[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
SECURING THE FUTURE: HARNESSING THE POTENTIAL OF EMERGING TECHNOLOGIES
WHILE MITIGATING SECURITY RISKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
JUNE 22, 2022
__________
Serial No. 117-63
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
48-856 PDF WASHINGTON : 2022
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Mariannette Miller-Meeks, Iowa
Yvette D. Clarke, New York           Diana Harshbarger, Tennessee
Eric Swalwell, California            Andrew S. Clyde, Georgia
Dina Titus, Nevada                   Carlos A. Gimenez, Florida
Bonnie Watson Coleman, New Jersey    Jake LaTurner, Kansas
Kathleen M. Rice, New York           Peter Meijer, Michigan
Val Butler Demings, Florida          Kat Cammack, Florida
Nanette Diaz Barragan, California    August Pfluger, Texas
Josh Gottheimer, New Jersey          Andrew R. Garbarino, New York
Elaine G. Luria, Virginia            Mayra Flores, Texas
Tom Malinowski, New Jersey
Ritchie Torres, New York
Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas                      Andrew R. Garbarino, New York, Ranking Member
James R. Langevin, Rhode Island                Michael Guest, Mississippi
Elissa Slotkin, Michigan                       Diana Harshbarger, Tennessee
Kathleen M. Rice, New York                     Andrew S. Clyde, Georgia
Ritchie Torres, New York                       Jake LaTurner, Kansas
Bennie G. Thompson, Mississippi (ex officio)   John Katko, New York (ex officio)
Moira Bergin, Subcommittee Staff Director
Austin Agrella, Minority Subcommittee Staff Director
Aaron Greene, Subcommittee Clerk
C O N T E N T S
----------
Statements
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Chairwoman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
    Oral Statement
    Prepared Statement
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
    Oral Statement
    Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
    Prepared Statement
Witnesses
Mr. Charles W. Robinson, Public Sector Leader, Quantum Computing,
IBM:
    Oral Statement
    Prepared Statement
Mr. Andrew Lohn, Ph.D., Senior Fellow, Center for Security and
Emerging Technology, Georgetown University:
    Oral Statement
    Prepared Statement
Mr. Ron Green, Executive Vice President and Chief Security
Officer, Mastercard International Incorporated:
    Oral Statement
    Prepared Statement
Mr. Rob Strayer, Executive Vice President for Policy, Information
Technology Industry Council:
    Oral Statement
    Prepared Statement
SECURING THE FUTURE: HARNESSING THE POTENTIAL OF EMERGING TECHNOLOGIES
WHILE MITIGATING SECURITY RISKS
----------
Wednesday, June 22, 2022
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:31 p.m., in
room 310, Cannon House Office Building, Hon. Yvette D. Clarke
[Chairwoman of the subcommittee] presiding.
Present: Representatives Clarke, Jackson Lee, Slotkin,
Rice, Torres, Garbarino, and Harshbarger.
Ms. Clarke. The Subcommittee on Cybersecurity,
Infrastructure Protection, and Innovation will come to order.
The subcommittee is meeting today to receive testimony on
``Securing the Future: Harnessing the Potential of Emerging
Technologies While Mitigating Security Risks.''
Without objection, the Chair is authorized to declare the
committee in recess at any point.
Good afternoon.
With each passing day, we see the pace of innovation
accelerate exponentially. Advances in quantum computing,
artificial intelligence (AI), 5G, and the internet of things
present both opportunities and challenges in National security.
As such, we must constantly reevaluate the threat landscape and
adapt our defenses accordingly.
Today, we will explore how to harness the potential of
these technologies while mitigating the security risks
associated with them. In doing so, we will discuss how the
Federal Government and the private sector can better work
together to anticipate future threats stemming from emerging
technologies, inform international standards, and protect U.S.
economic and National security interests.
Quantum computing, for example, is a transformative,
sophisticated computing system that can operate at higher
speeds and process large amounts of data in shorter periods of
time. The National Academy of Science predicts that this
technology could improve machine learning, sensor technology,
electronic warfare capabilities, and communications, among
other things.
Our adversaries have also taken note of the potential that
quantum computing presents. China and other state actors are
investing in quantum in pursuit of gaining a strategic
advantage over the United States.
We expect, for instance, that quantum computers will be
able to break conventional encryption standards, which could
expose sensitive information held by the U.S. Government,
military, and the private sector.
As the global competition for quantum supremacy continues,
the United States must not only work to innovate in this space,
but proactively mitigate against threats posed by adversaries.
For its part, the Biden administration has provided much-
needed White House leadership on the United States' quantum
technology strategy. Last month, President Biden signed an
Executive Order and a National security memorandum to preserve
the United States' position as the global leader in quantum
computing.
Together, these documents chart a course for public-private
collaboration in the following key areas: Developing and
deploying quantum-resistant encryption on Federal networks;
educating non-Federal entities about risks to encryption from
quantum computing; and promoting U.S. supremacy in this space.
Turning to AI, there is broad agreement that it has
security applications that could enable network defenders to
automate threat detection and prioritize response, spot
irregular network activity, and better detect new malware.
At the same time, there is concern that hackers will be
able to exploit vulnerabilities in AI for nefarious purposes.
We have already seen advantages in AI fostering conditions
for the growing speed of deepfakes, which is a class of
synthetic media that appears to be authentic.
As deepfake technology becomes more sophisticated, experts
anticipate that it will be used to further sow political
tensions, disrupt public confidence in election outcomes,
violate human rights, and facilitate criminal activity.
That is why I have introduced the DEEPFAKES Accountability
Act to implement criminal and civil penalties for malicious
deepfakes. My legislation also directs DHS to establish a task
force to better prepare for the National security implications
of deepfakes.
Emerging technologies carry with them National security
implications and should be developed in a manner that protects
National security.
This hearing comes at a critical time, as the House and
Senate are engaged in a conference committee on the America
COMPETES Act, which passed the House earlier this year. We have
a historic opportunity to preserve the United States' place as
a global leader in emerging technologies and chart a course for
further advancement well into the future.
As we close in on this urgent need, it is incumbent upon us
to make sure that economic security and National security are
part and parcel of how we support innovation.
I want to thank our witnesses for joining us today, and I
look forward to our discussion.
[The statement of Chairwoman Clarke follows:]
Statement of Chairwoman Yvette D. Clarke
June 22, 2022
With each passing day, we see the pace of innovation accelerate
exponentially. Advances in quantum computing, artificial intelligence
(AI), 5G, and the internet of things present both opportunities and
challenges in National security. As such, we must constantly reevaluate
the threat landscape and adapt our defenses accordingly.
Today, we will explore how to harness the potential of these
technologies while mitigating the security risks associated with them.
In doing so, we will discuss how the Federal Government and the private
sector can better work together to anticipate future threats stemming
from emerging technologies, inform international standards, and protect
U.S. economic and National security interests.
Quantum computing, for example, is a transformative sophisticated
computing system that can operate at higher speeds and process large
amounts of data in shorter periods of time. The National Academy of
Science predicts this technology could improve machine learning, sensor
technology, electronic warfare capabilities, and communications, among
other things. Our adversaries have also taken note of the potential
that quantum computing presents.
China and other State actors are investing in quantum in pursuit of
gaining a strategic advantage over the United States. We expect, for
instance, that quantum computers will be able to break conventional
encryption standards, which could expose sensitive information held by
the U.S. Government, military, and the private sector. As the global
competition for quantum supremacy continues, the United States must not
only work to innovate in this space but proactively mitigate against
threats posed by adversaries.
For its part, the Biden administration has provided much-needed
White House leadership on the United States' quantum technology
strategy. Last month, President Biden signed an Executive Order and a
National Security Memorandum to preserve the United States' position as
the global leader in quantum computing. Together, these documents chart
a course for public-private collaboration in the following key areas:
Developing and deploying quantum-resistant encryption on Federal
networks, educating non-Federal entities about risks to encryption from
quantum computing, and promoting U.S. supremacy in this space.
Turning to AI, there is broad agreement that it has security
applications that could enable network defenders to automate threat
detection and prioritize response, spot irregular network activity, and
better detect new malware. At the same time, there is concern that
hackers will be able to exploit vulnerabilities in AI for nefarious
purposes. We have already seen advances in AI fostering conditions for
the growing spread of deepfakes, which is a class of synthetic media
that appears to be authentic.
As deepfake technology becomes more sophisticated, experts
anticipate that it will be used to further sow political tensions,
disrupt public confidence in election outcomes, violate human rights,
and facilitate criminal activity. That is why I have introduced the
DEEPFAKES Accountability Act to implement criminal and civil penalties
for malicious deepfakes. My legislation also directs DHS to establish a
task force to better prepare for the National security implications of
deepfakes. Emerging technologies carry with them National security
implications and should be developed in a manner that protects National
security.
This hearing comes at a critical time, as the House and Senate are
engaged in a conference committee on the America COMPETES Act, which
passed the House earlier this year. We have a historic opportunity to
preserve the United States' place as a global leader in emerging
technologies and chart a course for further advancements well into the
future. As we close in on this urgent need, it is incumbent upon us to
make sure that economic security and National security are part and
parcel of how we support innovation.
Ms. Clarke. The Chair now recognizes the Ranking Member of
the subcommittee, the gentleman from New York, Mr. Garbarino,
for an opening statement.
Mr. Garbarino. Thank you, Madam Chair, for holding this
critical conversation regarding new and emerging technologies
and their implications for the security and longevity of the
United States.
I would like to thank our witnesses for being here today,
and I look forward to a constructive dialog.
Cyber incidents are growing increasingly complex, with
threat vectors and opportunities for attacks rising as quickly
as new technologies develop.
With this expanding threat landscape comes both risk and
opportunity. Given technologies such as quantum computing,
artificial intelligence, and deepfakes, coupled with potential
for malicious adversarial nation-states and criminals, this
topic is timely and important.
It is paramount that the U.S. Government ensures our cyber
capabilities maintain pace with the lightning-speed evolution
of technological change. Striking the proper balance between
security and harnessing technological innovation is critical in
maintaining an edge against our adversaries and criminal
entities and in ensuring National prosperity.
As the lead for coordinating Federal civilian
cybersecurity, CISA will continue to play a vital role securing
our Federal networks and critically important infrastructure as
we witness the emergence of new technologies.
Efforts to develop a Federal cloud security strategy, to
define transparent cyber incident reporting requirements, and to
work with Federal partners, such as NIST, to develop network
and software standards will go a long way in this fight.
As we prepare for new tech capabilities on the horizon,
CISA is uniquely equipped to lead the Federal Government on
cybersecurity measures. I look forward to supporting CISA as it
adapts and evolves to address the challenges ahead.
As the Ranking Member of this subcommittee, I have always
prioritized industry input. I believe that Congress must
appropriately consult with players such as each of our
witnesses today to implement practical legislation that will
successfully play out in the real world.
Given this, I look forward to hearing from our witnesses on
their particular emerging technology focus.
I specifically look forward to hearing from Mr. Rob
Strayer, executive vice president of policy at the Information
Industry Council. I trust Mr. Strayer can provide a valuable
perspective on emerging technologies' resulting cybersecurity
challenges and opportunities.
I am also pleased to hear from Mr. Ron Green, here not only
as chief security officer for Mastercard, but also,
importantly, as chairman of the U.S. Secret Service Cyber
Investigation Advisory Board.
I, again, thank the Chairwoman for holding this important
hearing today.
[The statement of Ranking Member Garbarino follows:]
Statement of Ranking Member Andrew Garbarino
Thank you, Madam Chair, for holding this critical conversation
regarding new and emerging technologies, and their implications for the
security and longevity of the United States. I would like to thank our
witnesses for being here today. I look forward to a constructive
dialog.
Cyber incidents are increasing at a staggering rate, with threat
vectors and opportunities for attack rising as quickly as new
technologies are developed. With this expanding threat landscape comes
both risk and opportunity.
With technologies such as quantum computing, artificial
intelligence, and deepfakes, coupled with the potential for malicious
actors such as adversarial nation-state actors seeking cyber dominance
and criminal actors seeking financial gain, this topic is timely and
important.
It is paramount that the U.S. Government ensures our cyber
capabilities maintain pace with the lightning speed evolution of
technological change. Striking the proper balance between security and
harnessing technological innovation is critical in maintaining an edge
against our adversaries and criminal entities, ensuring National
prosperity.
As the lead for coordinating Federal cybersecurity, CISA will have
a vast role in securing our Federal networks and critically important
infrastructure as we witness the emergence of new technologies. Efforts
like developing a Federal cloud security strategy, ensuring transparent
cyber incident reporting requirements are well-defined and articulated,
and working with Federal partners like NIST to develop standards to
keep our networks and dependencies like software secure will go a long
way in this fight. CISA is uniquely equipped to lead the Federal
Government on cybersecurity measures as we prepare for new tech
capabilities on the horizon. I look forward to CISA continuing to adapt
and evolve to address the challenges ahead.
This hearing is an opportunity to learn from industry
representatives about the evolving nature of cyber threats and
technological developments which will have significant implications for
the cyber domain and U.S. interests. I look forward to hearing from our
witnesses on their particular emerging technology focus.
I specifically look forward to hearing from Mr. Rob Strayer, the
executive vice president of policy at the Information Industry Council
(ITI). I trust Mr. Strayer can provide a valuable perspective on
emerging technologies and resulting cybersecurity challenges and
opportunities.
I am also pleased to see Mr. Ron Green here, as the chief security
officer for Mastercard but also, importantly, as the chairman of the
U.S. Secret Service Cyber Investigation Advisory Board.
I again thank the Chairwoman for holding this important hearing
today.
Ms. Clarke. I thank the Ranking Member.
Members are also reminded that the subcommittee will
operate according to the guidelines laid out by the Chairman
and Ranking Member in their February 3, 2021, colloquy
regarding remote procedures.
Additional statements may be submitted for the record.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
June 22, 2022
Over the past several years, this country has seen a rapid
proliferation of new technologies, from artificial intelligence (AI) to
internet of things (IoT) to quantum computing. As a result of these new
technologies, our attack surface has grown, and our adversaries have
developed new tactics designed to directly harm U.S. democratic
institutions, economic interests, and National security. As these new
technologies have entered the marketplace, many became so mesmerized by
their potential for good that we failed to appreciate and plan for the
security consequences. With an enhanced threat landscape, we are now
facing more cyber threats from our adversaries than ever before.
Furthermore, our adversaries are continuing to increase their own
capabilities to take advantage of the security vulnerabilities within
these new technologies. The DNI's 2022 Annual Threat Assessment of the
U.S. intelligence community noted that a growing number of state and
non-state actors are developing novel approaches to utilize both mature
and new technologies to directly threaten U.S. National security. We
are already very aware that this is happening.
There is a myriad of examples of Russia relying on its cyber and
influence capabilities to directly threaten emerging technologies in
the United States, including those that are upholding our democratic
institutions and critical infrastructure. Additionally, there is
continuing concern that Russia will employ an array of tools targeting
various emerging technologies to retaliate against the United States
for its sanctions in the wake of their unlawful and horrific war with
Ukraine.
When it comes to China, we know that they have engaged in
intelligence gathering and economic espionage. We know they have strong
hacking capabilities. Chinese hackers were recently able to hack
poorly-secured IoT devices on the Indo-China border. Additionally,
China is continuing to invest and grow in the field of quantum
computing--this is only going to increase in the coming years, which is
a great concern for the security value of encryption moving forward.
Furthermore, China's AI Plan for 2030 highlights the government's
plan to become a leader in AI, which they believe is vital to their
military and economic position in the world. The Chinese government
could easily take advantage of their continued work in this field and
utilize it to directly harm U.S. interests. Notably, there are serious
questions regarding the influence of the Chinese government in global
standards-setting bodies related to information and communications
technology. The unchecked influence of our adversaries in global
standards-setting bodies would disrupt the security of supply chains
for decades to come. Moreover, there are many unanswered questions
regarding Federal Government's role in regulating these technologies to
promote strong security.
I appreciate Chairwoman Clarke for holding this hearing today
because it gives us an opportunity to understand the challenges
emerging technologies present, how the private sector is proactively
preparing for those challenges, and the right role for the Federal
Government. We must prepare ourselves to harness the security benefits
and economic opportunities that emerging technologies like AI, IoT, and
quantum computing will yield, while defending ourselves against
adversaries who would use technology against us. But the Government
cannot do it alone.
Achieving our National and economic security goals will depend on
whether the Federal Government can partner with the private sector, as
well as State and local partners, to develop policies that will enhance
investment in emerging technology while also managing the risks
associated with these technologies. I am eager to hear from our
witnesses how the Federal Government can ensure both the responsible
deployment of emerging technologies, as well as managing security
risks.
Ms. Clarke. I now welcome our panel of witnesses.
