, New Jersey          LEE M. ZELDIN, New York\nVICENTE GONZALEZ, Texas              BARRY LOUDERMILK, Georgia\nAL LAWSON, Florida                   ALEXANDER X. MOONEY, West Virginia\nMICHAEL SAN NICOLAS, Guam            WARREN DAVIDSON, Ohio\nRASHIDA TLAIB, Michigan              TED BUDD, North Carolina\nKATIE PORTER, California             DAVID KUSTOFF, Tennessee\nCINDY AXNE, Iowa                     TREY HOLLINGSWORTH, Indiana\nSEAN CASTEN, Illinois                ANTHONY GONZALEZ, Ohio\nAYANNA PRESSLEY, Massachusetts       JOHN ROSE, Tennessee\nBEN McADAMS, Utah                    BRYAN STEIL, Wisconsin\nALEXANDRIA OCASIO-CORTEZ, New York   LANCE GOODEN, Texas\nJENNIFER WEXTON, Virginia            DENVER RIGGLEMAN, Virginia\nSTEPHEN F. 
LYNCH, Massachusetts      WILLIAM TIMMONS, South Carolina\nTULSI GABBARD, Hawaii\nALMA ADAMS, North Carolina\nMADELEINE DEAN, Pennsylvania\nJESUS ``CHUY'' GARCIA, Illinois\nSYLVIA GARCIA, Texas\nDEAN PHILLIPS, Minnesota\n\n                   Charla Ouertatani, Staff Director\n                   \n                   \n                 TASK FORCE ON ARTIFICIAL INTELLIGENCE\n\n                    BILL FOSTER, Illinois, Chairman\n\nEMANUEL CLEAVER, Missouri            FRENCH HILL, Arkansas, Ranking \nKATIE PORTER, California                 Member\nSEAN CASTEN, Illinois                BARRY LOUDERMILK, Georgia,\nALMA ADAMS, North Carolina           TED BUDD, North Carolina\nSYLVIA GARCIA, Texas                 ANTHONY GONZALEZ, Ohio\nDEAN PHILLIPS, Minnesota             DENVER RIGGLEMAN, Virginia\n                                     TREY HOLLINGSWORTH, Indiana\n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on:\n    October 18, 2019.............................................     1\nAppendix:\n    October 18, 2019.............................................    23\n\n                               WITNESSES\n                        Friday, October 18, 2019\n\nBenda, Paul, Senior Vice President, Risk and Cybersecurity \n  Policy, American Bankers Association...........................    11\nBrandt, Jordan, CEO and Cofounder, Inpher, Inc...................     9\nBroussard, Meredith, Associate Professor, NYU, and Affiliate \n  Faculty Member, NYU Center for Data Science....................     4\nGrobman, Steve, Senior Vice President and Chief Technology \n  Officer, McAfee................................................     7\nSeiffert, Alla, Director, Cloud Policy and Counsel, Internet \n  Association.................................................... 
    6\n\n                                APPENDIX\n\nPrepared statements:\n    Benda, Paul..................................................    24\n    Brandt, Jordan...............................................    36\n    Broussard, Meredith..........................................    39\n    Grobman, Steve...............................................    51\n    Seiffert, Alla...............................................    58\n\n              Additional Material Submitted for the Record\n\nFoster, Hon. Bill:\n    Written responses to questions submitted to Alla Seiffert....    65\n\n \n                     AI AND THE EVOLUTION OF CLOUD\n                       COMPUTING: EVALUATING HOW\n                       FINANCIAL DATA IS STORED,\n                       PROTECTED, AND MAINTAINED\n                           BY CLOUD PROVIDERS\n\n                              ----------                              \n\n\n                        Friday, October 18, 2019\n\n             U.S. House of Representatives,\n             Task Force on Artificial Intelligence,\n                           Committee on Financial Services,\n                                                   Washington, D.C.\n    The task force met, pursuant to notice, at 9:33 a.m., in \nroom 2128, Rayburn House Office Building, Hon. Bill Foster \n[chairman of the task force] presiding.\n    Members present: Representatives Foster, Cleaver, Porter, \nCasten, Garcia of Texas; Budd, Gonzalez of Ohio, Riggleman, and \nHollingsworth.\n    Chairman Foster. The Task Force on Artificial Intelligence \nwill now come to order. Without objection, the Chair is \nauthorized to declare a recess of the task force at any time. 
\nAlso, without objection, members of the full Financial Services \nCommittee who are not members of the task force are allowed to \nparticipate in today's hearing, consistent with the committee's \npractice.\n    Today's hearing is entitled, ``AI and the Evolution of \nCloud Computing: Evaluating How Financial Data is Stored, \nProtected, and Maintained by Cloud Providers.''\n    The Chair now recognizes himself for 5 minutes for an \nopening statement.\n    First off, thanks, everyone, for joining us today on what \nshould be a very interesting hearing of the task force. Today, \nwe are looking to explore the rise of cloud computing in the \nfinancial services sector, including the opportunities and \nrisks of companies' migration to the cloud, as well as the \nregulatory framework for protecting sensitive financial \ninformation that is stored in the cloud.\n    And I should also mention that it seems possible that we \nare going to have votes called, Floor votes in the House called \npart way through the hearing, and in that case, we will have a \ngame-time decision about which Members might be interested in \nreconvening. And if not, we can just convene for a private \ndiscussion among the Members, if that turns out to be what is \nfeasible.\n    The transition to cloud computing is something that is a \ndouble-edged sword. I have faced that personally where, several \nyears ago when I couldn't stand it anymore, what was happening \nin politics, and I went and downloaded TensorFlow to my laptop \nand worked through the various--this is Google's open-source AI \nengine. And so the tradeoffs there were pretty obvious to me, \nthat the data set I wanted to be working on fit on my laptop, \nbut it just wasn't reasonable. The problems of having to \nreconfigure your system for the latest version of Python, \neverything like that, so that the advantages of going to a \ncloud-based system just for a small-scale user are enormous. 
\nNot to mention all of the defensive things that you get when \nyou go to a competent cloud provider where the first lines of \ndefense are actually provided by the cloud service.\n    But then, when you talk about the policy implications, we \nare always struggling with data privacy and the basic fact that \nAI works much better with large data sets, and that has huge \npolicy implications with which we are struggling. If we are not \ncareful, it is going to encourage the consolidation that is \nalready a natural feature of any digital enterprise, which is \nessentially a natural monopoly, and this AI has a good chance \nof amplifying this. If you don't have access to the large data \nsets, it is hard for a startup to compete. And if they do have \naccess, then there are huge potential--a privacy breach, for \nexample, can cause economic damage massively in excess of the \nmarket capitalization of some little startup. And so, we have \nto be very careful that the AI policies that we apply to the \ncloud don't further force consolidation in an already \nconsolidated industry.\n    The second thing is just the way that AI will be a \ncontinuing attack on privacy. Some of the most competent spear-\nphishing attacks now involve multifactor attacks where you are \nusing an AI voice synthesizer in concert with a spear-phishing \nattack to make it very likely that an ordinary person will \nclick on the enclosure. And so we are seeing, I think it was \nwithin the last year, that for the first time, an AI engine \ncompeted on a level playing field with teams of hackers in \nterms of finding software vulnerabilities.\n    We are talking about a future that is now, where both cyber \noffense and cyber defense are going to be best employed by AI. 
