[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]



 
SECURING THE FUTURE: HARNESSING THE POTENTIAL OF EMERGING TECHNOLOGIES 
                    WHILE MITIGATING SECURITY RISKS

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                       PROTECTION, AND INNOVATION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 22, 2022

                               __________

                           Serial No. 117-63

                               __________

       Printed for the use of the Committee on Homeland Security
       
       
                                     


                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                               
              U.S. GOVERNMENT PUBLISHING OFFICE 
 48-856 PDF           WASHINGTON : 2022 
                             
                               
                               
                               

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Mariannette Miller-Meeks, Iowa
Yvette D. Clarke, New York           Diana Harshbarger, Tennessee
Eric Swalwell, California            Andrew S. Clyde, Georgia
Dina Titus, Nevada                   Carlos A. Gimenez, Florida
Bonnie Watson Coleman, New Jersey    Jake LaTurner, Kansas
Kathleen M. Rice, New York           Peter Meijer, Michigan
Val Butler Demings, Florida          Kat Cammack, Florida
Nanette Diaz Barragan, California    August Pfluger, Texas
Josh Gottheimer, New Jersey          Andrew R. Garbarino, New York
Elaine G. Luria, Virginia            Mayra Flores, Texas
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                                 ------                                

     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND 
                               INNOVATION

                 Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas            Andrew R. Garbarino, New York, 
James R. Langevin, Rhode Island          Ranking Member
Elissa Slotkin, Michigan             Michael Guest, Mississippi
Kathleen M. Rice, New York           Diana Harshbarger, Tennessee
Ritchie Torres, New York             Andrew S. Clyde, Georgia
Bennie G. Thompson, Mississippi (ex  Jake LaTurner, Kansas
    officio)                         John Katko, New York (ex officio)
               Moira Bergin, Subcommittee Staff Director
          Austin Agrella, Minority Subcommittee Staff Director
                    Aaron Greene, Subcommittee Clerk
                    
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Prepared Statement

                               Witnesses

Mr. Charles W. Robinson, Public Sector Leader, Quantum Computing, 
  IBM:
  Oral Statement
  Prepared Statement
Mr. Andrew Lohn, Ph.D., Senior Fellow, Center for Security and 
  Emerging Technology, Georgetown University:
  Oral Statement
  Prepared Statement
Mr. Ron Green, Executive Vice President and Chief Security 
  Officer, Mastercard International Incorporated:
  Oral Statement
  Prepared Statement
Mr. Rob Strayer, Executive Vice President for Policy, Information 
  Technology Industry Council:
  Oral Statement
  Prepared Statement


SECURING THE FUTURE: HARNESSING THE POTENTIAL OF EMERGING TECHNOLOGIES 
                    WHILE MITIGATING SECURITY RISKS