First, we will hear from Mr. Charles Robinson, who serves
as the Public Sector Quantum Computer leader for IBM. In this
role, he is responsible for preparing the National security
community for the Quantum Computer Age and drove the formation
of the IBM HBCU Quantum Computer Program. A Navy veteran, Mr.
Robinson has over 30 years of experience in engineering.
I would also like to welcome Dr. Andrew Lohn, who is a
senior fellow to Georgetown University's Center for Security
and Emerging Technology, CSET, where he works on the Cyber AI
Project.
Prior to CSET, he was an information scientist at the RAND
Corporation, where he led research on cybersecurity and
artificial intelligence. Dr. Lohn has also worked at Sandia
National Laboratories, NASA, and Hewlett Packard Labs.
Next we will hear from Mr. Ron Green, the chief security
officer at Mastercard. Mr. Green leads a global team that is
responsible for a wide range of security activities, including
corporate security, security architecture and engineering,
business continuity, and emergency management. An Army veteran,
Mr. Green has nearly three decades of public and private-sector
experience in network security.
Then, finally, I look forward to hearing from Mr. Robert
Strayer, executive vice president of policy at the Information
Technology Industry Council. There, he leads ITI's effort to
shape technology policy around the globe to enable innovation
while supporting public policy objectives.
Prior to joining ITI, Mr. Strayer served as the deputy
assistant secretary of state for cyber and international
communications and information policy at the United States
State Department.
Without objection, the witnesses' full statements will be
inserted into the record.
I now ask that witnesses summarize their statements for 5
minutes, beginning with Mr. Robinson.
STATEMENT OF CHARLES W. ROBINSON, PUBLIC SECTOR LEADER, QUANTUM
COMPUTING, IBM
Mr. Robinson. Thank you, Chairwoman Clarke and Ranking
Member Garbarino. My name is Charles Robinson, and I am a
quantum computing public sector leader at IBM. I am honored to
testify.
Quantum computing has the potential to shape the future of
our Nation. My testimony today will explain what quantum
computing is, its potential, and the recommendations to harness
its value, while ensuring our National security.
So what is quantum? Quantum computing is not simply a
faster way of doing what today's computers do. It is a
fundamentally different approach.
Think of it this way. Classical supercomputers explore
every possible path to a solution. But as the problems and data
grow exponentially more complex, there simply isn't enough
computing power to find a solution.
In contrast, quantum computers double the problem space
they can analyze with every quantum bit, or qubit. With
relatively few qubits, quantum computers can solve large,
complex problems that today's computers cannot.
Quantum computers can help drug discovery, new materials,
and many other scientific endeavors. We call this the Quantum
Advantage. As early adopters, we can lock in economic and
strategic advantage.
It is then fair to ask: How can quantum computing affect
our National security? As we transition into the quantum era,
government, commerce, education, and health care systems may
become increasingly vulnerable. Simply put, quantum computers
pose a challenge for a key part of our digital life:
Encryption.
Today's cryptologic algorithms derive their strength from
the difficulty of solving certain math problems. Quantum
computers, however, may be able to solve those math problems in
just hours or minutes instead of millions of years. This is
where quantum-safe cryptography comes in.
Let me be clear: While we don't currently have quantum
computers that can break today's widely-used cryptography,
encryption that is resistant to quantum computer attacks is
essential and only a start.
So how do we get to where we need to go? Policy makers and
industry need to mitigate against these risks by future-
proofing in the present.
IBM is acting now. In collaboration with others, our
researchers are developing cryptographic solutions resistant to
threats posed by quantum computers. We have identified several
cryptographic schemes believed to be quantum safe.
First, we need to accelerate quantum science and the use of
quantum computing. We urge Congress to meet this challenge by
passing the final Bipartisan Innovation Act and the QUEST Act
without delay.
Second, we should expand and diversify the quantum
ecosystem.
Third, we must future-proof our encryption now.
Finally, fourth, we should encourage responsible
collaboration with international partners.
Let me close with this. We don't know exactly when large-
scale quantum computers capable of breaking widely used
cryptography will be available, but some experts predict
possibly by the end of the decade.
That means we must act now to ensure the United States
reaps the benefits of quantum computing while protecting our
National security.
If we work collaboratively and take the actions that I
just described, we will be ready and our Nation will be secure.
Thank you. I welcome your questions.
[The prepared statement of Mr. Robinson follows:]
Prepared Statement of Charles W. Robinson
June 22, 2022
Introduction
Chairwoman Clarke, Ranking Member Garbarino, and distinguished
Members of the subcommittee, I am honored to appear before you today to
discuss how to harness the benefits of emerging technologies,
particularly quantum, while mitigating the potential National security
consequences before this important subcommittee.
My name is Charles Robinson, and I am IBM's Quantum Computing
Public Sector Leader. In addition to serving in corporate America, I've
had the great privilege and honor to serve in the United States Navy.
Today, I have the pleasure of supporting the preparation of the
National Security Community for the Quantum Computer Age.
Leveraging the power of emerging technology while bolstering our
National security is an increasingly complex mission which demands
dynamic solutions and collective actions by industry and Government.
While these technologies promise to produce immense value to our
society, new threats related to these disruptive emerging technologies
create a multitude of challenges to securing and protecting people, the
Nation, and information. To mitigate these threats, we must understand
these technologies and take actions today to prepare us for tomorrow.
My testimony will explain how we can do this effectively through
collaboration. First, it is important to level set and provide a brief
explanation of quantum, its importance to society, and its relationship
to National security. Just as important is understanding what industry,
academia, and Government can do today to promote quantum resistant
encryption and strengthen National security tomorrow.
What Is Quantum--Its Importance and Relationship to National Security
Quantum computing is not simply a faster way of doing what today's
computers do--it is a fundamentally different approach that promises to
solve problems that classical computing cannot realistically solve.
Quantum computers are not simply more powerful supercomputers.
Instead of computing with the traditional bit of a 1 or 0, quantum
computers use quantum bits, or qubits (CUE-bits), that can run
multidimensional quantum algorithms.
Think of it this way, a classical supercomputer solves a problem
sequentially. Supercomputers leverage their many processors to explore
every possible path to a solution before arriving at an answer. But as
the problem and data grow more complex, there simply isn't enough
computing power to solve problems that grow exponentially. For example,
there are 40,000 different ways to seat 8 people around a table. If you
add one person, it becomes 362,000. Make it 10 people and the number of
combinations is more than 3.5 million. Eleven people, almost 40
million. No existing computer has the working memory to handle all the
possible combinations as problem sizes grow exponentially large. By
contrast, a quantum computer can double the size of the problem space
it can analyze by adding only one qubit.
A. Quantum and its Value
Quantum algorithms take a new approach to these sorts of complex
problems--creating multidimensional spaces where the patterns linking
individual data points emerge. For example, in the case of the protein
folding problem, where a chain of 100 amino acids could theoretically
fold into trillions of ways, the optimal pattern is the combination of
folds requiring the least energy to be viable. Compared to today's
supercomputers, a quantum computer could find that combination of folds
faster enabling the prediction of protein structures to address diverse
use cases from drug discovery to agriculture.
Through these vastly improved chemical simulations in drug
discovery and development, quantum computing can help expedite the
response to future pandemics, on-going health crises, and the
proliferation of debilitating diseases affecting millions world-wide.
Today, between 1 and 2 percent of the global energy output goes into
making ammonia-based fertilizer through the nitrogen fixation process.
If quantum simulations can find a way to use even a fraction less
energy in that process, it would have a significant impact. Quantum
computing holds the promise to help humanity confront these and many
other important challenges, from solving long-standing questions in
science to overcoming obstacles in improving industrial efficiency.
Working in conjunction with classical computers and cloud-based
architectures, quantum computers could even find answers to problems we
haven't yet dreamed of. The opportunities for society and the economy
are potentially limitless.
The future of this technology is truly exciting--it's likely that
by the middle of this decade, we'll see applications of quantum
computing that will solve practical problems faster, cheaper, or with
more accuracy than classical computers. We call this the Quantum
Advantage. It is essential the United States rapidly strives to
leverage this advantage. As early adopters, we will have the
opportunity to lock in economic and strategic advantages that will be
enormously difficult to challenge.
B. Quantum and National Security
As we transition into an era in which quantum computers become more
ubiquitous, the digital platforms that underpin our Government,
commerce, education, and health care systems may become increasingly
vulnerable. This vulnerability to the technological fabric we depend on
every day puts our National security at risk. However, we can protect
against this via concurrent development and adoption of quantum-safe
cryptography.
Simply put, quantum computers pose a challenge for a key part of
our digital life: Encryption.
When you send an email, make an on-line purchase, or make a
withdrawal from an ATM, cryptography helps keep your data private and
authenticate your identity.
Today's cryptographic algorithms derive their strength from the
difficulty of solving certain math problems using classical computers
or searching for the right secret key or message.
Quantum computers, however, work in a fundamentally different way.
Solving a problem that might take millions of years on a classical
computer may take hours or minutes on a sufficiently large quantum
computer, which will have a significant impact on the encryption,
hashing, and public key algorithms we use today. This is where quantum-
safe cryptography comes in.
Let me be clear: While we do not currently have quantum computers
that can break today's widely-used cryptography, we expect significant
advancements in the coming years, and although we already know how to
perform encryption that will be resistant to a quantum computer's
attack, these foundational quantum-safe algorithms should only be
considered the start.
Many industry security standards and protocols need to be updated
with these new algorithms, and advances in quantum computing will need
to coincide with advances in quantum-safe cryptography to ensure data
and systems are secured now from these future threats.
So how do we get there?
preparing for tomorrow by future-proofing in the present--industry &
government collaboration & policy
Policy makers and industry need to look to mitigate against these
risks by future-proofing in the present.
A. Industry Collaborations
IBM is taking action now. Our researchers are developing practical
cryptographic solutions that are resistant to the threats posed by
quantum computers. We have identified a number of cryptographic schemes
that are believed to be quantum-safe. These include lattice-based
cryptography, hash trees, multivariate equations, and supersingular
isogeny elliptic curves.
The key advantage of such quantum-safe schemes is the absence of an
exploitable structure in the mathematical problem an attacker needs to
solve in order to break the encryption. Certain quantum-safe schemes
(e.g., supersingular isogeny) will protect us against particularly
patient attackers who store their victims' encrypted messages today
only to decrypt them with new and more powerful methods in the future.
Other encryption schemes (e.g., lattice cryptography) can enable game-
changing technologies like Fully Homomorphic Encryption (FHE), in which
data can be directly computed in encrypted form, stymieing a common
strategy of attackers to loiter in a victim's computer system until
sensitive data is decrypted to be used. Existing encryption today can
only protect data when stored and in transit. This new technique closes
this vulnerability by keeping data encrypted while it is in use.
Moreover, development of quantum-safe systems, which are systems
that leverage the use of both quantum-safe cryptography as well as
other security mechanisms like secure boot (meaning that bad actors
cannot inject malware into the boot process to take over the system
during start-up) is crucial to ensure the security of systems now and
in the future. IBM has invested in these technologies with its
development of the industry's first quantum-safe system, the IBM z16.
To advance these and other innovative new methods for securing data
in an age of quantum computing, we are collaborating with academic
institutions--such as the State University of New York at Stony Brook
and the University of Notre Dame--to advance the science behind these
techniques.
B. U.S. Government--the critical role of Government
IBM joins others in industry to work with our Government to
strengthen our future National security. Key among these activities is
the work of the National Institute of Standards and Technology (NIST),
which initiated a Post-Quantum Cryptography Standardization Program to
identify new algorithms that can resist threats posed by quantum
computers.
After 3 rounds of evaluation, NIST identified 7 finalists. It plans
to select a small number of new quantum-safe algorithms this year and
implement new quantum-safe standards by 2024. As part of this program,
IBM Researchers have been involved in the development of 3 quantum-safe
cryptographic algorithms based on lattice cryptography that are in the
final round of consideration: CRYSTALS-Kyber, CRYSTALS-Dilithium and
Falcon.
More must be done to supplement private industry's engagement in
standards development and to accelerate investments in, and to promote
the adoption of, quantum-safe cryptographic schemes that can safeguard
data now and long into the future.
C. Policy Recommendations
As I just shared, companies and governments are preparing for a
quantum computing future and positioning themselves to capture the many
benefits of this technology. Yet more can and should be done.
Collaboration among all stakeholders is key to making progress.
Governments, researchers, academics, and industry must work together on
policies to accelerate the adoption of new educational curricula, fund
R&D, future-proof encryption, create new talent pipelines, and more.
As the U.S. Government considers how best to protect National
security and prepare for our quantum future, IBM recommends Congress
consider policies that would:
Accelerate quantum science and the use of quantum computing--
Significant investments to keep America at the forefront of the quantum
computing race. Congress should support funding for fundamental
research in quantum theory, hardware, and software; the rapid
deployment of advanced, reliable quantum systems; and ``proof of
concept'' programs for the U.S. Government to purchase commercial-grade
quantum technologies. Specifically, we urge passage of:
The Quantum User Expansion for Science and Technology
program (QUEST) Act with $30 million of funding to increase
access to U.S. quantum computing hardware and quantum computing
clouds for research, thereby accelerating U.S. economic
development and National security; and
a final Bipartisan Innovation Act (BIA), including increased
funding for the Department of Energy's work as well as Quantum
Network Infrastructure and Workforce Development support, which
will bolster research in quantum networking and communications.
Expand and diversify the ecosystem--Support and fund initiatives
that help build a robust enabling technology ecosystem of industry and
academia players, as well as a supply chain for the quantum industry.
This includes promoting education and training to expand the necessary
workforce to make the industry sustainable as was called for in the
Presidential Directives to Advance Quantum Technologies. Congress
should also help to advance and expand existing initiatives such as:
Reauthorization of the National Quantum Initiative Act for
another 5 years to ensure continued support of
Multidisciplinary Centers for Quantum Research and Education
and National Quantum Information Science Research Centers to
accelerate scientific breakthroughs in quantum science and
technology;
Quantum Economic Development Consortium (QED-C) to build up
quantum industry supply chains;
NSF's Q2Work and similar post-secondary studies and high-
school education; and
programs promoting greater diversity among this emerging
workforce (e.g., IBM's HBCU Quantum Center) to ensure we have a
quantum era-ready workforce; and
open-source research and development projects that enable
the creation of platforms such as Qiskit, an open-source
software development kit, that provides tools to create and
manipulate quantum programs and run them on prototype quantum
devices.
Future-proof encryption now--Accelerate efforts around new quantum-
safe cryptographic methods and prioritize workstreams to establish a
quantum-safe infrastructure that has cryptographic agility (a flexible
approach that enables future updates without major changes to the
existing infrastructure). History has shown broad adoption of new
cryptography can take more than a decade, thus we must act now. This
acceleration was also called for in the Presidential Directives, which
IBM strongly supports. On this, we encourage Congress to:
Obtain from NIST an update on its Post-Quantum Cryptography
Standardization Program and its National Cybersecurity Center
of Excellence (NCCoE) plan for the replacement of hardware,
software, and services that use public-key algorithms so that
information is protected from future attacks;
accelerate the legislative process to pass the Quantum
Computing Cybersecurity Preparedness Act, which prioritizes the
migration to post-quantum cryptography; and
encourage NIST and other relevant agencies to prioritize the
engagement with standards development organizations that are
updating system-relevant industry standards, including those
for critical infrastructure and financial industry, such as:
ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and standards
developed by the Council on Cybersecurity Critical Security
Controls.
Encourage responsible collaboration with international partners--
Leverage existing global engagements and create new ones as needed to
review and ensure military and commercial trade agreements are
addressing post quantum cryptography. Further, Congress should:
Encourage the Department of State, through its new Bureau of
Cyberspace and Digital Policy, and the Department of Defense to
find new ways to work collaboratively with our allies and
partners to promote quantum innovation and accelerate the
adoption of quantum-safe encryption; and,
support the tailoring of export controls to keep sensitive
technologies out of the hands of nefarious actors given the
sensitive nature of quantum R&D and that its technological
components present possible dual-use concerns.
conclusion
We don't know exactly when a large-scale quantum computer capable
of breaking public key cryptographic algorithms will be available, but
some experts predict this could be possible by the end of the decade.
While we have some time to implement policies that counter developing
threats and develop quantum-safe solutions, these years go fast, so we
must act now to ensure the United States reaps the benefits of quantum
computing while protecting our National security.
Moving to new cryptography is complex and will require significant
time and investment. As a starting point, we urge Congress to meet this
challenge by passing a final BIA without delay and accelerating the
legislative process on QUEST and the Quantum Computing Cybersecurity
Preparedness Act.
If we continue to work collaboratively and take the actions I
just described, we will be better prepared, and our Nation will be more
secure for it.