\nThese sorts of efforts are out of the scale where a small \nperson holding their own computer can actually hope to compete \nin this world, so you are going to be increasingly dependent on \nlarge cloud vendors and companies that deploy on the cloud for \nthe defensive work that you will have to do. So, that is \nanother huge issue.\n    I don't want to take up a lot of time here. I would like to \nget to the witnesses' testimony as much as possible, and I just \nwant to thank you all for appearing, and I will turn it over to \nthe acting ranking member, Mr. Riggleman.\n    Mr. Riggleman. Thank you, Mr. Chairman, for convening this \nhearing today, and generally, for pulling this task force \ntogether. If I had known a task force on artificial \nintelligence was a possibility, someone like myself might have \nrun for Congress much sooner in life, so it is great to be \nhere.\n    And to our witnesses, I look forward to hearing each of \nyour testimonies, and I appreciate you being here.\n    Cloud services offer many benefits, both to financial \ninstitutions and consumers. And as has been discussed by Ranking \nMember Hill and others, the work this committee is doing \nthrough both the FinTech and AI Task Forces is exploring ways \nto streamline compliance, lower regulatory costs, and also \ndeliver an overall better, more affordable experience for \nAmerican consumers. By utilizing the cloud, companies can do \njust that, help the consumer.\n    Financial institutions are able to innovate and thrive in \nan environment that affords both scalability and flexibility. \nThere are, however, some risks when dealing with anything new, \nincluding technology and operations, which we look forward to \ndiscussing further in today's hearing.\n    In less than a century, computing has revolutionized the \nbanking industry, along with the types and delivery of \nfinancial products and services that can be offered. 
Today, we \nall know that a majority of banking and personal finance is \nhandled either on your phone or on a computer, but it hasn't \nalways been that way.\n    Banks first started using computers in the 1950s, \npredominantly to process checks, and later, electronic funds \ntransfers. Since banks first began to use computers, they have \nrelied on the secure information technology infrastructure run \nby nonbank companies or third-party service providers (TSPs).\n    In the 1980s and 1990s, banks started to use personal \ncomputers for their employees. By the end of the 20th Century, \na greater proportion of workers in finance used computers than \nin any other industry. Then came the internet and everything \nchanged, especially in banking.\n    I say all of this to show that the financial industry has a \nlong history of utilizing computers, and now they are \noutsourcing many of those responsibilities to the cloud, which \nis why I am glad we are having this hearing today. It is of the \nutmost importance to ensure that all of these operations \nsupported by the cloud are safe, secure, and private for its \ncustomers.\n    We have all heard about the Capital One breach that \nhappened this past summer, and that breach was connected to \nAWS, the bank's cloud service provider. Our job in Congress is \nto ensure that financial institutions of all sizes, their \nthird-party service providers, and every other entity involved \nin the chain has legislative or regulatory certainty to do what \nis needed to protect consumers' data.\n    If you look at the Treasury's FinTech report last year on \nnonbanks and FinTechs, you will see a recommendation that \nFederal regulators ease the adoption of new technologies, such \nas cloud computing, with the aim of reducing barriers to the \nmigration of activities to the cloud. 
I agree we need to ensure \ninnovation is not stifled, because innovation is ultimately \nwhat protects consumers while also providing more options and \nmore choices.\n    All that to say, I look forward to constructive dialogue \ntoday. I hope we can find solutions that promote innovation \nwhile also ensuring consumer safety. Today's hearing is the \nstart of what I expect will be a longer conversation involving \nidentity, privacy, and consumer safety. I look forward to \nongoing discussions as our world only becomes more connected.\n    Thank you, and I yield back.\n    Chairman Foster. Thank you.\n    Today, we welcome the testimony of Meredith Broussard, \nassociate professor at NYU, and affiliate faculty member at the \nNYU Center for Data Science; Alla Seiffert, director of cloud \npolicy and counsel at the Internet Association; Steve Grobman, \nsenior vice president and chief technology officer at McAfee; \nDr. Jordan Brandt, CEO and cofounder of Inpher; and Paul Benda, \nsenior vice president for risk and cybersecurity policy at the \nAmerican Bankers Association.\n    Witnesses are reminded that your oral testimony will be \nlimited to 5 minutes, and without objection, your written \nstatements will be made a part of the record.\n    Ms. Broussard, you are now recognized for 5 minutes.\n\nSTATEMENT OF MEREDITH BROUSSARD, ASSOCIATE PROFESSOR, NYU, AND \n     AFFILIATE FACULTY MEMBER, NYU CENTER FOR DATA SCIENCE\n\n    Ms. Broussard. Chairman Foster, Acting Ranking Member \nRiggleman, and members of the task force, thank you very much. \nIt is an honor to be asked to testify today. 
I am a professor \nat NYU, a computer scientist turned journalist, and the author \nof a book called, ``Artificial Unintelligence: How Computers \nMisunderstand the World.''\n    I would like to speak today about the realities of AI and \ncloud computing as a way of thinking through the human-scale \nissues with running bank operations in the cloud.\n    Computer scientists like to say, the cloud is someone \nelse's computer, and we know exactly where those computers are. \nAmazon Web Services controls 48 percent of the cloud computing \nmarket, and it has 4 major data centers, or server farms, in \nthe United States. They are large, usually windowless buildings \nin Northern Virginia, Ohio, Oregon, and northern California.\n    Worldwide, 76 percent of the cloud market is controlled by \na few big firms: Amazon; Google; Microsoft; and Alibaba. Inside \ntheir server farm buildings, these companies maintain thousands \nof physical computers that anyone can rent space on, including \nbanks.\n    The U.S. Government is a cloud client. The AWS GovCloud is \na secure set of servers that host data and programs for DHS, \nTreasury, DOD, cloud.gov, and other agencies. The computers \nthat power the AWS GovCloud are physically located in Amazon's \nbuilding in Virginia and backed up on the West Coast. Running \nbank operations in the cloud means moving bank operations to \none of these buildings, which are vulnerable to a variety of \nphysical or cybersecurity threats.\n    Again, the reality there is market dominance. We should \nask, does it make sense to have all of the defense programs and \nall of the Citibank and Chase and SoftBank data stored in the \nsame Amazon building in Northern Virginia?\n    Let's also think about the people in the banking and cloud \ncomputing ecosystem. It helps to hear from the IT professionals \nwho manage local and cloud computers. 
A 2014 Ponemon Institute \nsurvey asked IT professionals to rate their organization's \neffectiveness in securing data and applications used in the \ncloud. Fifty-one percent rated their organizations as low in \neffectiveness. They said the likelihood of a data breach in the \ncloud has increased. Sixty-nine percent believe that their \norganizations failed to be proactive in assessing information \nthat was too sensitive to be stored in the cloud.\n    If IT professionals have so little faith in their own \norganizations, and we know there is a high demand but low \nsupply of IT professionals who are experts in cybersecurity, it \nseems that more regulation and oversight will help protect bank \noperations in the cloud.\n    I want to talk now about artificial intelligence (AI). \nArtificial intelligence is widely misunderstood. Hollywood \nimages of AI like The Terminator or Commander Data from Star \nTrek are what most people think of when they think of AI. And \nthese Hollywood images are delightful, but they are not real. \nAI is best understood as a branch of computer science, the same \nway that algebra is a branch of mathematics.\n    Inside AI, there are other branches, including: machine \nlearning; expert systems; and natural language processing. \nThese are just a few of them, but machine learning is the most \npopular kind of AI in business right now. And it is so popular \nthat there has been linguistic confusion. When people say, ``I \nam using AI for my business,'' usually what they mean is, ``I \nam using machine learning for my business.''\n    And ``machine learning'' is another misleading name. It \nsounds like the computer has sentience, or learning like a \nhuman being, and it does not. Machine learning is math. It is \ncomputational statistics on steroids.\n    Banks are using machine learning to help make business \ndecisions about things like who qualifies for a mortgage. 