                              ----------                              


                        Wednesday, June 22, 2022

             U.S. House of Representatives,
                    Committee on Homeland Security,
                            Subcommittee on Cybersecurity, 
                                 Infrastructure Protection,
                                            and Innovation,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:31 p.m., in 
room 310, Cannon House Office Building, Hon. Yvette D. Clarke 
[Chairwoman of the subcommittee] presiding.
    Present: Representatives Clarke, Jackson Lee, Slotkin, 
Rice, Torres, Garbarino, and Harshbarger.
    Ms. Clarke. The Subcommittee on Cybersecurity, 
Infrastructure Protection, and Innovation will come to order.
    The subcommittee is meeting today to receive testimony on 
``Securing the Future: Harnessing the Potential of Emerging 
Technologies While Mitigating Security Risks.''
    Without objection, the Chair is authorized to declare the 
committee in recess at any point.
    Good afternoon.
    With each passing day, we see the pace of innovation 
accelerate exponentially. Advances in quantum computing, 
artificial intelligence (AI), 5G, and the internet of things 
present both opportunities and challenges in National security. 
As such, we must constantly reevaluate the threat landscape and 
adapt our defenses accordingly.
    Today, we will explore how to harness the potential of 
these technologies while mitigating the security risks 
associated with them. In doing so, we will discuss how the 
Federal Government and the private sector can better work 
together to anticipate future threats stemming from emerging 
technologies, inform international standards, and protect U.S. 
economic and National security interests.
    Quantum computing, for example, is a transformative, 
sophisticated computing system that can operate at higher 
speeds and process large amounts of data in shorter periods of 
time. The National Academy of Science predicts that this 
technology could improve machine learning, sensor technology, 
electronic warfare capabilities, and communications, among 
other things.
    Our adversaries have also taken note of the potential that 
quantum computing presents. China and other state actors are 
investing in quantum in pursuit of gaining a strategic 
advantage over the United States.
    We expect, for instance, that quantum computers will be 
able to break conventional encryption standards, which could 
expose sensitive information held by the U.S. Government, 
military, and the private sector.
    As the global competition for quantum supremacy continues, 
the United States must not only work to innovate in this space, 
but proactively mitigate against threats posed by adversaries.
    For its part, the Biden administration has provided 
much-needed White House leadership on the United States' quantum 
technology strategy. Last month, President Biden signed an 
Executive Order and a National security memorandum to preserve 
the United States' position as the global leader in quantum 
computing.
    Together, these documents chart a course for public-private 
collaboration in the following key areas: Developing and 
deploying quantum-resistant encryption on Federal networks; 
educating non-Federal entities about risks to encryption from 
quantum computing; and promoting U.S. supremacy in this space.
    Turning to AI, there is broad agreement that it has 
security applications that could enable network defenders to 
automate threat detection and prioritize response, spot 
irregular network activity, and better detect new malware.
    At the same time, there is concern that hackers will be 
able to exploit vulnerabilities in AI for nefarious purposes.
    We have already seen advantages in AI fostering conditions 
for the growing speed of deepfakes, which is a class of 
synthetic media that appears to be authentic.
    As deepfake technology becomes more sophisticated, experts 
anticipate that it will be used to further sow political 
tensions, disrupt public confidence in election outcomes, 
violate human rights, and facilitate criminal activity.
    That is why I have introduced the DEEPFAKES Accountability 
Act to implement criminal and civil penalties for malicious 
deepfakes. My legislation also directs DHS to establish a task 
force to better prepare for the National security implications 
of deepfakes.
    Emerging technologies carry with them National security 
implications and should be developed in a manner that protects 
National security.
    This hearing comes at a critical time, as the House and 
Senate are engaged in a conference committee on the America 
COMPETES Act, which passed the House earlier this year. We have 
a historic opportunity to preserve the United States' place as 
a global leader in emerging technologies and chart a course for 
further advancement well into the future.
    As we close in on this urgent need, it is incumbent upon us 
to make sure that economic security and National security are 
part and parcel of how we support innovation.
    I want to thank our witnesses for joining us today, and I 
look forward to our discussion.
    [The statement of Chairwoman Clarke follows:]
                Statement of Chairwoman Yvette D. Clarke
                             June 22, 2022
    With each passing day, we see the pace of innovation accelerate 
exponentially. Advances in quantum computing, artificial intelligence 
(AI), 5G, and the internet of things present both opportunities and 
challenges in National security. As such, we must constantly reevaluate 
the threat landscape and adapt our defenses accordingly.
    Today, we will explore how to harness the potential of these 
technologies while mitigating the security risks associated with them. 
In doing so, we will discuss how the Federal Government and the private 
sector can better work together to anticipate future threats stemming 
from emerging technologies, inform international standards, and protect 
U.S. economic and National security interests.
    Quantum computing, for example, is a transformative sophisticated 
computing system that can operate at higher speeds and process large 
amounts of data in shorter periods of time. The National Academy of 
Science predicts this technology could improve machine learning, sensor 
technology, electronic warfare capabilities, and communications, among 
other things. Our adversaries have also taken note of the potential 
that quantum computing presents.
    China and other State actors are investing in quantum in pursuit of 
gaining a strategic advantage over the United States. We expect, for 
instance, that quantum computers will be able to break conventional 
encryption standards, which could expose sensitive information held by 
the U.S. Government, military, and the private sector. As the global 
competition for quantum supremacy continues, the United States must not 
only work to innovate in this space but proactively mitigate against 
threats posed by adversaries.
    For its part, the Biden administration has provided much-needed 
White House leadership on the United States' quantum technology 
strategy. Last month, President Biden signed an Executive Order and a 
National Security Memorandum to preserve the United States' position as 
the global leader in quantum computing. Together, these documents chart 
a course for public-private collaboration in the following key areas: 
Developing and deploying quantum-resistant encryption on Federal 
networks, educating non-Federal entities about risks to encryption from 
quantum computing, and promoting U.S. supremacy in this space.
    Turning to AI, there is broad agreement that it has security 
applications that could enable network defenders to automate threat 
detection and prioritize response, spot irregular network activity, and 
better detect new malware. At the same time, there is concern that 
hackers will be able to exploit vulnerabilities in AI for nefarious 
purposes. We have already seen advances in AI fostering conditions for 
the growing spread of deepfakes, which is a class of synthetic media 
that appears to be authentic.
    As deepfake technology becomes more sophisticated, experts 
anticipate that it will be used to further sow political tensions, 
disrupt public confidence in election outcomes, violate human rights, 
and facilitate criminal activity. That is why I have introduced the 
DEEPFAKES Accountability Act to implement criminal and civil penalties 
for malicious deepfakes. My legislation also directs DHS to establish a 
task force to better prepare for the National security implications of 
deepfakes. Emerging technologies carry with them National security 
implications and should be developed in a manner that protects National 
security.
    This hearing comes at a critical time, as the House and Senate are 
engaged in a conference committee on the America COMPETES Act, which 
passed the House earlier this year. We have a historic opportunity to 
preserve the United States' place as a global leader in emerging 
technologies and chart a course for further advancements well into the 
future. As we close in on this urgent need, it is incumbent upon us to 
make sure that economic security and National security are part and 
parcel of how we support innovation.