Thank you.
Ms. Clarke. Thank you, Mr. Robinson.
I now recognize Dr. Lohn to summarize his statement for 5
minutes.
STATEMENT OF ANDREW LOHN, PH.D., SENIOR FELLOW, CENTER FOR
SECURITY AND EMERGING TECHNOLOGY, GEORGETOWN UNIVERSITY
Mr. Lohn. Chairwoman Clarke, Ranking Member Garbarino, and
Members of the subcommittee, thank you for the opportunity to
testify today. I am Andrew Lohn, senior fellow in the CyberAI
Project at the Center for Security and Emerging Technology at
Georgetown University. It is an honor to be here.
During the next few minutes, I would like to discuss a few
of the ways that artificial intelligence intersects with
cybersecurity.
To start, it is worth being clear about what makes these
two related topics different. Cybersecurity is about protecting
the digital world from miscreants, and AI is just one part of
that digital world.
What distinguishes AI capabilities from more traditional
technology is when they perform tasks that until recently
required a human, such as a ``smart'' refrigerator that sees
what is on its shelves and suggests a recipe or an AI-assisted
computer that helps drive a car.
The distinction between cyber and AI does get murky
sometimes. For one, some of the most promising AI systems can
help protect digital systems. That has been true for many years
in the fight to detect spam or phishing emails, and the
capabilities continue to improve to keep pace with attackers.
Another area where AI has shown promise is in detecting
attackers once they are in the network, which is known as
intrusion detection.
Hackers often try to act like normal users or write their
malware to blend in with normal software, but there are usually
subtle differences that AI can detect to weed them out.
This too requires a continual stream of new advances to
keep up with attackers who are constantly adapting.
At the same time, AI systems are digital, too, so they need
their own cybersecurity protection.
While AI-enabled systems have similar vulnerabilities to
other types of software, they also have their own unique
vulnerabilities.
They learn to recognize patterns in data, such as which
aspects of an image represent a dog, or which streams of data
between two computers are benign and which are malicious. But a
clever attacker can change that image or the data stream to
fool the AI.
There are also ways to trick the AI into revealing data
that is meant to remain private.
Further, the systems are vulnerable throughout their design
process. AI is usually assembled from publicly-available
components, like data, programming libraries, and other AI
models, that can all be potentially compromised.
Now, while AI needs cybersecurity protections, it can also
be a means to create new cybersecurity problems. In rare cases,
AI might be used to create disruptions in the digital world,
such as by finding security holes or by helping disguise a
digital intrusion.
But I would like to highlight how AI threatens to move
beyond the digital world to disrupt our society.
AI is able to create images and videos of fake people or of
real people doing or saying things they never said or did.
These deepfakes receive a lot of attention, deservedly so. But
AI's ability to write text is equally concerning and gets less
attention.
Several of the most powerful AI systems today are dedicated
to writing text, and they are convincing enough to shift
people's stance on important National security topics.
CSET's report, ``Truth, Lies, and Automation,'' illustrated
this point. We used one such system to write tweet-length
messages that either supported or opposed sanctions on China
and that either supported or opposed withdrawal from
Afghanistan.
In a controlled environment, we showed volunteers a sample
of five of these messages and measured whether it shifted their
opinions. Comparing the group that read the pro-withdrawal
messages to the group that saw the anti-withdrawal messages,
they were 50 percent more likely to want to remove troops and
30 percent less likely to want to maintain troop levels.
The Chinese sanction topic was even more dramatic. In the
control group that didn't read any messages, just over half
favored sanctions. After reading the five messages, though,
that flipped. Almost half the population came to oppose
sanctions, twice as many as in the control group.
Although we do not know how long-lasting the effect might
be, this technique likely appeals to foreign powers who might
want to shape our views and control our collective actions.
When we did this study last year, these text generators
were carefully guarded proprietary technologies. But now
comparable systems are freely available. They are likely within
reach of all dedicated nations and even many technologically-
sophisticated individuals.
In conclusion, AI systems come with risks, but can also
pave the way for economic and scientific breakthroughs. Access
to these tools should be supported, perhaps through initiatives
like the National AI Research Resource.
But we should also monitor which countries are acquiring
them and for which purposes. We should try to harden our
population against future malicious uses while promoting
trustworthy sources and media literacy, while discouraging the
spread of disinformation.
At the same time, we need to be careful not to deflate the
value of all information. Pairing these societal-level defenses
with efforts to understand the vulnerabilities of AI systems
and the ways AI can boost cybersecurity will go a long way
toward securing the Nation.
[The prepared statement of Mr. Lohn follows:]
Prepared Statement of Andrew Lohn
June 22, 2022
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
subcommittee, thank you for the opportunity to testify today. I am
Andrew Lohn, senior fellow in the Cyber AI Project of the Center for
Security and Emerging Technology at Georgetown University. It is an
honor to be here. During the next few minutes, I would like to discuss
a few of the ways that artificial intelligence intersects with
cybersecurity.
To start, it is worth being clear about what makes these two
related topics different. Cybersecurity is about protecting the digital
world from miscreants, and AI is just one part of that digital world.
What distinguishes AI capabilities from more traditional technology is
when they perform tasks that until recently required a human--such as a
``smart'' refrigerator that sees what's on its shelves and suggests a
recipe, or an AI-assisted computer that helps drive a car.
ai for cybersecurity
The distinction between cyber and AI does get murky sometimes. For
one, some of the most promising AI systems can help protect digital
systems. That has been true for many years in the fight to detect spam
or phishing emails--and the capabilities continue to improve to keep
pace with attackers.
Another area where AI has shown promise is in detecting attackers
once they're in the network, which is known as intrusion detection.
Hackers often try to act like normal users and write their malware to
blend in with normal software, but there are usually subtle differences
that AI can detect to weed them out. This too requires a continual
stream of new advances to keep up with attackers who are constantly
adapting.
ai needs cybersecurity
At the same time, AI systems are digital too, so they need their
own cybersecurity protections. While AI-enabled systems have similar
vulnerabilities to other types of software, they also have their own
unique vulnerabilities. They learn to recognize patterns in data, such
as which aspects of an image represent a dog, or which streams of data
between two computers are benign and which are malicious. But a clever
attacker can change the image or the data stream to fool the AI. There
are also ways to trick the AI into revealing data that is meant to
remain private. Further, the systems are vulnerable throughout the
design process. AI is usually assembled from publicly-available
components like data, programming libraries, and other AI models that
can all potentially be compromised.
ai subverts cybersecurity
While AI needs cybersecurity protections, it can also be a means to
create new cybersecurity problems. In rare cases, AI might be used to
create disruptions in the digital world such as by finding security
holes or by helping disguise a digital intrusion. But I'd like to
highlight how AI threatens to move beyond the digital world to disrupt
our society. AI is able to create images and videos of fake people, or
of real people doing or saying things they never said or did. These
deepfakes receive a lot of attention, deservedly so, but AI's ability
to write text is equally concerning and gets less attention.
Several of the most powerful AI systems today are dedicated to
writing text, and they are convincing enough to shift people's stance
on important National security topics. CSET's report ``Truth, Lies, and
Automation'' illustrated this point: We used one such system to write
tweet-length messages that either supported or opposed sanctions on
China, and that either supported or opposed withdrawal from
Afghanistan. In a controlled environment, we then showed volunteers a
sample of five messages each and measured whether it shifted their
opinions.
Comparing the group that read pro-withdrawal messages to the group
that saw anti-withdrawal messages, they were 50 percent more likely to
want to remove troops and 30 percent less likely to want to maintain
troop levels. The Chinese sanctions topic was even more dramatic. In
the control group that didn't read any messages, just over half favored
sanctions. After reading the five messages though, that flipped. Almost
half the population came to oppose sanctions, twice as many as in the
control group.
Although we do not know how long-lasting the effect might be, this
technique likely appeals to foreign powers who might want to shape our
views and control our collective actions. When we did this study last
year, these text generators were carefully-guarded proprietary
technologies, but now comparable systems are freely available. They are
likely within reach of all dedicated nations and even many
technologically sophisticated individuals.
conclusion
In conclusion, AI systems come with risks but can also pave the way
for economic and scientific breakthroughs. Access to these tools should
be supported, perhaps through initiatives like the National AI Research
Resource, but we should also monitor which countries are acquiring them
and for which purposes. We should try to harden our population against
future malicious uses by promoting trustworthy sources and media
literacy while discouraging the spread of disinformation. At the same
time, we need to be careful not to deflate the value of all
information. Pairing these societal-level defenses with efforts to
understand the vulnerabilities of AI systems and the ways AI can boost
cybersecurity will go a long way toward securing the Nation.
Ms. Clarke. Thank you very much, Dr. Lohn, for your
testimony.
I now recognize Mr. Green to summarize his statement for 5
minutes.
STATEMENT OF RON GREEN, EXECUTIVE VICE PRESIDENT AND CHIEF
SECURITY OFFICER, MASTERCARD INTERNATIONAL INCORPORATED
Mr. Green. Chairwoman Clarke, Ranking Member Garbarino,
Members of the subcommittee, it is an honor to testify today.
My name is Ron Green, and I am the Mastercard chief security
officer.
Every day we enable commerce in a safe and secure way and
we help connect buyers and sellers. We enable many types of
ways to pay: Account to account, card, installments, and even
crypto.
As important, we use insights from the transactions that
cross our networks to help people, businesses, and governments
make better decisions. That informs an approach to security
organized around five layers--prevent, identify, detect,
experience, and network--each layer featuring cutting-edge
solutions that work together at every stage of a transaction.
In a few minutes I will cover two areas: How we are seeing
the threat landscape evolve and how public and private sectors
can prepare for the challenges ahead.
Part of my job is threat forecasting, or threatcasting. My
team anticipates how risks might evolve due to technology and
world events.
We are often looking 10 years ahead. This may seem like
purely speculative work, but we are actually developing an
informed, textured picture of the future.
It starts with the analysis of 110 billion payment
transactions that we process around the globe each year. Add to
that the analysis of billions of other points from partners
across business, academia, and government.
We talk to futurists who specialize in AI and quantum
computing. We consult experts at the U.S. Treasury and CISA on
fraud and financial crimes. That helps us identify emerging and
intersecting trends.
We are anticipating how they might threaten businesses like
ours, institutions like Congress, and free societies like the
United States. Some of these trends this subcommittee is
familiar with, like misinformation. Others are more nuanced.
Remote work provides an enormous cybersecurity challenge.
It is far harder to safeguard a work force operating from
thousands of homes versus a few office buildings.
There is a growing complexity to what needs protecting.
Many critical parts of the supply chain are increasingly
subcontracted out to a few third-party vendors, and companies
and cities often have little relationship with these vendors.
They don't know who they are influenced by or if they are
hardened against bad actors. They don't know who else shares
these vendor relationships. So these vendors can be weak
points, unlocked back doors through which bad actors can enter.
This is the story of the attack on SolarWinds, a vendor
that provided software to so many. It was an unlocked back door
that let hackers in everywhere. The risk of this kind of attack
is only growing.
Another key trend is the changing nature of criminal
operations themselves. Not long ago, hackers were like pirates.
They were committing crimes of their own personal accord for
their own profit. Now cyber crime is increasingly provided as a
service by black hat mercenaries. We are seeing more and more
foreign adversaries do just that.
How do we prepare for a world where everything is harder to
defend and easier to attack? It is a collective action problem
not unlike climate change or the pandemic.
Ultimately, our digital world is too interconnected and
threats are too fast-changing for any one organization to
counter them alone. We need far more coordination between the
public and private sectors, and I think that can take action in
a few concrete forms.
First, Congress should help CISA build a National cyber
training center. Planning for an attack is crucial, but those
plans are ultimately worthless without practice. It is the same
way that battle plans would be of little use without real world
war games and live fire exercises. That is why the Army has the
National Training Center at Fort Irwin. We need a similar
facility for cybersecurity.
Second is enhancing the intelligence sharing. Cyber crime
is not constrained by borders or sectors. The appropriate
Federal agencies have the authority to facilitate global,
cross-sector, agnostic intelligence sharing with the private-
sector participants and allied governments. Our defenses will
be better equipped with coordinated ability to analyze
incidents, review attack vectors, and spot trends.
Members of the subcommittee, these are just a few ideas out
of what I hope is a much larger pool. I am hopeful that we can
discover even more solutions today.
Thank you. I am happy to answer any questions.
[The prepared statement of Mr. Green follows:]
Prepared Statement of Ron Green
June 22, 2022
Good afternoon, Chairwoman Clarke, Ranking Member Garbarino, and
Members of the subcommittee. My name is Ron Green, and I am executive
vice president and chief security officer of Mastercard. In this role,
I am responsible for the cybersecurity of our network and operations as
well as the physical security of Mastercard and its assets.
In addition to my role with Mastercard, I serve in several
positions with government and industry groups coordinating private-
sector awareness of and responses to cyber threats.
I am chair of the Financial Services Sector Coordinating
Council (FSSCC).\1\
---------------------------------------------------------------------------
\1\ The FSSCC was established in 2002 by financial institutions to
work collaboratively with key government agencies while coordinating
critical infrastructure and homeland security activities within the
financial services industry. The FSSCC is an industry-led non-profit
organization and its mission is to bring together members from
financial services, trade associations, and other industry leaders to
assist the sector's response to natural disasters, threats from
terrorists, and cybersecurity issues of all types. The FSSCC partners
with the public sector on policy issues to enhance the security and
resiliency of the U.S. financial system. The U.S. Department of
Homeland Security recognizes the FSSCC as a member of the Critical
Infrastructure Partnership Advisory Council on behalf of the banking
and finance sector.
---------------------------------------------------------------------------
I am chairman of the U.S. Secret Service Cyber Investigation
Advisory Board (CIAB).\2\
---------------------------------------------------------------------------
\2\ Established in September 2020, the CIAB is an investigations-
focused Federal advisory committee, dedicated to providing outside
strategic guidance to shape the Secret Service's investigative efforts
in cyber crime and cyber-enabled fraud. As chair, I head the 16 member
CIAB, composed of senior executives and experts from industry,
government, and academia. The goal of the CIAB is to provide outside
strategic direction to the Secret Service's investigative mission. This
includes helping the Secret Service identify the latest cyber crime,
technology, and policy trends, providing guidance as the agency looks
to modernize their training, partnerships, and investigative
priorities. All CIAB members are appointed by the Department of
Homeland Security secretary through the Secret Service director.
Members serve in a volunteer capacity for 2 years with an opportunity
to renew their membership for up to 3 years. The CIAB meets twice a
year, unless requested by the Secret Service director.
---------------------------------------------------------------------------
I am vice chair of the Cybersecurity and Infrastructure
Security Agency (CISA) Cybersecurity Advisory Committee (CSAC)
and subcommittee chair for the Transforming Cyber Workforce
study.\3\
---------------------------------------------------------------------------
\3\ The CISA Cybersecurity Advisory Committee is a 22-member
committee that operates as a board of industry and State, local, and
Tribal government leaders who advise the CISA director on policies and
programs related to CISA's cybersecurity mission.
---------------------------------------------------------------------------
I am also a member of the Aspen Cybersecurity Group.\4\
---------------------------------------------------------------------------
\4\ The Aspen Institute gathers diverse, nonpartisan thought
leaders, creatives, scholars, and members of the public to address some
of the world's most complex problems. But the goal of these convenings
is to have an impact beyond the conference room. They are designed to
provoke, further, and improve actions taken in the real world.
---------------------------------------------------------------------------
I am here today to discuss the security implications of emerging
technologies, actions that Mastercard takes to forecast and mitigate
cyber threats against these emerging technologies, efforts Mastercard
participates in to enhance collaboration with industry and Government
partners to promote cybersecurity and resiliency, and recommendations
for Congress to further secure and enhance the resiliency of the
digital ecosystem from future cyber threats. Many of the topics that I
will discuss today are part of Mastercard's resiliency planning--things
that Mastercard needs to comprehend to be ready to guard against
strategic surprises and are practices we encourage to be adopted more
widely by both public and private-sector actors at home and abroad.
background on mastercard
Mastercard is a technology company in the global payments industry
that connects consumers, financial institutions, merchants,
governments, digital partners, businesses, and other organizations
world-wide, enabling them to use electronic payments instead of cash
and checks. We make payments easier and more efficient by providing a
range of payment services using our family of well-known brands,
including Mastercard, Maestro, and Cirrus. We are a multi-rail
network (debit, credit, prepaid, and real-time payments) that offers
customers one partner for their domestic and international payment
needs.
Our payment solutions offer customers choice and flexibility to
ensure security for the global payments system. Mastercard seamlessly
processes more than 110 billion payments annually. With more than 2.9
billion cards issued through our family of brands globally, Mastercard
serves consumers and businesses in more than 200 countries and
territories.