But \none problem is that machine learning models discriminate by \ndefault. Let's say that I have a data set of people who have \ngotten mortgages in the past. The data will be tainted by the \nhistory of red-lining and residential segregation in the United \nStates. If I build a machine-learning model based on this data, \nthe model will discriminate against citizens.\n    We need to audit the AI algorithms and machine-learning \nmodels used by banks and other types of companies for fairness \nand to prevent discrimination. The issue here is not where \nthese AI programs run or whether the data is stored on bank \ncomputers or on Amazon's computers. Instead, we should ask what \nthe AI is used for, plus, how it is used, what kind of AI is \nused, what specific data is used to train a machine-learning \nmodel, and what specific data is used to make decisions after \nthe model is trained.\n    One option is that these kinds of questions could be \nanswered in plain language, and this information could be \ncommunicated as part of the regulatory examination.\n    The final thing I will mention is the cultural conflict \nbetween tech and finance. In the tech world, nobody talks about \nregulatory compliance or teaches it much in schools. The move-\nfast-and-break-things ethos is diametrically opposed to the \nmindset of compliance. It doesn't surprise me that in April \n2019, when Federal examiners visited the AWS site in Virginia, \nthey didn't notice the Capital One data breach. The Amazon--\n    Chairman Foster. Thank you. And at this point, we are on a \ntight time schedule.\n    Ms. Broussard. Okay. Sorry.\n    Chairman Foster. The Members can read your full written \ntestimony.\n    Ms. Broussard. Thank you for the opportunity to contribute, \nand I look forward to answering your questions.\n    [The prepared statement of Ms. Broussard can be found on \npage 39 of the appendix.]\n    Chairman Foster. Thank you.\n    Ms. 
Seiffert, you are now recognized for 5 minutes.\n\nSTATEMENT OF ALLA SEIFFERT, DIRECTOR, CLOUD POLICY AND COUNSEL, \n                      INTERNET ASSOCIATION\n\n    Ms. Seiffert. Chairman Foster, Acting Ranking Member \nRiggleman, and distinguished members of the task force, thank \nyou for the opportunity to appear before you today to discuss \nthe use of the cloud in financial services. My name is Alla \nSeiffert, and I am the director of cloud policy and counsel at \nInternet Association.\n    Internet Association, or IA, represents over 40 of the \nworld's leading internet companies. Our members are global \nleaders in the drive to develop lower-cost, more secure, \nscalable, elastic, efficient, resilient, and innovative cloud \nservices to customers in both the private and public sectors. \nAll of the major U.S.-based hyperscale cloud service providers \nare members of IA.\n    I would like to thank Chairman Foster, the task force \nleadership, and your staff for your continued commitment to \nexploring emerging areas around cloud computing and AI within \nfinancial services. I would like to start with a background on \ncloud computing.\n    NIST defines cloud computing as a model for enabling \nubiquitous, convenient, on-demand network access to a shared \npool of configurable computing resources that can be rapidly \nprovisioned and released with minimal management effort or \nservice provider interaction. Cloud service providers, or CSPs, \nmake available to customers a wide range of services that \nfunction as IT building blocks that customers can use to build \napplications to meet their IT goals and be more secure, \ninnovative, and responsive to their customers. The cloud is \nflexible enough to be used for everything, from storing \nnational security data to managing my PayPal balance.\n    Security is a top priority for CSPs, and they invest a \ntremendous amount to make their services secure. 
By using cloud \nservices, customers such as financial institutions can focus on \ncarrying out their core business functions and benefit from the \nsecurity measures that CSPs have in place. In that way, the \ncloud is kind of like an office building landlord. It will rent \nyou space and make sure you have doors that lock, but it is \nultimately your responsibility to decide whom you let into your \noffice for meetings. Consequently, financial institutions \nremain accountable for managing the risk of their IT \nenvironments, whether they are run in-house, through a third-\nparty-managed service provider, or a CSP.\n    Today, financial institutions use the cloud for a wide \nrange of applications, from storing publicly available data or \nrunning test environments, to creating digital channels, \nstoring sensitive records, or running critical workloads. We \nhave the following three major themes to discuss with the task \nforce today.\n    First, cloud implementation is a shared responsibility \nbetween CSPs and customers. Financial institutions that use \ncloud computing operate in an environment where they manage \ncertain aspects of their IT resources and are responsible for \nconfiguring those resources, but they rely on the CSP to manage \nthe cloud itself. This division of labor means that both the \nCSP and the customer bear responsibility for making sure \nservices are run efficiently and securely. Because each party \nis responsible for securing the resources they control, \nsecurity in the cloud is something we call a shared \nresponsibility. Simply put, CSPs are responsible for security \nof the cloud, while the customer is responsible for security in \nthe cloud. CSPs provide a broad range of information, tools, \nand assistance to help customers with these responsibilities.\n    Second, cloud adoption increases cybersecurity. 
This is \nbecause embracing cloud technology helps banks increase overall \nsecurity by modernizing applications and gaining better \nvisibility into their networks, traffic, and vulnerabilities. \nThe opportunities offered by cloud computing enable enterprises \nto level out their IT security posture and implement best-in-\nclass cybersecurity solutions.\n    Large cloud providers have the resources and expertise to \ninvest in and maintain state-of-the-art and comprehensive IT \nsecurity and deploy it on a global basis across all of their \nplatforms. Financial institutions, particularly small and \nmidsized firms, could find it economically infeasible to \nachieve similar levels of security on their own.\n    Third, the cloud increases the resilience of our nation's \nfinancial institutions. Specifically, it allows firms of all \nsizes to leverage a suite of best-in-class tools for backup, \nsecurity, and continuity of operations. CSPs design their \ninfrastructure to be resilient to outages and incidents, and \ncustomers can take advantage of this infrastructure to \narchitect for enhanced operational resilience. Since CSPs can \nrapidly redistribute data across geographically diverse storage \nregions, cloud environments can enhance firms' strategies for \nbusiness continuity and operational resilience.\n    In conclusion, I would like to reiterate IA's gratitude for \nbeing included in discussions with the Financial Services \nCommittee's Task Force on Artificial Intelligence, and for the \nopportunity to testify today. IA, along with our member \ncompanies, stands ready to support the task force and the \ncommittee in helping financial services companies adopt the \ncloud in a secure way.\n    Thank you, and I look forward to your questions.\n    [The prepared statement of Ms. Seiffert can be found on \npage 58 of the appendix.]\n    Chairman Foster. Beautifully timed. Thank you.\n    Mr. 