    Ms. Clarke. The Chair now recognizes the Ranking Member of 
the subcommittee, the gentleman from New York, Mr. Garbarino, 
for an opening statement.
    Mr. Garbarino. Thank you, Madam Chair, for holding this 
critical conversation regarding new and emerging technologies 
and their implications for the security and longevity of the 
United States.
    I would like to thank our witnesses for being here today, 
and I look forward to a constructive dialog.
    Cyber incidents are growing increasingly complex, with 
threat vectors and opportunities for attacks rising as quickly 
as new technologies develop.
    With this expanding threat landscape comes both risk and 
opportunity. Given technologies such as quantum computing, 
artificial intelligence, and deepfakes, coupled with potential 
for malicious adversarial nation-states and criminals, this 
topic is timely and important.
    It is paramount that the U.S. Government ensures our cyber 
capabilities and maintains pace with lightning speed evolution 
of technological change. Striking the proper balance between 
security and harnessing technological innovation is critical in 
maintaining an edge against our adversaries and criminal 
entities in ensuring National prosperity.
    As the lead for coordinating Federal civilian 
cybersecurity, CISA will continue to play a vital role securing 
our Federal networks and critically important infrastructure as 
we witness the emergence of new technologies.
    This effort to develop a Federal cloud security strategy to 
define transparent cyber incident reporting requirements and to 
work with Federal partners, such as NIST, to develop network 
and software standards will go a long way in this fight.
    As we prepare for new tech capabilities on the horizon, 
CISA is uniquely equipped to lead the Federal Government on 
cybersecurity measures. I look forward to supporting CISA as it 
adapts and evolves to address the challenges ahead.
    As the Ranking Member of this subcommittee, I have always 
prioritized industry input. I believe that Congress must 
appropriately consult with players such as each of our 
witnesses today to implement practical legislation that will 
successfully play out in the real world.
    Given this, I look forward to hearing from our witnesses on 
their particular emerging technology focus.
    I specifically look forward to hearing from Mr. Rob 
Strayer, executive vice president of policy at the Information 
Industry Council. I trust Mr. Strayer can provide a valuable 
perspective on emerging technologies' resulting cybersecurity 
challenges and opportunities.
    I am also pleased to hear from Mr. Ron Green, here not only 
as chief security officer for Mastercard, but also, 
importantly, as chairman of the U.S. Secret Service Cyber 
Investigation Advisory Board.
    I, again, thank the Chairwoman for holding this important 
hearing today.
    [The statement of Ranking Member Garbarino follows:]
              Statement of Ranking Member Andrew Garbarino
    Thank you, Madam Chair, for holding this critical conversation 
regarding new and emerging technologies, and their implications for the 
security and longevity of the United States. I would like to thank our 
witnesses for being here today. I look forward to a constructive 
dialog.
    Cyber incidents are increasing at a staggering rate, with threat 
vectors and opportunities for attack rising as quickly as new 
technologies are developed. With this expanding threat landscape comes 
both risk and opportunity.
    With technologies such as quantum computing, artificial 
intelligence, and deepfakes, coupled with the potential for malicious 
actors such as adversarial nation-state actors seeking cyber dominance 
and criminal actors seeking financial gain, this topic is timely and 
important.
    It is paramount that the U.S. Government ensures our cyber 
capabilities maintain pace with the lightning speed evolution of 
technological change. Striking the proper balance between security and 
harnessing technological innovation is critical in maintaining an edge 
against our adversaries and criminal entities, ensuring National 
prosperity.
    As the lead for coordinating Federal cybersecurity, CISA will have 
a vast role in securing our Federal networks and critically important 
infrastructure as we witness the emergence of new technologies. Efforts 
like developing a Federal cloud security strategy, ensuring transparent 
cyber incident reporting requirements are well-defined and articulated, 
and working with Federal partners like NIST to develop standards to 
keep our networks and dependencies like software secure will go a long 
way in this fight. CISA is uniquely equipped to lead the Federal 
Government on cybersecurity measures as we prepare for new tech 
capabilities on the horizon. I look forward to CISA continuing to adapt 
and evolve to address the challenges ahead.
    This hearing is an opportunity to learn from industry 
representatives about the evolving nature of cyber threats and 
technological developments which will have significant implications for 
the cyber domain and U.S. interests. I look forward to hearing from our 
witnesses on their particular emerging technology focus.
    I specifically look forward to hearing from Mr. Rob Strayer, the 
executive vice president of policy at the Information Industry Council 
(ITI). I trust Mr. Strayer can provide a valuable perspective on 
emerging technologies and resulting cybersecurity challenges and 
opportunities.
    I am also pleased to see Mr. Ron Green here, as the chief security 
officer for Mastercard but also, importantly, as the chairman of the 
U.S. Secret Service Cyber Investigation Advisory Board.
    I again thank the Chairwoman for holding this important hearing 
today.