Through our global payments network built over decades, which we
refer to as our core, we ``switch'' (i.e., authorize, clear, and
settle) payment transactions and deliver products and services. We also
supply payment capabilities that include automated clearing house
transactions (both batch and real-time account-based payments).
Moreover, we provide integrated value-add cyber and intelligence
products and solutions, information analytics and other security
consulting services.
As a global organization with a far-reaching network, we are
responsible for securing our organization, protecting our sector and
helping to protect the trust and confidence that people have in the
broader global ecosystem. We safeguard consumer data, protect points of
connection, and take a forward-looking approach toward mitigating risks
facing the digital world today and those it will encounter tomorrow.
the state of cybersecurity today and the high-stakes losses from cyber
attacks
The world in which we are living today looks different than it did
just a few years ago. Technology is continuing to evolve. It is
connecting the disconnected and making our lives more convenient. The
world was already rapidly moving toward a digital-first way of life,
which has only been accelerated by the COVID-19 pandemic. How people
shop, pay, and interact is changing. Consider the following:
In 2020, 2.5 quintillion bytes of data were generated per
day by people and their devices.\5\
---------------------------------------------------------------------------
\5\ Jacquelyn Bulao, Techjury, How Much Data is Created Every Day
in 2022? (Jun. 3, 2022) (citing Domo), available at:
https://techjury.net/blog/how-much-data-is-created-every-day/#gref.
---------------------------------------------------------------------------
As of January 2021, there were 4.66 billion active internet
users around the world, which is close to 60 percent of the
world's population.\6\
---------------------------------------------------------------------------
\6\ Id (citing Statista).
---------------------------------------------------------------------------
It is estimated that digital commerce transaction values
will total $18 trillion by 2024.\7\
---------------------------------------------------------------------------
\7\ Juniper Research, Digital Commerce Key Trends Sectors and
Forecasts 2016-2020.
---------------------------------------------------------------------------
By 2024, 50 percent of the world is expected to be using
digital wallets.\8\
---------------------------------------------------------------------------
\8\ Juniper Research, Digital Wallets--Deep Dive Strategy &
Competition 2019-2024.
---------------------------------------------------------------------------
But as interactions go digital, criminals follow. Supercharged
attacks are becoming more common, indiscriminate, and sophisticated.
National infrastructure, health care research, and government services
are all being targeted.
The cost of global cyber crime is projected to reach $10.5 trillion
annually by 2025. But the consequences for businesses go beyond the
immediate financial loss. There is potential damage to users' trust.
With so many connections, it is more important than ever for all of us
to maintain trust throughout the digital ecosystem.
The constantly growing interconnected spider web of digital devices
and services means that the problem is only going to grow. Tapping into
all the digital economy has to offer results in creating more data--
therefore, more to protect. Organizations or individual actors can no
longer invest in cybersecurity systems that only offer protection for
their own operations. The public and private sector must invest in the
right foundations and guardrails that create a long-term, sustainable
shield around the whole supply chain.
mastercard leads on security and privacy
Mastercard secures trust in the modern digital economy. Consumers
and businesses are expanding their on-line interactions beyond cards
and payments, significantly increasing information exposure risks and
creating more potential vulnerabilities for cyber criminals to exploit.
As such, Mastercard is investing in innovative technologies to secure
digital interactions more comprehensively. We rolled out chip card
technology across the United States and have committed to phasing out
the magnetic stripes on newly-issued cards. We are now tokenizing
transactions, shifting away from static data that can easily be stolen
or replicated and replacing it with dynamic data. All this is supported
through our use of real-time analytics to detect fraudulent activity
every time you use your card. In recent years, we have also introduced
security technologies such as Mastercard Safety Net, Mastercard
Identity Check, our Mastercard Biometric Card, and ID Theft Protection.
These innovations, which come at a significant cost, produce real
results. For example, our SafetyNet technology stopped real-time fraud
attacks and prevented more than $10 billion in potential fraud in 2021
alone.
Mastercard's cybersecurity efforts are evolving with the ecosystem.
We are focused on building security for all other types of
transactions--enabling consumers and businesses to benefit from years
of learning and development entrenched in our network security
solutions. As an example, we must ensure the validity of a website
within the cyber realm so that a payment in the digital payments space
can go through intelligent decision making. By expanding to new types
of transactions, we are focused on growing existing security for
customers, consumers, and businesses--not only to keep them safe but
also as a means of making their digital lives easier. Another objective
is to ensure the stability of the system itself by reducing systemic
risk.
Many aspects of the digital world are intertwined and dependent on
one another. In undertaking these steps, we hope to build trust from
participants in the system. This is not a responsibility that we take
lightly. We take a multi-layered, principled approach to cybersecurity
that enables us to work extensively with emerging technologies while
using cutting-edge tactics to comprehend threats and guard against
strategic surprise.
Privacy is central to securing trust in the modern digital economy,
but there is a major trust deficit in how organizations and governments
collect, use, and share people's data. At Mastercard, we embrace a
strong, individual-first view of Privacy and Data.
We have instilled a Privacy By Design culture and mindset in our
people. This looks like keeping privacy in mind from ideation through
development and delivery of a product. There are multiple layers of
privacy and security safeguards embedded into the design of our
innovations to protect people's data--including through tokenization,
encryption, and anonymization. We only collect the information we need
to get the job done. Moreover, we have extended GDPR's high standards
and privacy rights to all individuals around the world.
Further emphasizing our commitment to the responsible use of data,
we have established data responsibility principles establishing our
vision of how data should be managed. When it comes to your data,
you're at the center. You own it. You control it. You should benefit
from the use of it, and we protect it. While we use data to help
businesses, governments, the public sector and individuals better
understand the world around them through identifying trends and
insights, we anonymize and aggregate it to maintain our privacy and
security standards. We also leverage these trends and insights for
social good, helping us to advance financial inclusion and global
humanitarian efforts.
threatcasting
I would like to discuss one particular tactic that has become an
important part of our resilience planning and ability to anticipate
future threat trends, Threatcasting. There are several Government
entities, including the U.S. Army and the U.S. Secret Service, that
also leverage the Threatcasting process. I would encourage both public
and private entities to also adopt Threatcasting as part of their own
resiliency planning.
Threatcasting is threat forecasting. Traditionally, organizations
think about their outlook on a 1-, 3-, or 5-year horizon. With
Threatcasting, Mastercard looks beyond those horizons, and we challenge
ourselves to think 10 years ahead. This approach offers us a process to
combine a wide range of inputs and exercises to imagine a broad range
of future threats. It also gives us a systemic way to look backwards
from these imagined future dates to understand the steps needed to
disrupt, mitigate, and recover from future threats.
To bring this to life, we partnered with noted futurist Brian David
Johnson. We gathered a group of global, public-private sector subject-
matter experts that represent a wide variety of cultural, sociological,
economic, and scientific fields. Like business planning, Threatcasting
is something Mastercard does annually. This gives us a chance to build
on our relationships, our thinking and our ideas year after year. It is
important to highlight that we are not thinking about only one singular
Future with a ``capital F.'' We are thinking about multiple futures
involving different types of people across the world, and we repeat
this thought process multiple times. Then we can step back and ask:
``What do we need to do as an organization, as a nation, and as an
industry to prepare for those futures?''
We have used Threatcasting to forecast potential futures involving
emerging and disruptive technologies like quantum, IoT, and artificial
intelligence (AI). Threatcasting helps us understand these technologies
and the overlap between them. In the next decade, the adoption of
emerging technologies will expose greater vulnerabilities that will
allow criminals, nation-states, corporations, organizations, and
individuals to capture data (physical, digital, biological) and whole
identities to commit fraud. Opportunities for fraud will increase and
the motivation to commit this type of crime will grow. Beyond financial
gain, the perpetrators will have political and ideological goals, co-
opting criminals, proxy attackers, and unsuspecting combatants as
allies.
Some of the highlights at the intersection of fraud, cyber attacks,
and emerging technology from past Threatcasting exercises include:
The New Criminals.--In this future, criminals use emerging
autonomous technologies like AI, IoT, smart cities and cloud
computing to evolve their tactics resulting in the development
of a cyber crime economy to monetize these advances.
Hiding in the Complexity.--In this future, criminals will
use the expanding technological landscape to commit traditional
fraud by hiding in the complexity and scale of the technology,
business, and financial ecosystems. Think about it as ``Old
Fraud in New Ways.''
New Motivations.--In this future, bad actors will use
traditional fraud and broader criminal activities for
nontraditional effects, attacking beyond financial systems to
adjacent infrastructure. The logic of these attacks will be
orthogonal to traditional attacks with expanded goals to
destabilize, distract, disrupt, influence and just to prove it
is possible. Think of this future as ``New Fraud in Old Ways.''
Pandemic Problems.--When the COVID-19 pandemic took hold of
the globe, we convened a special session to Threatcast from a
pandemic perspective to specifically look at effects on
Mastercard's business operations. In 10 days, we were able to
deploy teams to address potential vulnerabilities identified
using this method.
Threatcasting is not something we have kept to ourselves at
Mastercard. It can be a truly global exercise because we are invested
in building a global digital ecosystem that is secure and connected. We
have partnered with others across the financial sector to collaborate
on Threatcasting. In my role as chair of the FSSCC, I worked to combine
the results from Mastercard's Threatcasting process with additional
insights drawn from members across the financial services sector to
further develop a comprehensive view of the threat landscape. Through
these partnerships, we can provide a more complete picture of what we
expect lies ahead. Mastercard has also shared our Threatcasting process
with the G-7 Cyber Experts Group, a group of cybersecurity experts from
G-7 nations that meets regularly to facilitate progress on major
international debates and reports their findings to G-7 ministers and
Governors.\9\
---------------------------------------------------------------------------
\8\ See https://www.cyberseek.org/heatmap.html.
---------------------------------------------------------------------------
the current threat landscape
I would like to highlight for the subcommittee some of the key
future threats that we see, which require public and private-sector
action to mitigate future losses. Using the insights gained from our
Threatcasting process as well as through our partnership engagements,
there are six key topic areas I would like to discuss.
1. Global Ground Systems to Space-Based Asset Attacks.--In the next
decade, the expansion of Financial and Communications Critical
Infrastructure (FIN/COM CI) from global ground systems to
satellites will generate a unique set of future conditions that
will multiply the scope, scale, and speed of attacks, taking
advantage of rising privatization and militarization as well as
undermining situational awareness of the operating environment.
The attack surface will no longer be ``Earth'' global; it will
be ``universe'' global. A new set of evolving future
threats will rise from these conditions, taking advantage of
threat multipliers with rapid cascading effects and advancing
FIN/COM CI as a minimum viable target for nation-states. These
FIN/COM CI consumer-centered attacks will have a destabilizing
chain reaction across systems and markets, leaving attribution
nearly impossible and retaliation an unlikely option. The
actors in the primary threat futures were the usual suspects:
Criminals, lone wolves, and state-sponsored attacks. However,
we determined that the goal of their threats will not be for
financial gain. Instead, the aim of their attacks will be to
destabilize industries, consumers, and governments via loss of
confidence and trust to the advantage of criminals, businesses,
and geopolitical actors. In some consumer-centric cases, the
goal may even be to incite civil and business chaos.
2. Mis-, Dis-, Mal-information to Cause Instability.--Mis-, dis-,
and mal-information (MDM) is a rapidly emerging tactic for
threat actors. Together, these three areas make up what CISA
defines as ``information activities.'' MDM campaigns promote
geopolitical instability, which amplifies destabilizing events.
Large-scale destabilizations like fuel, energy, food, or water
shortages can lead to financial fear and cause consumer panic.
Overall, MDM campaigns have the potential to radicalize people,
ultimately driving an increase in global geopolitical tensions
while heightening the risk of insider threat and undermining
trust. Building trust with stakeholders takes time, but it will
help to build resiliency. However, resiliency efforts at all
levels cannot be successful if people lack trust in the digital
ecosystem, and MDM campaigns actively work to undermine that.
From a technological standpoint, this can take different forms:
(i) Enhancing trust framework, inclusive of the hardware and
software that is used; and (ii) implementing solutions like
digital identity and zero trust frameworks that use methods to
authenticate and verify that people are who they claim to be.
3. Workforce Shortages.--There are three workforce-related threats
that I would like to highlight:
First and foremost, there are not enough cybersecurity
professionals. Currently, there are just under 715,000 open
cybersecurity jobs within the United States, and this gap
is rapidly increasing.\10\ For reference, in May 2021,
there were approximately 465,000 cybersecurity job
openings.\11\ Strong cybersecurity professionals require a
mix of soft and technical skills, which makes cyber
recruitment unique and more difficult. In my work as vice
chair of CSAC, I lead the subcommittee focused on
``Transforming the Cyber Workforce.'' That subcommittee is
in the process of finalizing and voting on a series of
recommendations that we believe will help begin to address
this problem.
---------------------------------------------------------------------------
\10\ See https://www.cyberseek.org/heatmap.html.
\11\ Kristopher J. Brooks, CBS News Moneywatch, U.S. has almost
500,000 job openings in cybersecurity (May 21, 2021) (citing Cyber
Seek), available at:
https://www.cbsnews.com/news/cybersecurity-job-openings-united-states/.
---------------------------------------------------------------------------
Second, we need to think through--and work to mitigate--
risks that come with our new normal of distributed
workforces. The COVID-19 pandemic drove an adoption of
hybrid work that is here to stay. It may look slightly
different in various companies and cultures, but at the end
of the day, the workforce has proven that this is a viable
operating model. While it brings some positives, it also
presents a real challenge from a security perspective.
Managing a distributed workforce means needing more complex
solutions and enabling access to more things that exist
outside of an organization's security perimeter. The more
points of connection that live beyond that perimeter, the
greater the security risks. In a distributed workforce, the
attack surface is greater.
Third, within the current workforce, corporate
organizations are seeing a rise in Insider Threat. Insider
Threat is a malicious threat to an organization that comes
from the people with access to privileged or protected
information. It takes two primary forms: Intentional and
unintentional. Intentional Insider Threat is when someone
knowingly, for a variety of motivations, misuses their own
access to the organization's confidential information or
trade secrets or its customers' data to deliberately share
them on an unauthorized basis outside of the organization.
Unintentional Insider Threat has the same result, but the
employee is fooled through naivete or lack of conscious
attention into falling for social engineering, phishing, or
other similar tactics. Thus, the unauthorized access does
not arise from the same motivations.
4. Cyber Crime for Hire.--As the ``cyber criminal workforce''
evolves, so do its tactics. We are in the midst of a rapid
expansion of cyber crime as a service. As such, participation
in cyber crime does not require any technical competency. In
fact, the barrier to entry is low. The target can be identified
and a simple email sent with nefarious content. Through cyber
crime-as-a-service offerings, it is now possible to purchase
turnkey criminal solutions, pay for cyber crime to be conducted
on one's behalf, or enlist cyber criminals to use the
technology, tactics, and procedures that allow the exploitation
of vulnerabilities in a system that have been disclosed but not
yet fixed, known in the industry as ``zero-day
vulnerabilities.'' In addition to these external services,
insider access to organizations can be bought for nefarious use
and ransomware gangs continue to offer ransomware as a service.
This growth of ``cyber crime for hire'' underscores the
importance of cyber hygiene, the practices and procedures that
are regularly performed to maintain the security of users,
devices, networks, and data. Good cyber hygiene can help
mitigate the increased risk that has resulted from this
outsourcing of cyber crime.
5. Coordination Between Threat Actors and Foreign Governments.--The
intersection between the worlds of cyber criminals and nation-
state operators will continue to grow. Whether deliberate or
not, cyber crime is becoming a shared exercise between
criminals and rogue nations. These lines, while once relatively
clear, have become blurred. The world has seen increased
geopolitical tensions give rise to more malicious cyber
activity. Complicating this is the fact that threat actors are
both acting independently and at the behest of nation-states.
Attribution, while difficult before, is now nearly impossible.
It has become incredibly challenging to discern when hackers
are acting on their own interest or when they are carrying out
an attack on behalf of nation-states.
6. Supply Chain Threats.--There are three supply chain-related
threats that I would like to highlight for you today:
COVID-19 has created an immature microcosm of small
businesses that established themselves due to economic need
and to meet a changing customer commercial demand for goods
and services. Such businesses were set up quickly and at
low cost, which meant cybersecurity was often not top of
mind. We are seeing small businesses that don't understand
cyber threats and lack an understanding of the basic
mitigations. As a result, they are falling victim to
preying criminals who are aware of their naivete and
immaturity.
Separately, it has also become essential for organizations
to be mindful of whom they are doing business with and
where they are doing business. Consider the recent PAX
point-of-sale terminals incident, for example. That
situation demonstrates the importance of knowing the source
of software as well as the location of data storage.