Grobman, you are now recognized for 5 minutes.\n\n  STATEMENT OF STEVE GROBMAN, SENIOR VICE PRESIDENT AND CHIEF \n                   TECHNOLOGY OFFICER, MCAFEE\n\n    Mr. Grobman. Good morning, Chairman Foster, Acting Ranking \nMember Riggleman, and members of the task force. Thank you for \nthe opportunity to testify about two important issues for the \nfinancial services sector: the cloud; and artificial \nintelligence. Both have advantages to the industry and raise \nsecurity concerns.\n    Financial services organizations are migrating to the cloud \nto reduce complexity, cut costs, and focus their capabilities \non delivering financial services to their customers. By using \nthe cloud, both large and small institutions benefit from \nadvanced technology that normally is available only to those \nwho can invest significantly in a highly technical workforce. \nCloud providers also generally practice strong cyber hygiene, \nenabling a quick response to vulnerabilities and issues.\n    Yet, there are also security challenges in moving to the \ncloud. As cloud providers service many clients, a breach can \nplace multiple organizations' data at risk. An analogy I like \nto use is that traditional, on-premise computing is like an \nautomobile, and cloud computing is a lot like an airplane. \nWhile an airplane is safer than an automobile, given its more \nadvanced technology, when a failure does occur, the impact can \nbe catastrophic.\n    Today, almost all organizations, including financial \nservices, use multiple cloud providers, a trend that is leaving \norganizations with less visibility to their operations. To \nremediate the situation, organizations need solutions to manage \nvisibility and monitor security between cloud service consumers \nand providers. 
Known as CASB, this function is a critical new \nclass of application that is rapidly being adopted to manage \nand secure diverse cloud environments.\n    Another security issue is the use of unauthorized cloud \napplications by employees, what we call shadow IT. This creates \nrisk for both the technology and the data. Like cloud, we must \nunderstand the capabilities, limitations, and risks of AI. \nFinancial services organizations are using AI and machine \nlearning to enable advanced analytics that allow them to better \nservice and protect customers and better manage overall costs.\n    AI is also the new foundation of cyber defense, enabling us \nto better detect threats and find the so-called needle in a \nhaystack of needles. AI-based automation is helping us \nalleviate the cybersecurity talent shortage, enabling us to \nfree up human security professionals to focus on the most \ncritical aspects of cyber defense.\n    But AI is actually quite fragile. In many industries that \nuse AI, such as meteorology, where an adversary does not exist, \nthe fragility is not an issue. In cybersecurity, adversaries \nare building techniques to confuse AI models and evade \ndetection. To mitigate these risks, McAfee is investing in \nunderstanding the adversarial techniques and researching ways \nto make AI more resilient against attacks.\n    AI can also be used as a tool by the adversaries. Bad \nactors can use AI to identify the most vulnerable victims, \nautomate phishing, and evade detection. AI improves their \nability to execute attacks and enables content creation for use \nin social engineering and information warfare such as deepfake \nvideos.\n    These and many other adversarial uses of AI can and will \noccur, putting our financial services sector, as well as our \ndemocracy and civil society, at increased risk. 
Most major \nfinancial institutions are prepared for major cyber attacks, in \npart due to the regulatory oversight of the Bank Service \nCompany Act, and the Gramm-Leach-Bliley Act. Financial service \norganizations also actively engage in cyber sharing groups in \ncollaboration with DHS, the OCC, and the Federal Reserve.\n    Likewise, overall, the largest third-party cloud providers \nalso have strong cybersecurity records. They have solid plans \nin place to respond to cyber attacks, they are committed to \naligning with the NIST cybersecurity framework, and they are \nactive in public-private partnerships.\n    Cloud providers are less regulated than their counterparts \nin the financial services sector, as many policymakers know \nthat overly prescriptive regulation would stifle innovation in \ntechnology companies and could quickly be outdated as \ntechnology advances. Yet, Federal regulators do have a \nlegitimate interest in seeing that IT and cybersecurity \nservices provided by cloud providers to financial institutions \nare robust.\n    To best secure cloud and AI technology in the financial \nservices sector, we recommend voluntary collaboration and the \nuse of industry-supported standards and best practices, such as \nthe NIST cybersecurity framework. When appropriate, existing \ncybersecurity rules for highly regulated critical \ninfrastructure industries should be updated to reflect the \nrapid speed of innovation.\n    Thank you for the opportunity to discuss these issues, and \nI look forward to answering your questions.\n    [The prepared statement of Mr. Grobman can be found on page \n51 of the appendix.]\n    Chairman Foster. Thank you. Again, beautifully timed.\n    Dr. Brandt, you are now recognized for 5 minutes.\n\n  STATEMENT OF JORDAN BRANDT, CEO AND COFOUNDER, INPHER, INC.\n\n    Mr. Brandt. Thank you, Chairman Foster, Acting Ranking \nMember Riggleman, and members of the task force. 
And, Chairman
Foster, I have to say, it is impressive that you have
experimented with TensorFlow. So, thank you for your efforts.
    Cloud computing and AI are distinct and complementary
technologies that offer tremendous economic and consumer
benefits. The cloud reduces cost and democratizes access to
computational resources which, in turn, powers AI to streamline
business functions and provide new insights that improve
consumer welfare.
    The committee has correctly identified that these benefits
must be harnessed with proper legislative and technological
safeguards for both data security and privacy. Whereas cloud
computing and AI pose distinct risks, a common theme applies to
both: Don't put all of your eggs into one basket. The
consolidation of sensitive personal information into any
individual entity, to be mined by data-hungry AI algorithms,
poses significant economic risks and an existential threat to
the privacy of our citizens. Fortunately, the emergence of
privacy enhancing technologies, or PETs, and specifically
encryption in-use capabilities, can address the concerns of
both cloud data security and privacy in AI.
    As banks move more of their data and information processing
to the cloud, they are effectively consolidating risk into a
select few providers of cloud computing infrastructure. The
magnitude of this risk was underscored by the recent Capital
One hack. The breach could have been prevented by securely
computing across distributed data in a multi-cloud
architecture, in which data is processed without exposing the
underlying personal information. This would have eliminated a
single point of failure.
    To illustrate how this works, it is important to firstly
define the three pillars of encryption, which is the best
mathematical safeguard of data. First, we have encryption in
transit, which secures the transmission between the sender and
the receiver.
Second, encryption at rest, which secures data
storage while it is sitting on a hard disk. And third, we have
encryption in use, such as homomorphic encryption and
multiparty computation, which secures data in memory while it
is being processed.
    In-transit and at-rest encryption are already ubiquitous.
Encryption in-use is rapidly evolving from academic research
into practical applications today, as its computing performance
for large data sets quantifiably improves.
    For example, at Inpher, we have made multiple order-of-
magnitude improvements in the performance of both homomorphic
encryption and multiparty computation without compromising
accuracy. We are currently deploying this technology to solve
real-world privacy and security challenges in banking, defense,
healthcare, and other industries.
    Our platform keeps data private, secure, and resident,
precluding the need to centralize information into a single
repository. This proactive safeguard enables financial
institutions to minimize risk and leverage the full benefits of
AI without a privacy tradeoff. PETs thus internalize the letter
and the spirit of U.S. and international data privacy regimes
which jointly emphasize privacy by design.
    Specifically, in the financial services sector, we are
witnessing the application of PETs in fraud and anti-money-
laundering, credit scoring, trade surveillance, and all forms
of predictive modeling where compliant data sharing is
critical. PETs safely overcome data silos and increase data
utility.
    Regulators and law enforcement also benefit from privacy-
preserving computing, as they are able to run forensics and
surveillance on encrypted data for pattern matching and event
detection without compromising individual privacy or inviting
potential liability. They can find the bad guys without
compromising on its citizens.
To this end, we have briefed many
domestic and international regulators about these capabilities
over the last year, and we are encouraged by their enthusiastic
support.
    To conclude, as a nation, we are in a technology arms race
with countries like China that do not share our views on
individual rights. We must not accept the false dichotomy
between AI and our privacy. We can have both. Privacy-
preserving computing not only champions and achieves this
outcome, but also fosters new innovation and economic expansion
that benefits our government, industry, and every American
citizen.