    Ms. Clarke. I thank the Ranking Member.
    Members are also reminded that the subcommittee will 
operate according to the guidelines laid out by the Chairman 
and Ranking Member in their February 3, 2021, colloquy 
regarding remote procedures.
    Additional statements may be submitted for the record.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                             June 22, 2022
    Over the past several years, this country has seen a rapid 
proliferation of new technologies, from artificial intelligence (AI) to 
internet of things (IoT) to quantum computing. As a result of these new 
technologies, our attack surface has grown, and our adversaries have 
developed new tactics designed to directly harm U.S. democratic 
institutions, economic interests, and National security. As these new 
technologies have entered the marketplace, many became so mesmerized by 
their potential for good that we failed to appreciate and plan for the 
security consequences. With an enhanced threat landscape, we are now 
facing more cyber threats from our adversaries than ever before.
    Furthermore, our adversaries are continuing to increase their own 
capabilities to take advantage of the security vulnerabilities within 
these new technologies. The DNI's 2022 Annual Threat Assessment of the 
U.S. intelligence community noted that a growing number of state and 
non-state actors are developing novel approaches to utilize both mature 
and new technologies to directly threaten U.S. National security. We 
are already very aware that this is happening.
    There is a myriad of examples of Russia relying on its cyber and 
influence capabilities to directly threaten emerging technologies in 
the United States, including those that are upholding our democratic 
institutions and critical infrastructure. Additionally, there is 
continuing concern that Russia will employ an array of tools targeting 
various emerging technologies to retaliate against the United States 
for its sanctions in the wake of their unlawful and horrific war with 
Ukraine.
    When it comes to China, we know that they have engaged in 
intelligence gathering and economic espionage. We know they have strong 
hacking capabilities. Chinese hackers were recently able to hack 
poorly-secured IoT devices on the Indo-China border. Additionally, 
China is continuing to invest and grow in the field of quantum 
computing--this is only going to increase in the coming years, which is 
a great concern for the security value of encryption moving forward.
    Furthermore, China's AI Plan for 2030 highlights the government's 
plan to become a leader in AI, which they believe is vital to their 
military and economic position in the world. The Chinese government 
could easily take advantage of their continued work in this field and 
utilize it to directly harm U.S. interests. Notably, there are serious 
questions regarding the influence of the Chinese government in global 
standards-setting bodies related to information and communications 
technology. The unchecked influence of our adversaries in global 
standards-setting bodies would disrupt the security of supply chains 
for decades to come. Moreover, there are many unanswered questions 
regarding the Federal Government's role in regulating these technologies to 
promote strong security.
    I appreciate Chairwoman Clarke for holding this hearing today 
because it gives us an opportunity to understand the challenges 
emerging technologies present, how the private sector is proactively 
preparing for those challenges, and the right role for the Federal 
Government. We must prepare ourselves to harness the security benefits 
and economic opportunities that emerging technologies like AI, IoT, and 
quantum computing will yield, while defending ourselves against 
adversaries who would use technology against us. But the Government 
cannot do it alone.
    Achieving our National and economic security goals will depend on 
whether the Federal Government can partner with the private sector, as 
well as State and local partners, to develop policies that will enhance 
investment in emerging technology while also managing the risks 
associated with these technologies. I am eager to hear from our 
witnesses how the Federal Government can ensure both the responsible 
deployment of emerging technologies, as well as managing security 
risks.