Organizations are also increasingly relying on the supply
services of others, including small businesses, to make
their businesses function (e.g. hosting providers,
marketeers, digital cooling systems, or distributors).
These are services that require connectivity to their
digital network but don't have control of the network.
These 3rd, 4th, and Nth party services within the supply
chain create a weakness that is readily exploited and can
create mass digital casualties globally through this one
business/vulnerability. This is a particularly acute risk
for municipalities in the United States. A recent RiskRecon
report on the state of cybersecurity in the 271 largest
U.S. cities revealed that 110 of the 271 cities may have
security gaps present in their systems that could
potentially result in data compromise.\12\ This concept
highlights the importance of understanding where our
critical nodes and concentration risks are when it comes to
National critical infrastructure. The SolarWinds supply
chain compromise demonstrates the potential devastation
that can come with the exploitation of critical nodes.
---------------------------------------------------------------------------
\12\ RiskRecon, Report: The state of cybersecurity in U.S. cities
(February 2022), available at:
https://www.riskrecon.com/report-the-state-of-cybersecurity-in-us-cities.
---------------------------------------------------------------------------
7. The Rise of Nationalism Fuels Divisions in the Global Digital
Ecosystem.--Cross-border payments play a critical role in the
global economy. Each step of a transaction--from capturing, to
processing, to authorizing a payment--relies on data, making
the free flow of data a critical prerequisite for a functioning
international payments ecosystem. Unfortunately, data
localization policies around the world have more than doubled
in 4 years. In 2017, 35 countries had implemented 67 such
barriers. Now, 62 countries have imposed 144 restrictions--and
dozens more are under consideration. These restrictions
introduce a new level of complexity to the ecosystem and how
organizations work to secure it. They require more data centers
in more places, reducing efficiency and driving up costs as
organizations work to maintain regulatory compliance. Data
localization also fragments cybersecurity, broadening the
attack surface for bad actors, limiting the scope of what
organizations can see, and making threat analysis and detection
much more complex. Global digital standards that are yet to be
written are an issue of cybersecurity. Every time we ignore a
country that promotes on-soil requirements, the ecosystem
becomes more fragmented and the ability of like-minded
governments to ensure effective cybersecurity is weakened.
mastercard's partnerships to bolster cybersecurity
Mastercard engages in partnerships with governments, academia, and
the private sector from around the world to secure the entire global
digital ecosystem from threats. Threats come from all parts of the
world and are often not isolated to a region. Opportunities exist for
the industry to work closely with government partners both domestically
and internationally. The cyber threat requires like-minded
organizations and governments to work together as one unit and use our
shared expertise to defend ourselves in the future. It requires the use
of creative, bold, and broadly beneficial ideas. Mastercard supports
the sharing of intelligence and best practices across the public and
private sectors around the world to drive detection, response, and
interoperability of cyber defense practices.
I would like to express our company's appreciation in the United
States for the role that CISA has played in leading the effort in
collaborating with the private sector to enhance the security,
resiliency, and reliability of the Nation's cybersecurity and
communications infrastructure.
The financial services sector also appreciates the role that the
U.S. Treasury plays as our Sector Risk Management Agency (SRMA).
Treasury supports our sector to ensure that CISA receives accurate,
comprehensive information about current sector operations and any
potential incidents.
Treasury coordinates with the sector and CISA to identify sector
risks and then assesses and mitigates them by conducting regular
exercises to test preparedness and emergency planning.
Additionally, Mastercard participates in domestic and international
cybersecurity exercises such as the North Atlantic Treaty
Organization's Locked Shields and CISA's Cyber Storm. We are active
contributors in the Financial Services Information Sharing and Analysis
Center (FS-ISAC) and participate in sector-specific and multi-sector
cyber defense exercises and information-sharing efforts. Mastercard
also organizes and hosts its own cyber defense exercises for the
financial services sector and the broader tri-sector community
(including the financial services, energy, and telecommunications
sectors). To provide a snapshot of some of our global cybersecurity
partnerships, we:
Engage with the European Cyber Resilience Board, European
Cyber Crime and Fraud Investigators, Europol, INTERPOL,
National Cybersecurity Authority and the National Cyber
Security Center to share cyber threat intelligence and build a
more secure digital ecosystem with partner communities.
Co-lead the Financial Services Cyber Collaboration Center
(FSCCC) in the United Kingdom with daily meetings with our
partners to identify systemic risks to the financial sector.
Partner with the National Cyber Forensics and Training
Alliance (NCFTA) to collaborate and combat cyber crime and
fraud.
Collaborate with the Dubai International Finance Center to
strengthen the cybersecurity of more than 3,000-plus financial
institutions in the region.
Support the Global Cyber Alliance, Cyber Readiness
Institute, National Cyber Security Alliance, and Small Business
Development Centers (SBDC) to equip small and mid-size
businesses with free cybersecurity tool kits, education, and
training.
Strengthen workforce development, education, and training
through our work with the National Institute of Standards and
Technology (NIST) and the National Initiative for Cybersecurity
Education (NICE) community to ensure our workforce is prepared
for today's threats, as well as those threats we will face in
the future.
Mastercard has centers of cyber innovation around the world:
The Intelligence & Cyber Centre of Excellence is in
Vancouver, Canada. The Centre was created in partnership with
the Government of Canada through its Strategic Innovation Fund,
with an additional $510 million investment by Mastercard.
Opened in 2022, the Centre is leading innovation in cyber and
intelligence, AI, and the IoT. Research from the Centre is
already enhancing Mastercard solutions, and combining the
Centre's biometric security algorithms with existing cyber
capabilities is creating new approaches to enhance on-line
security.
In partnership with EnelX and the Government of Israel,
Mastercard opened the FinSec Innovation Lab in Beer-Sheva,
Israel in 2021 to advance innovations in Israel in financial
technology and cybersecurity for the payments and energy
ecosystem globally. The Lab partners with Israeli startup
companies to test and develop products and solutions, with a
particular focus on cybersecurity and digital security, among
other fields.
Mastercard established a European Cyber Resilience Centre in
Waterloo, Belgium in 2020. The Centre drives collaboration
between both public and private sectors as well as regulatory
bodies to further support enterprise resilience in the region.
The Centre highlights Mastercard's on-going commitment to
addressing threats faced by the European payments ecosystem,
including financial institutions and fintechs. The facility
serves as a single cybersecurity hub for the region, bringing
together a diverse pool of talent from across Mastercard's
global community. The Centre works with various cyber
intelligence centres, industry groups, law enforcement
agencies, and central banks across Europe and helps drive
better prevention and mitigation practices against
international cyber crime and wider security threats.
Mastercard established a Fusion Center in St. Louis, Mo. The
Fusion Center leads and synchronizes Mastercard global
resources to anticipate, identify, and mitigate fraud and cyber
and physical security threats or events requiring a joint
response in order to protect Mastercard and contribute to the
financial ecosystem's security.
Mastercard established a DigiSec Lab in England to
proactively test threats to all forms of digital payments in
coordination with government security agencies and leading
academics. This team deconstructs technology and identifies
opportunities to strengthen it and continue to protect
consumers, merchants, and financial institutions from fraud.
The team also works in close partnership with other groups to
deliver a multi-layered approach to address security risks and
concerns in digital payments.
Mastercard operates tech hubs in Sydney, Australia; St.
Louis, Mo.; New York City; Arlington, Va.; Dublin, Ireland; and
in Pune and Vadodara, India.
POLICY RECOMMENDATIONS
I would like to offer some cybersecurity policy recommendations for
Congress that would strengthen the U.S. and global resilience against
cyber threats given current trends in emerging technologies:
1. Establish a National Cybersecurity Training Center Within
CISA.--Congress should establish a National Cybersecurity
Training Center (NCTC) within CISA, which would enable CISA and
all critical infrastructure sectors to regularly coordinate and
conduct live-fire cyber training sessions that give critical
infrastructure owners and operators the chance to further
partner with the government, their sector, and cross-sector in
putting their cyber defense and resiliency plans into action.
Response plans and mitigation strategies are foundational to
any organization's cyber posture, but those plans are
meaningless if critical infrastructure owners and operators
have never executed them in real time under real circumstances.
Right now, the opportunities for most organizations to
undertake these tests as well as for cyber defenders to train
so they are skilled against world-class and nation-state
opposition forces are limited. But Congress can make these
opportunities more widely available. The NCTC would be modeled
after the U.S. Army's National Training Center, a large, live-
fire and maneuver training area at Fort Irwin, Calif.
2. Create a National Cyber Academy.--Congress should establish the
National Cyber Academy (NCA), which would be mostly virtual but
also a physical educational institution based on the current
model for U.S. military academies. It could help build a strong
cyber talent pipeline for both the public and private sectors.
As discussed earlier, there are not enough cybersecurity
professionals to fill all currently open roles, and this gap is
only poised to grow over the next several years in both the
public and private sectors. To help close this gap, I would
propose the establishment of the NCA to help build a strong
cyber talent pipeline based on common education and skill-based
requirements. To address the needs of both the public and
private sectors, the NCA would have two tracks: A traditional
military academy-style CISA Cadet track and an open public-
access track. The CISA Cadet track would mirror the traditional
military academy processes and procedures, ending with a multi-
year commitment to join CISA. This would enable CISA to have a
consistent pipeline of well-trained staff to support CISA's
mission as it continues to broaden in scope. The public-access
track would give anyone the opportunity to enhance skills
through certifications/classes that have been curated, vetted,
and widely accepted within the public and private sector. This
would lower the barrier for entry to a cybersecurity career
while giving people a clear path to demonstrate their
cybersecurity knowledge without the need of a traditional 4-
year degree.
3. Develop Within CISA a Cybersecurity Education Pathway Program.--
Congress should create a cybersecurity education pathway
program within CISA that would help high school and college
students build foundational cyber skills while increasing the
visibility of cybersecurity as a career path and helping to
develop a long-term, sustainable, and scalable talent pipeline.
Addressing the cyber workforce challenge requires not only
filling the roles that are currently open but also taking steps
to address the needs of tomorrow. This pathway would ultimately
unify the many existing educational programs into one
comprehensive development track built on the same
infrastructure as the NCA (explained above). It would give
students the ability to validate their cyber education in a way
that is recognized and accepted by the private sector, making
it simpler for them to begin their careers.
4. Establish a Tour-of-Duty Cyber Force Program Within CISA.--
Congress should establish a tour-of-duty Cyber Force program
within CISA. This program would bridge urgent talent gaps,
enable the members of the cyber workforce to enhance their
skills, and support on-going efforts to deepen public-private
collaboration. Security practitioners would volunteer for a 1-
to 2-year tour of duty before returning to the private sector
and could serve as designated CISA liaisons to facilitate
public-private threat sharing and collaboration during times of
cybersecurity crisis. To further incentivize broad
participation in this program, participating organizations
would receive tax credits or other similar benefits.
5. Expand the Cybersecurity Talent Initiative.--Congress should
appropriate additional funding to expand the Cybersecurity
Talent Initiative, a public-private partnership aimed at
recruiting and training a world-class cybersecurity workforce.
Through the Cybersecurity Talent Initiative, Mastercard and
other private-sector organizations partner with the Federal
Government to cultivate cybersecurity talent for both the
public and private sectors. In this unique program,
participants serve 2 years in the Federal Government. Before
the end of their Federal service, participants are invited to
apply for full-time positions with the program's private-sector
partners. By working for Federal organizations and cutting-edge
private-sector companies, participants develop the skills and
knowledge needed to protect our country's digital
infrastructure and tackle cybersecurity threats.
6. Enhance Global, Sector-Agnostic Intelligence Sharing and
Analysis with the Private Sector and Allied Governments.--
Congress should enhance CISA and the appropriate Federal
agencies' ability to create and participate in global, sector-
agnostic intelligence sharing and analysis work with private-
sector participants and allied governments. Unlocking the
shared ability to analyze incidents, review attack vectors and
spot trends across sectors is key to the continued ability to
defend against cyber attacks. Cyber crime is not constrained by
borders, political jurisdictions, or sectors. Threat actors
attack targets around the world, using information gained along
the way to improve their approach. The Federal Government and
industry have limited intelligence-sharing capabilities that
span the entire threat landscape. The digital ecosystem would
be better equipped to defend itself if participants had
enhanced capabilities to analyze incidents, review attack
vectors, and spot trends across sectors, geographies, and
governments.
7. Promote the Harmonization of International Cybersecurity
Standards, Regulations, and Risk Management Frameworks.--
Congress should adopt industry-led and internationally-accepted
standards, regulations, and risk management frameworks to
support global cybersecurity, digital trade, electronic payment
services, fintech, and emerging technologies. The world is
witnessing record levels of cyber attacks and this is in part
due to the lack of a global consensus to address systemic
cybersecurity challenges. Policy makers should also collaborate
with private-sector leaders that have experience aligning
industry-leading best practices and standards around current
and emerging technology. Having multiple standards,
regulations, and risk management frameworks globally is
unnecessarily complicated and costly to comply with due to the
web of National and regional regulations. Under current
cybersecurity requirements, companies must juggle many
competing laws across jurisdictions. There are also conflicting
definitions of what constitutes a cybersecurity incident and
what should trigger a notification to regulators and consumers.
This impacts interoperability and impedes open systems and
innovation. The global harmonization of cybersecurity
standards, regulations, and risk management frameworks would
benefit industry and governments by lowering risk, reducing
costs, and furthering innovation. Thus, it is critical to
foster partnerships among allied governments and the private
sector that will help shape the standards, regulations, and
risk management frameworks that apply to cybersecurity.
8. Strengthen the Collaboration Between the Critical Infrastructure
Owners and Operators and the Intelligence Community.--Congress
should direct CISA and the appropriate Federal agencies to
strengthen active and collaborative support and engagement
between the intelligence community (IC) and critical
infrastructure owners and operators on cyber threats. Increased
communication between the IC and industry is needed to better
protect critical infrastructure. During an incident, there must
be a continuous, real-time, and bi-directional exchange of
information.
9. Enable Trusted Data Flows and Privacy.--Congress should work
with the international community to remove discriminatory and
protectionist barriers to data flows. In addition, countries
should commit to recognizing the importance of setting
standards on privacy, such as the new Trans-Atlantic Data Privacy
Framework, cybersecurity, and development of data governance
frameworks.
Thank you for the opportunity to testify in front of the
subcommittee. Today's topics are critical to the future of our Nation.
The world we're living in today looks very different than it did at the
start of the decade. The pace of change is only increasing and our
shift to a digital-first world is rapid and irreversible. Understanding
the current threat landscape and the impact of emerging disruptive
technologies is essential to our successful shared resilience
planning, ultimately helping us to guard against strategic surprise. I
am happy to answer any questions from the subcommittee.
Ms. Clarke. Thank you, Mr. Green, for your testimony.
Finally, I recognize Mr. Strayer to summarize his statement
for 5 minutes.
STATEMENT OF ROB STRAYER, EXECUTIVE VICE PRESIDENT FOR POLICY,
INFORMATION TECHNOLOGY INDUSTRY COUNCIL
Mr. Strayer. Thank you.
Chairwoman Clarke, Ranking Member Garbarino, the
distinguished Members of the subcommittee, thank you for the
opportunity to testify today. My name is Rob Strayer, and I am
the executive vice president of policy at the Information
Technology Industry Council, or ITI.
ITI represents 80 global leading technology companies
covering the entire digital ecosystem, ranging from hardware
and software producers, to digital services and cybersecurity.
Before joining ITI, I served as the deputy assistant
secretary for international cyber policy at the U.S. State
Department.
U.S. companies have long spearheaded the development of the
most innovative digital technologies. This has produced
tremendous economic growth.
In 2020, the digital economy in the United States added
$2.1 trillion in value. That represents 10.2 percent of U.S.
GDP and it was responsible for more than 7.8 million jobs.
U.S. National security also depends on continued U.S.
technological leadership. The U.S. Government relies on
leading-edge emerging technology for a wide range of
applications, including homeland security.
Today, other nations and their companies are competing to
achieve the next major technological breakthrough. In this very
competitive environment, two overarching principles should
guide U.S. policy on emerging technology.
First, the United States should adopt policies that enhance
the ability of the private sector to increase the pace of
innovation and to develop world-leading emerging technology.
The second principle is that the United States should
design security policies related to emerging technology that
are risk-based and proportionate. Unduly burdensome and
restrictive security requirements will undermine the ability to
innovate and to keep pace with global technological
competition.
Over the years, the adoption of dynamic cybersecurity risk-
management practices has produced tremendous capability
improvements for the protection of all digital technologies,
including emerging tech, and improved their resilience.
The fifth generation of wireless technology, or 5G, will
enable billions of new devices to be connected to the internet.