    We truly appreciate your interest and desire to learn more
about this very complex topic, and we remain at your disposal
for any further questions that you may have.
    [The prepared statement of Dr. Brandt can be found on page
36 of the appendix.]
    Chairman Foster. Thank you.
    And, Mr. Benda, you are now recognized for 5 minutes.

   STATEMENT OF PAUL BENDA, SENIOR VICE PRESIDENT, RISK AND
       CYBERSECURITY POLICY, AMERICAN BANKERS ASSOCIATION

    Mr. Benda. Thank you.
    Good morning, Chairman Foster, Acting Ranking Member
Riggleman, and distinguished members of the task force. I
appreciate the opportunity to come before you today to discuss
how financial data is stored, protected, and maintained by
cloud providers. My name is Paul Benda, and I am a senior vice
president for risk and cybersecurity policy at the American
Bankers Association (ABA).
    Prior to joining the ABA, I served in the government, both
in the Air Force and as a civilian in the Departments of
Defense and Homeland Security, where I focused on research and
development of new technologies to protect against kinetic and
cyber threats.
After I transitioned to the private sector, I
focused on assessing physical and cybersecurity practices of
businesses and recommended improvements to make them more
secure.
    At the ABA, my portfolio is on physical and cybersecurity
policy, helping our members understand emerging threats, new
technologies, and the political and legislative environments
surrounding their use. The ABA believes the flexibility,
scalability, and advanced technologies available in the cloud
make it a valuable tool for financial institutions to consider
using. We appreciate the opportunity to share our thoughts on
how financial data is stored and protected in the cloud, and we
would like to highlight four main points.
    First, banks are responsible for their data. Title V of the
Gramm-Leach-Bliley Act (GLBA) has long-established standards
that require a bank to take meaningful steps designed to ensure
the security and confidentiality of its customers' information.
These requirements are in place regardless of whether that
information is stored on premise, by a third party, or in the
cloud. Regardless of the location, banks are responsible for
ensuring that data is protected.
    Second, the cloud offers benefits, but risks must be
managed. It is clear that there are potential benefits as well
as risks regarding use of the cloud. But the decision on its
use should be left to each individual bank, as each bank is
different and is most capable of performing an overall risk-
benefit calculation for their environment. If done
appropriately, use of the cloud is likely to have no adverse
effect on the overall risk profile of a bank and would most
likely improve their resiliency.
    Third, all parties should collaborate to improve cloud
security and efficiency. Banks inhabit a unique regulatory
space.
No other industry has the level of regulator guidance,
oversight, or examination structure in place to ensure that
financial data is protected. The baseline shared responsibility
model of security used by CSPs attempts to shift all
responsibility for information security to its customers,
although many CSPs do offer to manage certain IT controls on
behalf of their customers, which can blur the lines of
responsibility.
    We believe it would be helpful, especially for financial
data deployments, that a transparent set of unified security
controls be developed, that security control responsibilities
are clearly delineated for each deployment, and that a process
for CSPs to notify customers of potential security
misconfigurations in their cloud deployments be instituted.
This cooperative approach to security would increase overall
security of the data and aid in the management of this critical
data as it resides in the public cloud.
    We would welcome a discussion between banks, cloud service
providers, and regulators that will allow us to work in a
collaborative manner to ensure that the right frameworks,
processes, and programs are in place to allow adoption of these
new technologies, while maintaining the safety and soundness of
the financial institution.
    Fourth, regulatory clarity is important. From a financial
services perspective, the GLBA, the Bank Service Company Act,
and banking agency guidance already provide a robust regulatory
framework to oversee bank utilization of their cloud. But
additional clarity would be helpful on the roles and
responsibilities of regulators with respect to their direct
oversight of cloud service providers.
We believe that the
oversight authorities in the Bank Service Company Act could be
aligned and coordinated with the proposed set of unified
security controls for financial data deployed in the cloud so
that banks could clearly understand those areas where they
could depend on regulators to provide oversight of the cloud
service providers, and where banks must utilize private-sector
methods to ensure that appropriate due diligence is done.
    A clear delineation of roles and responsibilities that is
arrived at in a collaborative manner would improve overall
security as well as efficiency into the oversight process for
banks of all sizes.
    The challenges in the space are complex. We believe that
every stakeholder wants to ensure that security of these
critical systems is maintained, and at the same time,
innovation is not hindered. A collaborative approach that
merges the best of the safety and soundness culture of banks
and regulators with the entrepreneurial spirit of cloud service
providers is likely to achieve a lasting outcome that is
acceptable to all parties.
    Thank you for the opportunity to testify, and I look
forward to your questions.
    [The prepared statement of Mr. Benda can be found on page
24 of the appendix.]
    Chairman Foster. Thank you.
    I will now recognize myself for 5 minutes for questions.
    Our witnesses here seem to have identified four lines of
defense here. The first line of defense that Ms. Seiffert
mentioned was just that cloud service providers have multiple
physical locations. And so, when you are talking about physical
attacks, that is a pretty solid strategy.
    The second one that, I guess, Mr. Grobman mentioned, is the
use of multiple cloud providers.
And I would be interested, I
will be asking questions on whether that is--how realistic a
possibility that is.
    The third one is advanced encryption techniques as a way to
be able to survive even a significant cyber breach.
    And the fourth general thing is just the future of AI as
the main tool that will be used for real-time cyber defense.
    And so starting with the first point, Ms. Seiffert, to what
extent is having multiple physical locations a real protection,
and to what extent could it be illusory, if you have a shared
hardware vulnerability? For example, if you lose your hardware
root of trust, the key used to download software updates, for
example, and if that gets corrupted or lost or the bad guys get
their whole--you could be in a situation where, yes, we have
multiple locations, but because of a shared hardware
vulnerability or a silicon bug that is discovered.
    Can you say a little bit about that, whether that is going
to prove illusory or not?
    Ms. Seiffert. Thank you for your question. That is without
a doubt a possibility, but nevertheless, the multiple
availability zone architecture of cloud computing really does
lead to significant increases in resiliency. There are a number
of ways to configure cloud-native applications with respect to
the failover mechanism. I think your point is incredibly valid,
what if a vulnerability exists upon multiple availability
zones, but it is my understanding that there is a way to
architect applications such that in order to have backup and
redundancy storage, and essentially seamless failover, in the
event of issues in one location.
    Chairman Foster. Let's see.
The question of whether
multiple cloud providers are also a realistic useful defense,
that is something that Congress, for example, could mandate for
too-big-to-fail banks, that they simply maintain a hot spare
provider, in addition to the hot spares that are provided
internal to each cloud service provider. And I was wondering if
anyone, Mr. Grobman or Mr. Benda, might have a comment on that,
where obviously that would impose costs.
    Mr. Grobman. Sure.
    Chairman Foster. And we struggle with this all the time in
this committee, the tradeoff between short-term profitability
and reducing tail risk.
    Mr. Grobman. I think, in general, having diverse
implementations can add some additional levels of security, but
we also need to recognize that a lot of the issues here are not
new. In your last question, you pointed out that a single
technical vulnerability could impact multiple physical
locations. That is true regardless of whether it is a cloud or
a traditional on-premise implementation. I think similarly, if
you look at multiple cloud providers, there are going to be
some issues that are cloud provider-specific and some that
would be at an application level or really not matter whether
or not it had multiple providers. So, I think it is going to
add some help but not be the silver bullet solution.