    Ms. Clarke. I now welcome our panel of witnesses.
    First, we will hear from Mr. Charles Robinson, who serves 
as the Public Sector Quantum Computer leader for IBM. In this 
role, he is responsible for preparing the National security 
community for the Quantum Computer Age and drove the formation 
of the IBM HBCU Quantum Computer Program. A Navy veteran, Mr. 
Robinson has over 30 years of experience in engineering.
    I would also like to welcome Dr. Andrew Lohn, who is a 
senior fellow to Georgetown University's Center for Security 
and Emerging Technology, CSET, where he works on the Cyber AI 
Project.
    Prior to CSET, he was an information scientist at the RAND 
Corporation, where he led research on cybersecurity and 
artificial intelligence. Dr. Lohn has also worked at Sandia 
National Laboratories, NASA, and Hewlett Packard Labs.
    Next we will hear from Mr. Ron Green, the chief security 
officer at Mastercard. Mr. Green leads a global team that is 
responsible for a wide range of security activities, including 
corporate security, security architecture and engineering, 
business continuity, and emergency management. An Army veteran, 
Mr. Green has nearly three decades of public and private-sector 
experience in network security.
    Then, finally, I look forward to hearing from Mr. Robert 
Strayer, executive vice president of policy at the Information 
Technology Industry Council. There, he leads ITI's effort to 
shape technology policy around the globe to enable innovation 
while supporting public policy objectives.
    Prior to joining ITI, Mr. Strayer served as the deputy 
assistant secretary of state for cyber and international 
communications and information policy at the United States 
State Department.
    Without objection, the witnesses' full statements will be 
inserted into the record.
    I now ask that witnesses summarize their statements for 5 
minutes, beginning with Mr. Robinson.