An increasingly connected world will also increase security
risks, including for critical infrastructure in sectors like
transportation, energy, advanced manufacturing, and health
care.
The good news is that 5G networks and standards are being
designed with security in mind from the outset, and 5G networks
will include the latest security enhancements.
5G-related security policies should be risk-based and
promote the procurement of equipment from trusted suppliers
that adhere where possible to industry-driven, consensus-based
international standards.
One important international effort occurred in 2019 when 32
countries and the private sector participated in a conference
in the Czech Republic to create a foundation for effective 5G
security risk management. That resulted in the publication of a
document known as the Prague 5G Security Proposals.
The National Institute of Standards and Technology and CISA
also have developed risk-based 5G security assessment tools and
mitigation measures.
The billions of devices comprising the internet of things
create immense opportunities for our society, but they also
increase the attack surface area for malicious cyber actors
seeking to exploit them.
IoT devices need to be secure and resilient. NIST, with
stakeholder input, has developed guidance to IoT device
manufacturers and IoT labeling for consumers. Congress should
support continued public-private cooperation on IoT security.
The mass amounts of data made available by 5G networks and
IoT devices will further innovations in artificial
intelligence. NIST is also at the forefront of developing a
voluntary AI risk-management framework. Organizations will be
able to use this to mitigate security risks and other
challenges associated with AI applications.
In my remaining time I would like to summarize three of the
recommendations in my written testimony.
First, Congress should finalize negotiations on the
Bipartisan Innovation Act. Both the House and the Senate in
their respective bills would reinvigorate Federal research and
development in key technological areas, including
cybersecurity.
These bills also embrace bold new investments to production
design of semiconductors and for the secure deployment of 5G
network hardware and software that utilizes radio access
network open architecture.
Second, Congress should encourage CISA to leverage the IT
Sector Coordinating Council, which brings together the U.S.
Government and private-sector stakeholders to better understand
the scope of threats related to emerging technologies.
Of note, the IT Sector Coordinating Council has launched an
Emerging Technologies Working Group. It is aimed at helping
CISA better understand cybersecurity threats and
vulnerabilities related to emerging technologies.
Third, Congress should continue to fund and support NIST's
work on artificial intelligence, IoT security, and 5G security.
NIST also is undertaking helpful work on post-quantum
cryptography by seeking to standardize quantum-resistant
cryptographic algorithms.
Thank you again. I look forward to your questions.
[The prepared statement of Mr. Strayer follows:]
Prepared Statement of Rob Strayer
June 22, 2022
Chairwoman Clarke, Ranking Member Garbarino, and distinguished
Members of the subcommittee, thank you for the opportunity to testify
today. My name is Rob Strayer and I'm the executive vice president of
policy at the Information Technology Industry Council (ITI).\1\ I lead
ITI's global policy team, driving ITI's strategy and advocacy efforts
to shape technology policy around the globe to enable secure
innovation, competition, and economic growth, while supporting
governments' efforts to achieve their public policy objectives. ITI is
the premier advocate and thought leader in the United States and around
the world for the information and communications technology (ICT)
industry. We represent leading companies from across the ICT sector,
including hardware, software, digital services, semiconductor, network
equipment, cybersecurity, internet companies, and other organizations
using data and technology to evolve their businesses.\2\
---------------------------------------------------------------------------
\1\ The Information Technology Industry Council (ITI) is the
premier global advocate for technology, representing the world's most
innovative companies. Founded in 1916, ITI is an international trade
association with a team of professionals on four continents. We promote
public policies and industry standards that advance competition and
innovation world-wide. Our diverse membership and expert staff provide
policy makers the broadest perspective and thought leadership from
technology, hardware, software, services, manufacturing, and related
industries. Visit https://www.itic.org/ to learn more.
\2\ See ITI membership list at: https://www.itic.org/about/
membership/iti-members.
---------------------------------------------------------------------------
Prior to joining ITI, I served as the deputy assistant secretary
for cyber and international communications and information policy at
the U.S. State Department. In that role, I led dozens of bilateral and
multilateral dialogs with foreign governments on digital economy
regulatory and cybersecurity issues. In 2018, I was the U.S. ambassador
for the U.S. delegation to the International Telecommunication Union
(ITU) Plenipotentiary Conference in Dubai, United Arab Emirates. Before
joining the State Department, I was the general counsel for the U.S.
Senate Foreign Relations Committee.
Companies in the United States have long spearheaded the
development of the most innovative and cutting-edge technologies. These
technologies have produced tremendous growth for the United States and
transformed the global economy. In 2020, the digital economy in the
United States accounted for $2.14 trillion of value added (translating
to 10.2 percent of U.S. GDP), $1 trillion of compensation, and 7.8
million jobs.
U.S. National security depends on continued U.S. technological
leadership. This leadership drives innovation, job creation, and
economic growth domestically and makes the United States more resilient
and secure as we continue to set the pace for innovation. Remaining at
the cutting edge of developing and commercializing technologies will
ensure they are available to the private sector and the Government for
a wide range of applications, including homeland security.
Today, other nations and their companies are competing to find the
next major technological advancement. In some cases, competitor nations
and their national-champion companies go to great lengths to innovate
and achieve a market advantage.
Two overarching principles should guide U.S. policy on emerging
technology. The United States should adopt policies that enhance the
ability of the private sector and academic institutions to increase the
pace of innovation to out-compete rivals and develop globally-leading
emerging technology. With this global competition in mind, the United
States should design security policies related to emerging technology
that are risk-based and proportionate. Unduly burdensome and
restrictive security requirements will undermine the ability to
innovate and compete in global markets, as well as keep pace with the
evolution of technological capabilities.
In general, the private sector has a strong market-based incentive
to protect technology from compromise and misuse, as that is the
expectation of business users and consumers. The adoption of dynamic
cybersecurity risk management practices and establishment of voluntary,
industry-led, consensus-based cybersecurity standards have yielded
tremendous capability enhancements for the protection of all digital
technologies, including emerging technology, and improved their
resilience. While these principles could be applied to any foundational
and emerging technology, below are the technology sector's views about
how they should be applied to securing 5G, artificial intelligence
(AI), and the internet of things (IoT).
SECURING 5G
Security is fundamental to successfully deploying and using 5G. The
future will be filled with exciting new applications and services that
will run on top of 5G, but an increasingly connected world will also
increase security risks, ranging from an accelerating and evolving
cybersecurity threat landscape to concerns regarding sophisticated
adversaries exploiting ICT supply chain vulnerabilities. Given this
increased interconnectedness, emerging threats can pose a danger to the
5G ecosystem more widely--for example, critical infrastructure and
services like energy, manufacturing, and utilities--if not adequately
planned for and managed. The good news is that 5G networks and
standards are being designed with security in mind from the outset, and
5G networks will include several security enhancements that will enable
business and government enterprises to confidently deploy new
applications and IoT services to harness the full value of 5G.
While investments in 5G infrastructure and the accompanying digital
transformation are well under way, consumers, businesses, and
governments should prioritize security during the implementation and
seek to leverage the security enhancements available for the first time
in 5G. Industry around the world is actively working to secure mobile
networks, including 5G. This includes investing time and resources into
developing cybersecurity technologies and services to secure 5G
networks and the applications and services running over them, helping
to educate business leaders on the importance of cybersecurity
investments, sharing operational threat information on threats
traversing mobile networks so that relevant parties can take action,
and participating in the development of relevant global 5G security
standards and reference documents. Industry and government are also
collaborating via public-private partnerships to ensure that we arrive
at the desired policy outcome of more secure 5G networks, including
operational partnerships to share information on threats to 5G, and
partnerships to further supply chain risk management best practices and
solutions. No one organization in the private or public sectors can see
all supply chain or cybersecurity threats, so it is imperative that
both sides work together to fully understand and assess the full range
of potential security threats in order to develop and implement
appropriate mitigations.
ITI and its member companies have spent significant time
considering how best to efficiently deploy the next generation of
wireless technology while simultaneously ensuring that such technology
is secure and have developed a set of 5G Policy Principles intended to
help guide policy makers as they consider how to approach this set of
issues.\3\ Below, we offer specific suggestions based upon that work.
---------------------------------------------------------------------------
\3\ ITI 5G Policy Principles and 5G Essentials for Global Policy
Makers, https://www.itic.org/policy/ITI_5G_Full_Report.pdf.
---------------------------------------------------------------------------
5G-related security policies should be risk-based. Any policy
intended to address challenges related to 5G security should be risk-
based, evidence-based, adaptable, and fit-for-purpose--i.e., such
policies should address concrete, identifiable security risks.
Governments should undertake or promote risk assessments to gain fuller
visibility into the threat landscape, including the supply chain
ecosystem and which risks can be mitigated and which ones cannot.
Policies should promote the procurement of equipment from trusted
suppliers that adhere to industry-driven, consensus-based international
standards, consider geopolitical implications of manufacturing
locations, localization and sourcing requirements, and encourage
diverse supply chains to help manage risk. In some cases, the level of
risk may justify government spending to support the replacement of
untrustworthy ICT infrastructure. In formulating any policy related to
5G security, we recommend that policy makers leverage the Prague 5G
Security Proposals,\4\ which were developed at a conference where more
than 30 countries participated, to understand relevant risk assessment
criteria and to further effective cybersecurity risk management.
---------------------------------------------------------------------------
\4\ https://www.vlada.cz/en/media-centrum/aktualne/prague-5g-
security-conference-announced-series-of-recommendations-the-prague-
proposals-173422/.
---------------------------------------------------------------------------
Additionally, 5G security policies should seek to manage the full
range of security risks to mobile network infrastructures,
applications, and services, including devices and data. For instance,
automated and distributed threats such as botnets will likely be a more
pervasive issue in the context of 5G network deployment, and emerging
technology may provide innovative cybersecurity solutions to adequately
mitigate such threats, including through the use of AI and other
automated tools.
Finally, government and industry must share responsibility and
collaborate. Government and industry share the goals of mitigating
cybersecurity threats to network infrastructures, preventing cyber
attacks, and reducing the impact of cyber crime. As in all areas of
cybersecurity, achieving these goals is a collective effort. Public-
private partnerships should be leveraged to ensure that both industry
and government arrive at the desired policy outcome of more secure 5G
networks. Industry has developed a multitude of security best practices
that can be referenced or built upon, and any new best practices should
be developed in conjunction with industry. Operational partnerships are
key as well, particularly regarding sharing information on threats to
5G. No one organization in the private or public sectors can see all
cyber threats, and industry often does not have access to Classified or
Sensitive government cyber threat intelligence. It is imperative that
both sides work together to fully understand and assess potential
threats.
SECURING ARTIFICIAL INTELLIGENCE
As innovation in Artificial Intelligence (AI) continues and the
technology itself evolves, it is important for policy makers to
consider how to harness the benefits of AI while simultaneously
addressing societal or other challenges that may emerge. For example,
malicious actors can use adversarial AI to cause machine learning
models to misinterpret inputs into the system and behave in a way that
is favorable to the attacker. To produce the unexpected behavior,
attackers create ``adversarial examples'' that often resemble normal
inputs, but instead are meticulously optimized to break the model's
performance. Malicious attackers may also attempt to influence a
system's outputs by polluting the training data on which a model or
system is trained--also known as data poisoning. Such pollution of the
data can result in faulty outputs or outcomes. As such, it is important
that businesses and the U.S. Government also invest in cybersecurity
directed at countering adversarial AI. At the same time, adversarial AI
represents an incremental threat compared to traditional cyber attacks,
so it is important that governments do not place an outsized focus on
countering it.
Furthermore, data poisoning--or when a malicious actor pollutes a
system's training data--can be viewed as a more pronounced form of data
drift, which happens when AI systems are trained on bad data. Data
drift is not due to a malicious actor attempting to manipulate the
system, but can be due to a variety of factors, like changing the input
data, a change in environment, errors in data collection, and others.
In order to mitigate risks associated with the use of AI systems,
we encourage public and private-sector stakeholders to incorporate AI
systems into threat modeling and security risk management. This should
include encouraging organizations to ensure that AI applications and
related systems are in scope for organizational security program
monitoring and testing and that the risk management implications of AI
systems as a potential attack surface are considered. We are
particularly supportive of the on-going collaborative work being
undertaken by the U.S. National Institute of Standards and Technology
(NIST) to develop a voluntary AI Risk Management Framework, which
organizations will be able to leverage to mitigate security and other
risks that may be associated with particular uses of the technology.
We also encourage policy makers to support the use of strong,
globally accepted and deployed cryptography and other security
standards that enable trust and interoperability in AI systems. The
tech sector incorporates strong security features into our products and
services to advance trust, including AI systems. Policy makers should
promote policies that support using published algorithms as the default
cryptography approach as they have the greatest trust among global
stakeholders, and limit access to encryption keys.
Although there are new risks that may be introduced with AI
technology, we also want to emphasize that AI and machine learning can
be leveraged to improve cybersecurity. Indeed, defensive cybersecurity
technology should embrace machine learning and AI as part of the on-
going battle between attackers and defenders. The threat landscape
constantly evolves, with cyber attacks that are complex, automated, and
constantly changing. Attackers continually improve their sophisticated
and highly automated methods, moving throughout networks to evade
detection. The cybersecurity industry is innovating in response: Making
breakthroughs in machine learning and AI to detect and block the most
sophisticated malware, network intrusions, phishing attempts, and many
more threats. Other examples include using AI to identify unknown IoT
devices as well as suspicious device behavior, to uncover suspicious
Domain Name System (DNS) activity, and to stop incoming threats.
Because of this, we encourage the U.S. Government to develop
policies that support the use of AI for cybersecurity purposes.
Cybersecurity tools and capabilities should incorporate AI to keep pace
with the evolving threat landscape, including attackers who are
constantly improving their highly automated methods to penetrate
organizations and evade detection. Defensive cybersecurity technology
can use machine learning and AI to more effectively address today's
automated, complex, and constantly evolving cyber attacks. When
combined with cloud, AI can help to scale cyber efforts through smart
automation and continuous learning that drives self-healing systems. To
support and enable the use of AI for cybersecurity purposes, policy
makers must carefully shape (or reaffirm) any policies related to
privacy to affirmatively allow the use of personal information, such as
IP addresses, to identify malicious activity.
SECURING THE INTERNET OF THINGS
The growth of network-connected devices, systems, and services
comprising the internet of things (IoT) creates immense opportunities
and benefits for our society. To reap the benefits of connected devices
and to minimize the potentially significant risks posed by malicious
actors seeking to exploit them, these devices need to be secure and
resilient. Unfortunately, as the number of connected people,
businesses, and devices grows, so does the potential for malicious
attacks. Today, the destructive potential of cyber attacks can
increase exponentially when such attacks leverage massive quantities of
connected IoT devices. As risks to the global digital ecosystem,
including IoT, continue to grow, so does our need to restore trust and
confidence in connected devices and the IoT and larger ecosystems to
advance not only security but economic growth and innovation. To help
policy makers and stakeholders better ensure the security of the IoT
ecosystem, ITI developed a set of IoT Security Policy Principles, which
we encourage Congress and policy makers more broadly to use as a
guide.\5\ Below are several suggestions relevant to the issues being
discussed today.
---------------------------------------------------------------------------
\5\ ITI IoT Security Policy Principles, https://www.itic.org/policy/ITIIoTSecurityPolicyPrinciples.pdf.
---------------------------------------------------------------------------
It is imperative that all stakeholders collaborate to take a
thoughtful, holistic approach to securing the various parts of networks
and complex ecosystems that make up the IoT, and not only focus on the
device. An inclusive process must focus on end-to-end security,
including security-by-design techniques and secure development life
cycles. As global concerns regarding IoT security--including concerns
about sophisticated automated and distributed threats such as botnets
that exploit insecure IoT devices--have continued to grow, policy
makers have disproportionately focused on IoT product security without
addressing the broader issues related to securing the IoT ecosystem.
Many policy proposals have only targeted individual components of the
ecosystem, rather than focusing on ecosystem security as a whole. For
instance, some policies propose that internet service providers (ISPs)
should simply shut down all botnets, or that manufacturers of billions
of devices should make them universally secure. Such overly simplistic
solutions fail to address the fundamental need to secure the ecosystem.
Regardless of which security measures are taken at the device, network,
or software level, if these components of the ecosystem are addressed
in isolation, efforts will ultimately fail. Taking a holistic view is
therefore a superior approach.
While ecosystem-wide security is important, industry-driven
consensus around baselines and standards is essential for IoT devices.