    Chairman Foster. Yes, like the Meltdown and Spectre bugs,
for example, applied to multiple processor architectures, so
that even having a separate set of processes your cloud is
running on was not necessarily a defense.
    Mr. Grobman. Correct. I do think that particular issue is
illustrative of how effective the large cloud providers are at
remediating vulnerabilities. All of the large cloud providers
patched their hardware with new firmware literally within days,
whereas we have seen private data centers usually take many
weeks, if not months, to get those same patches.
    Chairman Foster. Okay.
Now, in terms of advanced encryption
techniques, Dr. Brandt, you said that you had made big
improvements in the speed, and I guess you probably have
competitors in this. If you look at the overall trajectory of
performance of privacy-preserving computing, is there a way to
estimate the point at which it might be a pretty small overhead
for things like training neural networks and so on?
    Mr. Brandt. Yes. Thank you for the question. Indeed, there
have been drastic improvements over the last several years,
orders-of-magnitude improvements that we have seen in the
performance of encryption in use specifically. Again, keeping
data encrypted while it is being processed, which can also help
protect against these hardware vulnerabilities. If you focus on
the data itself, even if the hardware is compromised, the data
itself would be secure.
    Of course, the tradeoff has been higher computational
overhead to achieve this. With the current trajectory, we are
seeing that large data sets to be used for training neural
networks or training AI models in general is becoming quite
practical. This is especially because that is an offline
process. It doesn't need to be done necessarily in real time.
Even if you are talking about an order of magnitude higher
compute overhead than you would have in plain text, it still
can be--
    Chairman Foster. Okay. Now, unfortunately, I must bring the
gavel down on myself and recognize my colleague, Mr. Riggleman,
for 5 minutes.
    Mr. Riggleman. Thank you, Mr. Chairman. And thank you again
to the witnesses.
    And I first want to thank Ms. Broussard for your definition
on AI and ML. That is an argument I have had in the DOD, I
think, for the past 5 years. So, I appreciate that before we
get started.
    We have had a few hearings here in Congress, and we have a
lot of things here. I want to make sure we get to our
colleagues.
I have written down, you were talking about--the
chairman was talking about the four issues that he saw here. I
have some specific questions just based on my background in,
not really cloud computing, but trying to do the governance and
security, overseeing cloud computing in the DOD, specifically
the challenges with competition amongst cloud computing and the
fun that we have had there with security, but also the
regulatory issues.
    I want to start with Mr. Grobman, and then I want to go to
Mr. Benda. We were talking about continuity of operations, I
think, a little bit earlier is how I would look at it, and this
is something that I am looking at as we are going forward. Do
you think continuity of operations (COOP) would be less
expensive with cloud applications, even based on scalability--
which I will go to Mr. Benda about--but do you think actually
when you are looking at the cloud and where we are going right
now, do you believe that would be less expensive for continuity
of operations going forward rather than staying on premise?
    Mr. Grobman. Yes. And the reason is, cloud operators are
able to execute at scale and be able to have expertise in
specific areas that would not be practical at the typical
institutions that use them. So, for the financial services
sector or the DOD to have the same level of competence in the
low-level capabilities a CSP has would not be practical. I
think it does make things work a lot faster.
    Mr. Riggleman. It is interesting because we talked about
data stovepipes beforehand, before cloud computing became a
thing, right? And my worry is creating funnel clouds of
excellence also, which we called them. But talking about that,
we talked about cost and scalability, and talking about
continuity of operations--and going to Mr.
Benda--and sorry, I
am off script right now, so we are having fun right now--so
talking about scalability, would you say maybe that it
improves--and going on, Mr. Grobman, would you say it would
improve our security posture based on the fact it could be less
expensive, based on cloud computing, to have more continuity of
operations as far as cost and scalability?
    Mr. Benda. I think that the value of the cloud is certainly
the pay-as-you-go model. You pay for what you use. The
scalability is there, in that the cloud has several server
farms that you can access and provide you failover capabilities
that are in there. I think the cost process or the cost model
is that you are not--the way I have heard it described is that
it is an operational expense versus capital expense. So, the
clouds take on that capital expense. It should reduce costs
overall and provide a better resilience capability because that
scalability is there on an instant and that is when you pay
for it.
    Mr. Riggleman. If we are becoming increasingly reliant on
technologies, why do you think at this time anybody would wait
to adopt them?
    Mr. Benda. I think if you look at it from a financial
services perspective, there are multiple reasons. One, the
cloud is new. You have to learn a whole new set of things on
how to secure it. It can be more secure, or it can be less
secure, depending on how well you know it.
    The other thing is, I think there is a lack of regulatory
clarity in how the cloud is treated and how it is examined. It
is a real issue for banks, and I think the Treasury report that
you referenced, sir, makes some really good recommendations.
    Mr. Riggleman. Thank you very much.
    Ms. Seiffert, the same question to you, do you think there
is an ability for any scalable pricing that targets smaller
institutions?
And this is what I get excited about a little
bit, is that when we are looking at smaller institutions trying
to enter into the cloud computing space, do you think that
scalable pricing is there based on the fact that we have a
better way of doing business than on premise?
    Ms. Seiffert. Thank you for the question. Small and
midsized institutions absolutely have the ability to really
leverage the power of the cloud to save money, as well as
really piggyback on a fair amount of cybersecurity know-how
that the cloud service providers bring to the table. A small or
midsized institution, a credit union in Texas, a small bank in
Missouri, they are really not able to retain the level of staff
or technical know-how to keep their systems as secure as the
cloud service providers are able to keep their infrastructure.
    And so, in that respect, the consumption-based pricing
model really favors smaller institutions because their compute
spend is just going to be less. It is also going to be more
predictable than needing to not only buy a data center, but
also patch it to include with the vulnerabilities that were
mentioned earlier.
    Mr. Riggleman. This allows me to mention to everybody, so
piggybacking off Dr. Brandt, and then going to Mr. Benda, when
you are talking about technology, and advances that we had, and
going to Mr. Benda and seeing everything that is happening, in
the last 25 seconds here--yes, sir, I see the gavel ready--in
the last 25 seconds, are we to a point where really it isn't
about location anymore, it is about access, right? If we are to
that point right now, should we be more aggressive in making
sure that our regulatory structure supports that?
    Mr. Benda. I would agree, I think it is about access, but
we have to make sure that those physical security controls are
in place, and I think that is really where regulators can help.
    Mr. Riggleman. Thank you, and I yield back.
The witnesses
were wonderful. Thank you.
    Chairman Foster. Thank you.
    The gentlewoman from Texas, Ms. Garcia, is now recognized
for 5 minutes.
    Ms. Garcia of Texas. Thank you, Mr. Chairman. And thank you
to all the witnesses today.
    First, let me say that I still don't have clarity. I think
it is a little cloudy in my head as to exactly what the real
challenges are here. And I am concerned more about the
consumer, perhaps a consumer like myself, who still keeps a
checkbook, who doesn't trust a lot of online banking or online
shopping because I find a lot of mistakes, even in some of my
credit card statements. The very idea that somewhere in never-
never land, there is a cloud taking care of my financial
information, has made me even more nervous today than I was
before.
    Ms. Seiffert, you said there was a shared responsibility,
that security in the cloud was the responsibility of the
customer financial institution, and security of the cloud was
the CSP. What does that really mean?
    Ms. Seiffert. Sure. Thank you very much for the question.