Developing a common set of best practices and secure capabilities that
are broadly applicable across all IoT devices with varying levels of
complexity and are driven by market demand will help to improve all new
IoT devices' cybersecurity. Building broad industry consensus around an
IoT security baseline will also facilitate more effective government-
industry collaboration on this issue, helping to drive interoperable
IoT security policies world-wide. In addition, establishing a core
baseline will promote globally interoperable standards and advance
innovation world-wide to improve IoT security. Governments should
continue to encourage open and international security standards to
maintain the long-term viability of the IoT and to foster solutions
that are interoperable and reusable across a variety of use case
deployments, vendors, sectors, and geographies.
To fully realize the benefits offered by IoT, governments should
promote policies that help break down barriers to connecting devices
and correlating data while protecting privacy and security. Government
bodies should examine the technologies underlying the IoT and assess
where current authority, oversight, and regulation already exist and
avoid siloed, sector-specific regulatory approaches. Policy makers and
regulators should reinforce private-public cooperation on IoT issues to
help identify cybersecurity solutions and better coordinate the many
IoT security-related policy efforts currently in progress across the
U.S. Government and globally. In the United States, the National
Institute of Science and Technology's (NIST) on-going commitment to
industry outreach in developing an IoT security framework provides an
excellent example of such cooperation.
The U.S. Government should promote global harmonization of any
mandatory IoT requirements published by individual States, sector-
specific agencies, or countries in order to prevent unhelpfully
fragmenting the global IoT security landscape. Such fragmentation would
ultimately limit the growth of a secure IoT by reducing the
efficiencies of scale in development, manufacturing, support, training,
assessment, and identification of secure IoT products. It will also
make it more difficult for industry to comply with such divergent
requirements, hampering global business and trade. The long-term
security and resilience of the internet and communications ecosystem
requires a global and holistic approach involving the adoption of
baseline security practices by stakeholders in many different
countries, industries, and segments of the ecosystem.
To combat an increasingly divergent policy environment, policy
makers should prioritize global harmonization and regulatory
cooperation to support a voluntary, industry-driven consensus around
core baseline capabilities for IoT security that are grounded in global
standards. Finally, stakeholders and consumers must understand that
connecting IoT devices or equipment to the internet is a long-term
commitment, not a one-time design and manufacturing cost. IoT security
demands dynamic, flexible market-driven solutions that are nimble and
adaptable to evolving cyber threats, including those specific to the
proliferation of IoT devices, rather than regulatory compliance
mechanisms that differ by local or national jurisdiction.
cybersecurity
As this subcommittee has recognized, cybersecurity is one
particular type of security issue impacting all digital technologies,
and it is certainly vital for the security of emerging technologies.
For ITI members, facilitating the protection of our customers
(including governments, businesses, and consumers), securing and
protecting the privacy of individuals' data, and making our
intellectual property, technology, and innovation available to our
customers to enable them to improve their businesses are core drivers
for our companies. Consequently, ITI has been a leading voice in
advocating effective approaches to cybersecurity, both domestically and
globally. Cybersecurity is rightly a priority for governments and our
industry, and we share a common goal of improving cybersecurity.
As both producers and users of cybersecurity products and services,
our members have extensive experience working with governments around
the world on cybersecurity policy. In the technology industry, as well
as banking, energy, and other global sectors, when discussing any
cybersecurity policy, it is important to consider our connectedness,
which is truly global and borderless.
The NIST Cyber Security Framework (CSF) has provided immense value
to users, within critical infrastructure, and beyond. ITI has been
engaged in NIST's CSF efforts for the better part of a decade, working
to provide constructive input and shape the Framework to make it as
useful as possible. The CSF has been a highly useful tool for
cybersecurity risk management, offering a baseline approach for
organizations seeking to institute such a process. Indeed, to the
extent the goal of the Framework was to provide a common language for
organizations, it has certainly achieved that, proving useful for
communicating about cyber risk both within and between organizations.
This is one of the major benefits of using the Framework. Mapping to
consensus standards and control sets helps to provide a common,
international understanding of the intention of the categories and
subcategories, and the Implementation Tiers provide a reference point
for organizations to evolve their cybersecurity programs.
The CSF has also provided for a risk-based, flexible approach, allowing
organizations to develop a cyber risk management program that is
appropriate for their level of risk and desired outcomes.
Even though the original target audience for the CSF was critical
infrastructure owners and operators, it is now widely adopted, and
companies and institutions developing and commercializing emerging
technologies can certainly employ the CSF for their cybersecurity--some
of which may be part of critical infrastructure supply chains. Small-
and medium-sized businesses and institutions, however, may face
resource constraints or have a lack of personnel with the skills and/or
knowledge needed to digest, understand, and apply the Framework. This
is an area worth further inquiry.
recommendations
(1) Congress should finalize negotiations on the Bipartisan
Innovation Act. Both the House and Senate in their respective bills
have embraced bold new investments in foundational technologies that
are critical for American competitiveness, including $52 billion to
incentivize American production and design of semiconductors and $1.5
billion for the Public Wireless Supply Chain Innovation Fund to support
the deployment of 5G and next-generation network hardware and software
utilizing radio access network open architecture. Both chambers' bills
also reinvigorate Federal research & development in key technology
areas, including cybersecurity specifically. This legislation is
urgently needed to strengthen our national innovation ecosystem and
translate new research into commercialized technology, which when
coupled with the bills' investments in manufacturing will result in
high-tech jobs and new firms in communities across the country.
(2) Congress should use its oversight authorities to help
coordinate and streamline Federal policy making efforts to address
cybersecurity and emerging technologies. ITI supported the recently-
passed Cyber Incident Reporting legislation, and appreciated the
collaborative approach this committee took to developing the bill and
its regulations. Since the beginning of the current Congress on January
3, 2021, there has been a plethora of bills on cybersecurity and
emerging technologies. We encourage this subcommittee and other
relevant committees to focus on the driving power of Congressional
oversight to help Federal agencies successfully and completely
implement these new requirements and various lines of effort.
(3) Congress should encourage CISA to leverage the IT Sector
Coordinating Council (IT SCC) to better understand the scope of threats
related to emerging technologies. The Information Technology Sector
Coordinating Council (IT SCC) serves as the principal entity for
coordinating with CISA and the government generally on a wide range of
critical infrastructure protection and cybersecurity activities and
issues. The IT SCC brings together companies, associations, and other
key IT sector participants, to work collaboratively with the Department
of Homeland Security and CISA, as well as other government agencies and
partners. Through this collaboration, the IT SCC works to facilitate a
secure, resilient, and protected global information infrastructure. Of
note, the IT SCC has launched an Emerging Technologies Working Group,
aimed at helping CISA better understand cybersecurity threats and
vulnerabilities related to emerging technologies, including those that
may stem from AI, 5G, and quantum information sciences. The IT SCC
recently published a set of AI Policy Principles, based upon ITI's
Global AI Policy Recommendations, which offer guidance to policy makers
around how to best leverage this emerging technology to counter
threats. Congress should encourage CISA to continue to leverage the IT
SCC, and the Emerging Technologies working group, to understand how it
should appropriately scope its work to address potential threats to
critical infrastructure moving forward.
(4) Beyond CISA and the IT SCC, Congress should encourage robust
and continuous cooperation between the U.S. Government and industry.
Policy makers and companies each have important and distinct roles to
play in addressing technology-related National security risks. The U.S.
Government has information that companies do not have about National
security threats. Companies have information that governments do not
have about their network operations and how they detect, manage, and
defend against risks to data, systems, networks, and supply chains.
Both policy makers and industry should communicate regularly and
robustly about relevant risks (consistent with limitations relating to
Classified information and business confidentiality), including through
opportunities for industry input in regulatory rule-making processes,
public-private task forces and other collaborative mechanisms, and
informal relationships between policy makers and companies.
(5) Avoid overbroad regulatory approaches, which may not serve to
mitigate security risk, and which could instead hamper innovation. As
the U.S. Government is considering how to best harness emerging
technologies while simultaneously mitigating security risks, we urge it
to carefully evaluate the costs and benefits of any regulatory approach
before adopting it. Indeed, many of these technologies are nascent, and
overbroad, ill-scoped approaches may serve to hinder innovation without
demonstrably improving cybersecurity. As such, any approach should be
appropriately targeted, proportionate, and tied to discrete security
(or other) risks. We elaborate on this suggestion in our Principles for
Improved Policymaking and Enhanced Cooperation on National Security,
Technology, and Trade.\6\
---------------------------------------------------------------------------
\6\ ITI's Principles for Improved Policymaking and Enhanced
Cooperation on National Security, Technology, and Trade, available
here: https://www.itic.org/policy/us-national-security-policymaking.
---------------------------------------------------------------------------
(6) Congress should continue to fund and support NIST work on
Artificial Intelligence, IoT security, 5G security, post-quantum
encryption, and other emerging technologies. As referenced in our
testimony above, NIST is undertaking work in many areas that will be
vital to harnessing emerging technologies while also ensuring that
risks are appropriately managed. Indeed, NIST is developing a framework
to better manage risks to individuals, organizations, and society that
may be posed by specific uses of AI. It is also undertaking work to
cultivate trust in AI technologies, including by conducting fundamental
and applied AI research, as well as establishing benchmarks and
developing metrics to help evaluate AI technologies. NIST is also
undertaking helpful work on post-quantum cryptography and is seeking to
standardize quantum-resistant public-key cryptographic algorithms,
which will be important if large-scale quantum computers are built as
they can break traditional public-key cryptography systems currently in
use. We therefore encourage continued support of these NIST efforts.
Aside from NIST, private-sector-led standardization activities, such as
in the International Standardization Organization--International
Electrotechnical Commission Joint Technical Committee-1, are also
focused on AI risk management and interoperability of quantum-resistant
cryptography.
(7) Continue to implement the recommendations stemming from the
National Security Commission on Artificial Intelligence (NSCAI). The
NSCAI report offers a plethora of recommendations for the U.S.
Government to advance trustworthy AI in different domains. Particularly
useful in this context are those recommendations pertaining to
countering adversarial AI, as well as those related to establishing
confidence in AI systems. We encourage the U.S. Government to continue
to make progress on implementing these recommendations in order to
enable innovation and protect against malicious uses of the technology.
conclusion
Future United States economic and National security depends on
continued leadership in emerging technologies. It is possible for the
U.S. Government to ensure that those technologies are secure, while
continuing to promote leading-edge innovation. A track record exists
involving AI, 5G, and IoT security of using risk-based frameworks to
address potential vulnerabilities, with significant involvement of NIST
in those efforts. The active collaboration among the Government,
especially NIST and CISA, the private sector, and other stakeholders is
essential for the evolution of frameworks that will protect and enhance
emerging technologies. As new digital technologies emerge, malicious
actors will seek to compromise them, so new frameworks will need to be
developed to address those challenges.
Ms. Clarke. Thank you, Mr. Strayer.
I thank all of our witnesses for their testimony today.
I will remind the subcommittee that we will each have 5
minutes to question the panel.
I now recognize myself for questions.
As quantum-resistant cryptography becomes available, it is
important that both the government and technology companies be
prepared to implement it into their existing systems.
Mr. Robinson, what steps have you seen the Federal
Government and/or private sector take to prepare themselves for
this transition? What more should both be doing going forward?
Mr. Robinson. Thank you, Congresswoman Clarke.
So the Government has done quite a bit. They have taken a
first step. They have established the NIST NCCoE post-quantum
cryptography opportunity to coalesce industry and Government
together.
They have also been on a journey to create the post-quantum
cryptographic algorithms. As soon as they come out, more could
be done around collaboration with industry, with government,
and international and academic partners.
Ms. Clarke. Thank you.
For years, I have been extremely concerned by the potential
harms posed by deepfakes where AI-enabled synthetic images or
recordings appear to be authentic, making it difficult for
viewers to distinguish between reality and disinformation.
To address this challenge, I have introduced the DEEPFAKES
Accountability Act to implement criminal and civil penalties
for malicious deepfakes, while directing DHS to establish a
task force to prepare for the National security implications of
deepfakes.
Dr. Lohn, to what extent do you assess that deepfake
technology already creates National security risks? What should
the Government and the private sector do today to reduce the
security risk from deepfakes going forward?
Mr. Lohn. I would like to thank you for your proposed
legislation. It is a dire need. I think that deepfakes are a
very pressing threat.
What is out there today is already at a level that I think
it poses a real threat. You can go to a website and just click
a button, it will pop up a face for you, and then you click
reload, it will give you a different face. You don't have to
have any technological sophistication to use them, which opens
up the aperture to a wide range of people.
I think that increasing knowledge of these threats is
important. But I think that what we need to do is make sure that
we do it in a way that prioritizes reliable sources.
There is a risk also in pushing too hard in publicizing
these attacks and then everybody thinks that anything they see
that they don't like is a deepfake. So we have to manage that
balance.
Ms. Clarke. Mr. Strayer, in the absence of additional
regulation, what are your member companies doing today to
ensure their technology is not being used to facilitate harmful
deepfakes?
Mr. Strayer. Thank you for that question.
Each of our member companies that is involved in the
publication of content on-line has their own internal policies
for preventing inauthentic use of their platforms. So they have
those policies.
What is really important for us is to look out globally--we
recognize the internet is global in nature--that we have a
harmonized set of regulations and best practices so that when
companies want to do business, not just in the United States,
but in Europe and other markets, that they are facing similar
types of requirements on them. So it is really important that
those be harmonized.
We very much look forward to working with you on your bill
in the future.
Ms. Clarke. Thank you.
A recurring theme in cybersecurity is the shortage of
trained cybersecurity professionals. In particular, we must
ensure we are preparing today for the cybersecurity skills we
will need in future years to address emerging technologies.
Mr. Green, your testimony lays out several recommendations
for CISA to expand its role in supporting the cybersecurity
work force. Can you elaborate on what the Federal Government
can do to support the skills necessary for emerging threats by
quantum and AI?
Mr. Robinson. Yes. Thank you, Chairwoman.
A couple things that come to mind are the opportunity to
create a cyber academy, one that is not like a brick-and-mortar
academy, but one that will allow future Federal employees and
pretty much anyone within the United States the opportunity to
take virtual classes on things that they can learn about
quantum computing and how to do that securely.
I think other programs where the Federal Government can
help students that are interested in cybersecurity and
cybersecurity of quantum, take that into the government or into
private industry.
Ms. Clarke. I thank you.
I now recognize the Ranking Member of the subcommittee, the
gentleman from New York, Mr. Garbarino, for his questions.
Mr. Garbarino. Thank you, Chairwoman.
I just want to follow up on something that the Chairwoman
just asked.
Mr. Green, you did talk about a National cyber academy. I
was going to ask if you felt it should be the need if there
would be a brick-and-mortar academy similar to, like, the Naval
Academy or West Point that we have now. So you think this could
be done? You think we can train the work force with an on-line
platform only?
Mr. Green. I actually think you can make a hybrid
environment. I think a brick-and-mortar just like the
academies, having gone through one, I think it is very contrary
to cyber. But if you have one that is more virtual, think of
like an app store for classes, some design to deliver you a
Federal employee that is dedicated to CISA and will take on the
cybersecurity mission.
But then it is also available to just the United States
public, and people can take courses like those for that CISA
cadet or classes aligned to what CISA believes. Those people
could actually enter the work force.
We have 700,000 open cybersecurity roles now. I think there
is a tremendous opportunity to just leverage something like
that to help get more talent into the field.
Mr. Garbarino. All right. Thank you. We have to do
something, because it is just going to--more and more jobs. I
think it is one of the top 20 fastest-growing occupations, is
cybersecurity jobs. So I think we have to do something.
You briefly talked about a multi-year commitment to join
CISA. What would that entail? What are you thinking about?
Mr. Green. So this is where I see it being like one of the
existing military academies. You take the certified or
qualified CISA training or degree program. Upon completion,
rather than paying back in currency, you are paying back in
time. Just like with the academies where you graduate and you
have a 5-year commitment, you graduate from the CISA virtual
academy and you are committed to 4 or 5 years in order to pay
off that debt or to complete your service for that degree.
Mr. Garbarino. So pretty much if somebody would commit to
going to work for CISA for 4 or 5 years, they could attend and
get a degree covered and the cost would be covered by the
Government. But also, your idea of this academy, regular
citizens could take and they could pay for each course that
they take?
Mr. Green. Yes. Companies could actually pay for that as
well. As part of their employment H.R. packages, there is
continuing education or education programs. You, too, could
take some of the same certifying classes that a CISA
cybersecurity professional would take and you could protect
Mastercard.
Mr. Garbarino. I appreciate it. I wasn't going to go too
much into it, but your testimony really got the wheels turning
in my head.
Mr. Strayer, you talked a lot about in your testimony, you
discussed what we are doing with 5G and the technology is real.
It is just growing at an amazing clip. But what do you see as
the--so technologies keep growing, which is great--but what do
you see as the biggest emerging technological threat to the
United States as our National security or how our economic
interests?