What that means is there are a variety of services that are
available for banks to configure--
    Ms. Garcia of Texas. No, I know that, but can you give me
an example of what you mean by the difference between ``of''
the cloud and ``in'' the cloud? So that a person like me who is
watching this today can really understand.
    Ms. Seiffert. Absolutely. When it comes to the software, so
whereas you pull up your phone and you have your banking
application there, when it is your time to log in, you enter
your user name and your password, maybe there is a two-factor
authentication.
The security of the application as it
communicates with the data that is possibly stored in the
cloud, it is your bank's responsibility to make sure that
application is secure.
    So you as a consumer, you are seeing an application, that
is all the financial services--
    Ms. Garcia of Texas. So if I don't use my phone for
banking, I don't have to worry about this cloud business?
    Ms. Seiffert. Not quite.
    Ms. Garcia of Texas. Okay.
    Ms. Seiffert. It depends on what your--
    Ms. Garcia of Texas. Again, remember you are talking to a
consumer who doesn't do online banking.
    Ms. Seiffert. So, let's say you are--
    Ms. Garcia of Texas. But you have my data over there in
West Virginia in the same place where the FBI has a data
center, and that makes me nervous too.
    Ms. Seiffert. It is a very secure data center.
    But sort of the physical security of the data center, who
is allowed to get in, you and I probably can't just walk into
some data center and have a look around just because we would
like to. And the physical security of data centers is a cloud
service provider's responsibility. The specific application
data that is stored there, let's say that you are accessing a
loan through a bank. Let's say you go in person to a bank
branch in order to apply for a loan. The security of the
application, let's say they take down your data on a website or
on some sort of document, and they e-mail it for processing.
The security of that is the bank's responsibility.
    Ms. Garcia of Texas. Okay. Well, it is a little cloudy,
okay? But I will move on to Ms. Broussard.
    Do you agree with this shared responsibility? Because I
think you said that no one in tech thinks about regulatory
issues, and instead, they want to move fast and break things.
And so if my data as a consumer is stolen or misused, should
the liability fall on the CSP or on the financial institution
that is using the CSP?
    Ms.
Broussard. Thank you for the question. The issue of
liability is a really good one. We can think about shared
responsibility and we can think about shared liability. For
example, if you go to a hotel and you are injured at a hotel
because of something that the hotel did, then the hotel bears
some responsibility, right? The best way to think about
cybersecurity issues and issues of liability in the
computational world is to think about the equivalence in the
real world and think through how things would proceed in that
way.
    And specifically in this case, we do have a communication
issue, a really major communication issue around compliance and
around tech, because AI issues are very difficult to
understand, and bank regulatory issues are pretty hard to
understand if you are not trained in it.
    One of the things that I think we need is we need better
training for cloud computing staff about bank regulatory
issues. And we need better communication by both parties about
what are the regulations and what is actually happening on the
digital side and how is everybody staying protected.
    Ms. Garcia of Texas. All right. Thank you.
    Ms. Broussard. Thank you.
    Ms. Garcia of Texas. I yield back. Thank you, Mr. Chairman.
    Chairman Foster. Thank you.
    The gentleman from Ohio, Mr. Gonzalez, is recognized for 5
minutes.
    Mr. Gonzalez of Ohio. Thank you, Mr. Chairman. And thank
you, everybody, for being here today for this important task
force hearing.
    I want to start with some questions for Mr. Benda. You
spoke about a collaborative approach between the CSPs, the
regulators, and the banks to provide clarity and guidance on
rules and responsibilities. I agree, that makes total sense. We
need to have this sort of collaboration.
Right now, there is
sort of this finger-pointing thing going on, which I think
everybody really loves.
    Not to put you on the spot here, but as you think through
that, from your perspective, what do you think the right roles
and responsibilities for each of those three entities should
be? It is a big question, I know.
    Mr. Benda. That is a big question.
    Mr. Gonzalez of Ohio. Give me some broad brush strokes, if
you could?
    Mr. Benda. The one thing I would say on that is that banks
are comfortable and understand the requirements of GLBA and
their responsibility to be, overall, the caretaker of that
customer's data. We spend hundreds of millions of dollars every
year to make sure that happens. We are not interested in
offloading that responsibility.
    When we look at the different roles, we think there is a
clash of culture between safety and soundness, regulatory
compliance culture that banks have, versus move-fast-break-
things on the tech side. We would love to see a more efficient
examination process that allows banks to operate and utilize
and take advantage of all the wonderful things that the cloud
can provide.
    But then the regulators have their role of, instead of
having 5,000 banks go and hit Amazon for a certain thing, we
rely on the regulators to look at the physical security access
point. We look at them for those things where there is a multi-
tenant cloud, the regulators have access that they need to
ensure that the banks' due diligence for that third-party
oversight is done and that the banks do their appropriate role.
    I think working in a collaborative manner, we can make
things better for everyone and make things more secure.
    Mr. Gonzalez of Ohio. And then as a followup, what is the
barrier to having that sort of collaboration, and how can we as
Congress make sure that that actually occurs?
Because it
strikes me that would be a more effective means than what we
are doing now.
    Mr. Benda. I think the Treasury report that Congressman
Riggleman mentioned actually has this exact recommendation in
it. I would just ask for an update from Treasury on where they
stand on that, and we are happy to work together with the
regulators to make that happen.
    Mr. Gonzalez of Ohio. Great.
    And then, Ms. Broussard, so your analogy of the hotel--and
this could be for anybody--but the analogy of the hotel
suggests that or implies that it is easy to make attribution,
right? If something at the hotel was deficient, and I get hurt,
that is on the hotel. If it is something that I am doing
myself, that is probably on me. And that makes sense.
    My question with respect to security in the cloud is, how
easy is it to make those attributions and does that prevent any
sort of barrier?
    Ms. Broussard. Thank you for the question. I used the
analogy of the hotel because when you go into a hotel, you are
renting space.
    Mr. Gonzalez of Ohio. Right.
    Ms. Broussard. And in the cloud environment, you are also
renting space from one of the cloud providers.
    As far as how easy it is to figure out what went wrong, it
really depends on the individual situation. Sometimes, it is
quite obvious, for example, somebody forgot to patch a security
hole, and a hacker got in through that security hole, and it is
a well-understood breach. Other times, we have folks who are
really, really creative about finding ways in, and so we have a
new kind of breach, an unknown unknown, if you will--
    Mr. Gonzalez of Ohio. Right.
    Ms. Broussard. --and we don't have ways to predict that
because it hasn't happened yet. And AI is especially not
helpful in that regard, because AI can help us protect against
things that have already happened, that are known, but it can't
be creative in the same way that humans are creative.
That is
one of the things that is hard about cybersecurity, is you
always have to keep up.
    Mr. Gonzalez of Ohio. Thank you.
    Mr. Grobman?
    Mr. Grobman. Representative, I really think it is very
similar to in the physical world, that in order to have safe
use of technology, it is a combination of the technology and
the use. For example, in order to safely drive a car, having
safety features in the car is a critical component, but as a
driver, you also need to apply the rules of the road. So if you
are in an auto accident, it could be either because of a failure
of the automobile or because you did something improper as a
driver.
    And it is very much the same in the world of the cloud, in
that we do need to recognize that the underlying technology can
have vulnerabilities, but also, the users of that technology
can have misconfigurations or make other mistakes that would
lead to issues.
    Mr. Gonzalez of Ohio. Yes, and I agree. I guess the point I
am trying to drive home is, so we get the clear rules of the
road, we get the guidelines, we make sure that everything is
right, I still think we have this attribution question that I
am not sure that we have a great answer for right now.