Mr. Strayer. Because of the very competitive nature and the
way that technology is iterative and there is always another
cycle of competition on that technology, we don't want the
United States to ever fall behind where it doesn't have access
to the best technology.
So I can't define exactly which of these many emerging
technology types that we have discussed today is the one that I
am most worried about.
But they all have potential for the United States to fall
behind if there is not sufficient investment in just what you
were talking about, the human capital, as well as setting the
right regulatory environment that allows those companies to
keep growing and innovating. That includes not just companies,
but academic institutions and others.
So it is any of these. They all are going to be very
relevant to the future.
Mr. Garbarino. So what we should try not to do here in
Congress is do something that would stop innovation and
overregulate?
Mr. Strayer. Exactly. I think the way to go about it is to
be incremental in the way that the Cyber Incident Reporting Act
did. It says let's get the data, let's think more about that,
and then not be too prescriptive.
So the incremental approach to see how industry is already
gelling around certain risk-based standards is working, and
then figure out where those gaps are and apply risk-based
analysis about whether it is worth regulating further, if it is
actually needed to be done.
Mr. Garbarino. I appreciate your answer.
I am running out of time. So I yield back. Thank you,
Chairwoman.
Ms. Clarke. I thank the Ranking Member.
The Chair will now recognize other Members for questions
they may wish to ask our witnesses. In accordance with the
guidelines laid out by the Chairman and Ranking Member in their
February 3rd colloquy, I will recognize members in order of
seniority, alternating between Majority and Minority. Members
are also reminded to unmute themselves when recognized for
questioning.
The Chair recognizes for 5 minutes the gentlewoman from
Texas, Ms. Sheila Jackson Lee.
Ms. Jackson Lee. Thank you so very much, Madam Chair. I
really do appreciate this hearing and also the experts that
have discussed the issue of technology.
Let me ask this question really as quickly as I can to all
of the witnesses, and starting with Mr. Robinson.
We know that the U.S. policy framework for securing
critical infrastructure, I think it is called the Presidential
Policy Directive 21, PPD-21, has been at the status quo level
for a very long time.
The first question I want to ask is, from your perspective,
with the new technology, what is the most severe security
threat you perceive that we have that would be impacting
Americans in the private sector in particular, but also public?
How do we modernize this Presidential policy directive?
Starting with Mr. Robinson.
Mr. Robinson. Thank you, Congresswoman Jackson Lee, for the
great question.
Our critical infrastructure needs to be protected.
Essentially, NIST has post-quantum cryptography algorithms that
have been under evaluation for some time, and we need those
algorithms today so we can start remediation of our critical
infrastructure, the banking industry and the telecommunications
industry, all industries which underpin our economic and our
communication systems.
We essentially need to secure our internet, which is the
pipes that run our economy.
Essentially, having cryptography that is what I would call
cryptography that is unsecure is like having the pipe. It is
pervasive and we need to change our pipe.
Ms. Jackson Lee. Very good.
Mr. Green, I will go with you next and then Mr. Lohn.
Mr. Green, the greatest threat? Can we modernize our
Presidential order?
Mr. Green. Congresswoman, one of the greatest threats that
I think that is out there is the ``unintended insider,'' which
is people that you can fool into doing things that would
compromise your company or leave a vulnerability open to you.
So the more that we can educate or help inform everyday
Americans about some of the basic security requirements or
hygiene, I think that is still a huge opportunity that will
help the individual American, but also the companies that they
are a part of.
When it comes to updating the Presidential directive, I
don't have that consideration for you now, but I am happy to
come back with a more fulsome answer for you.
Ms. Jackson Lee. That would be very good. Thank you so very
much.
I am trying to get to another question.
Mr. Lohn, I believe?
Mr. Lohn. Yes. Then I will go very quickly.
I think that there are two to be very concerned about.
One is about the largest impact is about critical
infrastructure. There are adversary nations with intent and
capability to--well, with capability and not yet intent to
disrupt our infrastructure, like the pipelines or electricity
grid. If that intent were to come around, that would be very
bad.
Where they do have intent and capability is in espionage
and in misinformation, and we are seeing those daily.
Ms. Jackson Lee. We are seeing them quite frequently.
Mr. Strayer.
As I do that, I hope that I will have enough time to ask
the question almost as if we were in an emergency condition and
some incident happened around the Nation. The question would be
whether the U.S. Government is able to triage support to the
Nation's most vital regionally or nationally significant assets
if there was a crisis.
Mr. Strayer, you may want to take the greatest threat and
whether we are able to meet that threat, whether we could
triage. Maybe I will have time for somebody else to answer that
as well.
Mr. Strayer. Yes, thank you for that question.
The Department of Homeland Security, especially CISA, has
matured its capabilities over time. So I think we are in a much
better position to do that kind of triage than we were, say, a
decade ago, but there still remains work to be done there.
Ms. Jackson Lee. Anyone else want to take that? Are we
ready to be able to respond to a crisis from the Government's
perspective from what you have seen or what you know? We know
CISA has done great work.
Mr. Green. So I think CISA has done a great deal of work. I
think they are working on an effort to help get to National
prioritization of assets. That will require a lot more
continued work and focus. The opportunity is there. It is just
work that has to be done and must be done.
Ms. Jackson Lee. Great.
Anyone else? Seconds on the clock. OK.
Let me thank you very much for this hearing and also for
the insight of the witnesses. I know that we will be
collaboratively working together.
Thank you. I yield back.
Ms. Clarke. The gentlelady yields back.
The Chair now recognizes for 5 minutes the gentlewoman from
Tennessee, Mrs. Harshbarger, for 5 minutes.
Mrs. Harshbarger. Thank you, Chairwoman and Ranking Member.
Thank you for the witnesses for being here today.
With the quantum and with the cybersecurity issues we face,
when you find out the Government has been hacked in so many
ways and it takes the private sector to tell us, that is a
problem in my eyes.
I want to start with Mr. Robinson.
You talked about basically by the end of the decade we
could do some quantum busting. We know that China is ahead of
us in AI. I mean, where is China's progress? Where are they at
with this quantum busting? Do you have any idea, sir?
Mr. Robinson. Bottom line up front, conventional wisdom is
10 years. I am in a position only to discuss how we see where
the time line lies. I would have to defer to others on what
other nation-states are doing.
I can say that there is significant investment and we need
to invest equally.
Mrs. Harshbarger. Yes. I totally agree.
Mr. Green, I have a question for you. Since Mastercard is
used all over the world basically, what is the relationship
between data privacy and cybersecurity in your eyes?
I want to know your thoughts on cyber insurance, too, for a
lot of companies and how that affects things. Is it good, bad,
or indifferent? Does it give us a sense of false security? If
you will elaborate a little bit on that.
Mr. Green. Sure. Cybersecurity and privacy should be hand-
in-hand. I mean, they are at Mastercard. Our belief on privacy
is a person should know and be able to control the information
that we or any organization has, and we use those principles as
we do our work around the globe.
When it comes to insurance, I think there is an opportunity
to do a lot of good there. I think the cyber insurance
industry, it has matured a lot along the way, but I think there
is still an opportunity for it to get better about knowing and
understanding the security maturity of an organization that is
acquiring the insurance.
That will help to drive better behavior, because the more
that you can demonstrate the proper level of maturity, the
lower your rates should be and the more coverage you should
get.
So there is an opportunity there. I don't think it is where
we need it to be just yet.
Mrs. Harshbarger. Absolutely.
Going back to the National cyber training center, I think
that has been thrown around and discussed by different
colleagues as far as like an academy or what have you.
You are telling me that we are down 700,000, we have
openings for 700,000 cybersecurity roles basically. I had heard
that it was close to a million.
That is unbelievable, that we would have that many
openings. But it is all about the training aspects, and we need
to address that in so many ways.
There are so many questions that I have. It is just how do
we stay ahead of these, just like the deepfakes, the writing of
text?
How does anybody--anybody can answer this--how do we stay
ahead of that? How do we know the information we are getting is
not going to change our opinion or even here in Congress affect
how we legislate basically?
I think--I can't remember which one was talking about the
deepfakes. Who has access to this and who is doing this
basically?
Mr. Lohn. Thank you. I believe that that was me.
With deepfakes technology you can create images. Anybody
can do it. It is not that hard to do. To do video is harder, but
individuals can do it.
The text until recently was only a couple of technology
giant companies. But in the last couple months some highly
effective models have been released. So anybody has access to
that as well. So we need to be aware of the threat that is
coming and existing.
Now, people having the ability to use these things and
having them actually use them are different things. We haven't
seen too much that is really clear that they are being used
maliciously. So that is promising.
We are also starting to be more aware of them in more cases
public discussion is raising. So we also want to just watch the
sources, certain places.
The big advantage of deepfakes and tech generation is that
you can make lots of it, but you can only distribute lots if
people are allowed to distribute lots of them. So you can
monitor in that sense, too.
Mrs. Harshbarger. I appreciate your being here.
I will yield back. Thank you.
Ms. Clarke. The gentlelady yields back.
The Chair now recognizes for 5 minutes the gentlewoman from
New York, Miss Rice.
Miss Rice. Thank you so much, Madam Chairwoman.
Stony Brook University on Long Island, of which I represent
a piece, is one of the foremost academic institutions
developing innovative quantum technologies and building our
understanding of how to apply them to real-world uses, like
superdense coding and quantum encryption.
In fact, one of Stony Brook's quantum communication
networks passes right through my home town of Garden City.
Stony Brook is a member of the Quantum Economic Development
Consortium, or the QED-C, which aims to foster and grow the
U.S. quantum industry with Federal support. It also came about
pursuant to legislation that was passed by this House in 2018.
Mr. Robinson, you have emphasized the important role
academia and research institutions like Stony Brook will play
in conducting fundamental quantum research and migrating our
world to quantum computing networks. Some of our most important
work is already coming out of Government-backed collaborative
projects like QED-C.
How can Congress and Federal agencies continue to support
initiatives like QED-C and further develop a robust and nimble
quantum research ecosystem? Are there particular programs or
initiatives that have been especially successful so far?
Mr. Robinson. Thank you, Congresswoman Rice. Thank you for
the continued support of QED-C.
I am currently the Quantum Economic Development Consortium
Workforce chairman, and there are many efforts under QED-C that
are on-going that are providing bridges to universities
throughout our Nation, to include Stony Brook.
Stony Brook, in partnership with Brookhaven National
Laboratory, participates in the IBM Quantum Network. Through
this network, IBM hosts developer boot camps, hackathons,
hands-on training, open-source IBM Quantum Experience, which is
our cloud service.
We also support Brookhaven's National Quantum Initiative
DOE Center, and Stony Brook is a part of that. QED-C is heavily
involved with collaboration, not only in the United States, but
also with our allies and partners. So continued funding of NIST
to support QED-C is imperative in my view.
There is a diversity and inclusion program at QED-C, which
I am a part of, as a team. There is an emerging technology
group.
So we are very thankful of the Quantum Economic Development
Consortium for the collaboration work that they do, and we
encourage you to continue to fund them.
Mrs. Harshbarger. OK. That is good to hear.
Mr. Green, in your role at Mastercard and as chair of the
Financial Services Sector Coordinating Council, you lead
Mastercard's own threatcasting work and are tasked with
synthesizing your insights with those drawn from your industry
peers.
How can CISA and the Federal Government better incorporate
threatcasting and forward-looking perspectives as we develop
quantum technology?
How can we better coordinate with our global allies,
because this has to be a global effort with our allies as we
work to predict and understand these potential threats to our
National and economic security?
Mr. Green. Thank you, Congresswoman Rice.
The threatcasting is a framework that helps people think
through what possible futures are. I think CISA is actually
well-positioned to connect to subject-matter experts. The power
of threatcasting is you have to be able to access subject-
matter experts in order to answer the pertinent question that
you are trying to address. So having the current relationships
with the wide array of folks that they have now.
Then it will work globally as well. I just came back from
Dublin where we did our second half of the year threatcasting.
We used teams, even government officials from the local Irish
government and also from the European Union, as a part of our
subject-matter expert base.
Then the power of the threatcasting is also in you predict
the future and then you do a backcast that figures out, when a
future is happening, what kind of protective steps or measures
you can implement to deflect or stop that bad future from
becoming true.
Miss Rice. Thank you so much to all the witnesses.
I yield back the balance of my time, Madam Chairwoman.
Ms. Clarke. I thank the gentlelady.
The Chair now recognizes for 5 minutes the gentleman from
New York, Mr. Torres.
Mr. Torres. Thank you, Madam Chair.
Thinking about emerging technologies has me feeling like we
are destined to live in a dystopia of undetectable deepfakes
and disinformation.
Are there or will there be deepfakes that are so seemingly
real as to evade detection by even our best experts with our
best tools of analysis, Doctor?
Mr. Lohn. Yes. I think the short answer is yes. But we
should keep working to advance our detection ability. But we
might need to shed some of our effort from just detecting what
is a deepfake to its provenance, how did it come to be, and
that might be a better long-term solution.
Mr. Torres. In the wake of SolarWinds, the Federal
Government has prioritized harnessing the power of AI to create
endpoint detect and response systems that can detect anomalous
behavior on a network.
Is there presently AI technology that could have prevented
SolarWinds' intrusion or could have detected it earlier?
Mr. Lohn. Not that I am aware of, no. I would have to look
into the details of that specific attack. But it is very
difficult--yes, not that I am aware of.
Mr. Torres. OK.
Mr. Robinson, I am going to follow up. You have been asked
about quantum computing.
Is the Federal Government acting swiftly enough to develop
a quantum-resistant cryptography?
Mr. Robinson. We are thankful for the National Quantum
Initiative investment by the Federal Government. But the answer
as far as post-quantum cryptography, we need those NIST
algorithms today. We need those NIST post-quantum cryptographic
algorithms to start to do remediation.
On the quantum computing side, there is a lot of work force
development that needs to occur. The average person still
doesn't really understand what quantum computing is. So the
Government can do more to effect that.
Mr. Torres. China will ultimately develop the capacity to
launch cryptographic attacks from a quantum computer, attacks
capable of breaking traditional encryption.
Are you confident that we are going to develop quantum-
resistant cryptography before then?
Mr. Robinson. Yes, I am confident. NIST took the approach
of having multiple algorithms, and there is new technology for
cryptographic agility that will give us an ability to swap that
in and out.
The challenge is, is that we won't know when that occurs.
So we have to be prepared now.
Mr. Torres. To what extent--are we lagging behind China
when it comes to investing in quantum computing? Are you
confident that the COMPETES Act in the House and the USICA in
the Senate are sufficient to close the gap?
Mr. Robinson. I am not in a position at this time to have
confidence that we will make it. But I do know this: We must
pass the USICA Act if we want to be able to thwart the threat.
The USICA Act and the Innovation Act are critical.
Mr. Torres. Mr. Green, just to follow up on a question that
Congress Member Rice asked about threatcasting.
How would that apply to preparing for the future security
risk of 6G, which is set to be rolled out or projected to be
rolled out by 2030? Would that be an example of threatcasting
at work?
Mr. Green. Yes. I would say that is a perfect opportunity
to leverage threatcasting. It would require us to pull in the
subject-matter experts around 6G communications.
You would want policy experts, different business experts
that would be affected by it. Then you give them the
opportunity to think of the worst-case scenarios that could
manifest themselves related to the implementation of the new
technologies.
Then you do the backcast. Again, the backcast from the
possible future is the most important part because you can put
in flags.
In backcasting you develop flags so that as a future is
unfolding, if it is unfolding on the planned 10 years, you will
see the flags manifest themselves along the way to the 10
years. So you will know if it is going to be a 5-year future or
a 15-year future.
Then the reactive leverage you put in place gives you
potential solutions to drive on if a future is starting to come
true.
Mr. Torres. Then I will try to quickly squeeze in a
question.
What efforts are being undertaken to ensure that the
encryption of blockchain is quantum resistant? I will leave it
at that.
Mr. Robinson. Thank you, Congressman Torres.
So the same cryptographic algorithms that NIST is working
on can be applied in that space. Essentially they are KEMs and
digital signatures, which could be applied to blockchain. As I
mentioned, it underpins our banking, our telco industry, and
essentially affects our economy.
This is furthermore a reason why NIST should have
continuous funding for NCCoE and the program to coalesce the
Government, as well as industry, around post-quantum
cryptography.
Ms. Clarke. The gentleman yields back.
I want to thank the witnesses for their valuable testimony
and the Members for your outstanding questions today.
The Members of the subcommittee may have additional
questions for the witnesses, and we ask that you respond
expeditiously in writing to those questions.
The Chair reminds Members that the subcommittee record will
remain open for 10 business days.
Without objection, the subcommittee stands adjourned.
[Whereupon, at 3:37 p.m., the subcommittee was adjourned.]