    With that, I yield back.
    Chairman Foster. Thank you.
    The gentleman from Illinois, Mr. Casten, is now recognized
for 5 minutes.
    Mr. Casten. Thank you, Mr. Chairman. And thank you all so
much.
    It strikes me that the thing that makes cloud computing so
awesome is that its strength is its weakness, right? You have
all of this organized data that you can access remotely, which
means that if I am going to wear a black hat and find a place
to target, that is a lot more attractive than getting onto my
little laptop.
The issues, and as Congresswoman Garcia raised, \nis this gap between who bears the liability for that, and then \nthere is separately, who bears the cost, which is not always \nthe same, and sometimes don't tie out.\n    My first question for Mr. Benda is, let's say you are a \nmajor U.S. bank. You have customer data from all 50 States \nwithin your system. Jurisdictionally, how many different \njurisdictions constrain how you regulate the data? Is it 51? Is \nthere one overarching jurisdiction that sets what kind of \nconstraints you have to impose or liabilities you have to \nmanage to?\n    Mr. Benda. There can be. A national bank like that is \nchartered by the OCC. That is the primary regulator. They would \nhave the overarching control or regulation of that. What we \nwould like to see is a harmonization of those regulations. We \nwould like to see that we don't have to answer to 51 different \nmasters, that we harmonize those regulations through a Federal \nregulator.\n    Mr. Casten. Are the obligations substantively different \nbetween the State and the Federal, and between the States?\n    Mr. Benda. They can be, sir.\n    Mr. Casten. What if you have international clients, or one \nof your clients has a London account in addition to your U.S. \naccount that is managed in your same system?\n    Mr. Benda. Large banks have a lot of regulatory oversight \nand a lot of different challenges they have to face. Those are \nreal issues that we work through every day, and we do our best \nto address them as best we can.\n    Mr. Casten. Given different liabilities for those different \njurisdictions, to what degree do the banks segment the data? In \nother words, if I have data that is only subject to my London \naccount, is that on the same network and the same accessible \nserver as the one that is my Arkansas account?\n    Mr. Benda. That is a great question, sir. I would have to \nget back to you on that. 
I don't know a specific implementation \non how they would handle that.\n    Mr. Casten. Is it even possible to do that segmentation if \nyour customer in Arkansas also has a London account?\n    Mr. Benda. Per customer, that is a great question, sir. I \ndon't know the ins and outs of that. I would have to get back \nto you on that.\n    Mr. Casten. Ms. Broussard, you seem like a nice person, but \nI am going to pretend you have on a black hat now.\n    Ms. Broussard. Okay.\n    Mr. Casten. If you have all of these different regulations \nand you have a gap between the liability and the cost of--who \nbears liability and who bears cost between the cloud provider \nand the bank and the customer whose data is stored, and \ndifferent international and State and Federal rules, where are \nthe regulatory gaps? If you are going to hack into that system \nand say, where would I exploit the vulnerabilities? Because, \ngiven your brain power, if you can say with a black hat and \nthen we can think about where we ought to be, where we ought to \nbe bolstering the defenses, I am going to put you on the spot, \nbut I would love your thoughts.\n    Ms. Broussard. Sure. I actually think about this a lot. As \na data journalist, one of the things you do is you look for \nwhere can things go wrong and you look for the things that go \nwrong, so thank you for the question.\n    I would say that cybersecurity is very important to \nconsider holistically. We need to consider the attack surfaces \nin the real world as well as the virtual world. As far as who \nbears the responsibility, this is such a complicated question, \nand I have talked about it with a lot of lawyers, and it is \nhard to find a consensus. 
I would go back to your earlier \nquestion about how easy is it to write code against all of \nthese different regulations.\n    One of the problems with making banking technology is that, \nas a programmer, you want to write once and run anywhere, but \nif we have 50 different States with different rules \nindividually, and the computer is considered to be in \ncyberspace, well, I could just shrug and say, oh, well, it is \nin cyberspace, it doesn't matter. Or I could say, I need the \nrules to adhere to the rules of the real world. These are \nindividual decisions, and I think that is one of the cultural \ndifferences between computer scientists and regulators.\n    Mr. Casten. Thank you. I yield back.\n    Chairman Foster. Thank you.\n    And Members are advised that votes have been called. The \ntime is currently at 6 minutes and 25 seconds.\n    The gentleman from Missouri, Mr. Cleaver, who is also the \nChair of our Subcommittee on National Security, International \nDevelopment and Monetary Policy, is recognized for 5 minutes.\n    Mr. Cleaver. Thank you, Mr. Chairman. I am going to try to \nroll three questions into one because of the votes.\n    My favorite time of the year is October because of \nHalloween and all of the movies, the horror movies that come \non. I know probably all of you are watching them at night with \nme. And I am on the Committee on Homeland Security as well, and \nI chair the Subcommittee on National Security. So I don't know \nif I am being troglodytic in my thinking, but a lot of this \nscares me more than Dracula does, and Dracula is real. I just \nwant to make sure you know that.\n    But, we have this plan, this financial plan to create a \nfinancial ecosystem by Facebook. They are calling it \nstablecoin. I call it scary. At Homeland Security, we are \nalways looking at what you said, Ms. Broussard, what can go \nwrong? What can happen? 
I am thinking power lines, water \ntreatment facilities, and then on top of that, human error.\n    We have a situation that is quite threatening, and we know \nfor a fact that the Chinese, the Iranians, and the Russians are \nall daily, daily messing with us, and you probably know about \nsome of them, and a lot of them you don't know about. Tell me \nit is going to be okay or tell me it is not.\n    Mr. Brandt. I think all of these discussions and some of \nthe lack of clarity around liability, if we just focused on \nwhat is the precious asset here, it is the data. And if we look \nat the poll of what the banks are worried about, it is the data \nprivacy, the data security. And regardless of what happens, if \nthere is a breach, if there is a vulnerability in the hardware \nor the physical location, if the data itself is protected, then \nwe are good. There are other bad things that can happen, of \ncourse, interruption of service, but at least people's data and \ntheir privacy are secured in that.\n    If we just focus on the life cycle of the data security \nitself, then it helps to, I think, simplify a lot of these \nquestions that we are having.\n    Mr. Grobman. Representative, I agree with your point that \nthe threat landscape is extremely broad. But one of the things \nthat we have to recognize is we can't put a priority on the \nmost important thing to worry about is energy or water or our \nfinancial system, because if any one of those systems had a \nmajor cyber breach, it would be catastrophic, which is why we \nneed to really have a comprehensive cyber defense approach \nacross all of our critical systems.\n    Mr. Cleaver. But we are not even close to that, are we?\n    Mr. Grobman. No, we are not.\n    Mr. Cleaver. I yield back, Mr. Chairman.\n    Chairman Foster. 
Thank you.\n    I would like to thank our witnesses for their testimony \ntoday.\n    The Chair notes that some Members may have additional \nquestions for this panel, which they may wish to submit in \nwriting. Without objection, the hearing record will remain open \nfor 5 legislative days for Members to submit written questions \nto these witnesses and to place their responses in the record. \nAlso, without objection, Members will have 5 legislative days \nto submit extraneous materials to the Chair for inclusion in \nthe record.\n    Thank you, and this task force hearing is adjourned.\n    [Whereupon, at 10:35 a.m., the hearing was adjourned.]\n\n                            A P P E N D I X\n\n\n                            October 18, 2019\n\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                  [all]\n</pre></body></html>\n"