STATEMENT OF CHARLES W. ROBINSON, PUBLIC SECTOR LEADER, QUANTUM 
                         COMPUTING, IBM

    Mr. Robinson. Thank you, Chairwoman Clarke and Ranking 
Member Garbarino. My name is Charles Robinson, and I am a 
quantum computing public sector leader at IBM. I am honored to 
testify.
    Quantum computing has the potential to shape the future of 
our Nation. My testimony today will explain what quantum 
computing is, its potential, and the recommendations to harness 
its value, while ensuring our National security.
    So what is quantum? Quantum computing is not simply a 
faster way of doing what today's computers do. It is a 
fundamentally different approach.
    Think of it this way. Classical supercomputers explore 
every possible path to a solution. But as the problems and data 
grow exponentially more complex, there simply isn't enough 
computing power to find a solution.
    In contrast, quantum computers double the problem space 
they can analyze with every quantum bit, or qubit. With 
relatively few qubits, quantum computers can solve large, 
complex problems that today's computers cannot.
    Quantum computers can help drug discovery, new materials, 
and many other scientific endeavors. We call this the Quantum 
Advantage. As early adopters, we can lock in economic and 
strategic advantage.
    It is then fair to ask: How can quantum computing affect 
our National security? As we transition into the quantum era, 
government, commerce, education, and health care systems may 
become increasingly vulnerable. Simply put, quantum computers 
pose a challenge for a key part of our digital life: 
Encryption.
    Today's cryptologic algorithms derive their strength from 
the difficulty of solving certain math problems. Quantum 
computers, however, may be able to solve those math problems in 
just hours or minutes instead of millions of years. This is 
where quantum-safe cryptography comes in.
    Let me be clear: While we don't currently have quantum 
computers that can break today's widely-used cryptography, 
encryption that is resistant to quantum computer attacks is 
essential and only a start.
    So how do we get to where we need to go? Policy makers and 
industry need to mitigate against these risks by 
future-proofing in the present.
    IBM is acting now. In collaboration with others, our 
researchers are developing cryptographic solutions resistant to 
threats posed by quantum computers. We have identified several 
cryptographic schemes believed to be quantum safe.
    First, we need to accelerate quantum science and the use of 
quantum computing. We urge Congress to meet this challenge by 
passing the final Bipartisan Innovation Act and the QUEST Act 
without delay.
    Second, we should expand and diversify the quantum 
ecosystem.
    Third, we must future-proof our encryption now.
    Finally, fourth, we should encourage responsible 
collaboration with international partners.
    Let me close with this. We don't know exactly when 
large-scale quantum computers capable of breaking widely used 
cryptography will be available, but some experts predict 
possibly by the end of the decade.
    That means we must act now to ensure the United States 
reaps the benefits of quantum computing while protecting our 
National security.
    If we work collaboratively and take the actions that I 
just described, we will be ready and our Nation will be secure.
    Thank you. I welcome your questions.
    [The prepared statement of Mr. Robinson follows:]
               Prepared Statement of Charles W. Robinson
                             June 22, 2022
                              introduction
    Chairwoman Clarke, Ranking Member Garbarino, and distinguished 
Members of the subcommittee, I am honored to appear before you today to 
discuss how to harness the benefits of emerging technologies, 
particularly quantum, while mitigating the potential National security 
consequences before this important subcommittee.
    My name is Charles Robinson, and I am IBM's Quantum Computing 
Public Sector Leader. In addition to serving in corporate America, I've 
had the great privilege and honor to serve in the United States Navy. 
Today, I have the pleasure of supporting the preparation of the 
National Security Community for the Quantum Computer Age.
    Leveraging the power of emerging technology while bolstering our 
National security is an increasingly complex mission which demands 
dynamic solutions and collective actions by industry and Government. 
While these technologies promise to produce immense value to our 
society, new threats related to these disruptive emerging technologies 
create a multitude of challenges to securing and protecting people, the 
Nation, and information. To mitigate these threats, we must understand 
these technologies and take actions today to prepare us for tomorrow.
    My testimony will explain how we can do this effectively through 
collaboration. First, it is important to level set and provide a brief 
explanation of quantum, its importance to society, and its relationship 
to National security. Just as important is understanding what industry, 
academia, and Government can do today to promote quantum resistant 
encryption and strengthen National security tomorrow.
 what is quantum--its importance and relationship to national security
    Quantum computing is not simply a faster way of doing what today's 
computers do--it is a fundamentally different approach that promises to 
solve problems that classical computing cannot realistically solve.
    Quantum computers are not simply more powerful supercomputers. 
Instead of computing with the traditional bit of a 1 or 0, quantum 
computers use quantum bits, or qubits (CUE-bits), that can run 
multidimensional quantum algorithms.
    Think of it this way, a classical supercomputer solves a problem 
sequentially. Supercomputers leverage their many processors to explore 
every possible path to a solution before arriving at an answer. But as 
the problem and data grow more complex, there simply isn't enough 
computing power to solve problems that grow exponentially. For example, 
there are 40,000 different ways to seat 8 people around a table. If you 
add one person, it becomes 362,000. Make it 10 people and the number of 
combinations is more than 3.5 million. Eleven people, almost 40 
million. No existing computer has the working memory to handle all the 
possible combinations as problem sizes grow exponentially large. By 
contrast, a quantum computer can double the size of the problem space 
it can analyze by adding only one qubit.
A. Quantum and its Value
    Quantum algorithms take a new approach to these sorts of complex 
problems--creating multidimensional spaces where the patterns linking 
individual data points emerge. For example, in the case of the protein 
folding problem, where a chain of 100 amino acids could theoretically 
fold into trillions of ways, the optimal pattern is the combination of 
folds requiring the least energy to be viable. Compared to today's 
supercomputers, a quantum computer could find that combination of folds 
faster enabling the prediction of protein structures to address diverse 
use cases from drug discovery to agriculture.
    Through these vastly improved chemical simulations in drug 
discovery and development, quantum computing can help expedite the 
response to future pandemics, on-going health crises, and the 
proliferation of debilitating diseases affecting millions world-wide. 
Today, between 1 and 2 percent of the global energy output goes into 
making ammonia-based fertilizer through the nitrogen fixation process. 
If quantum simulations can find a way to use even a fraction less 
energy in that process, it would have a significant impact. Quantum 
computing holds the promise to help humanity confront these and many 
other important challenges, from solving long-standing questions in 
science to overcoming obstacles in improving industrial efficiency. 
Working in conjunction with classical computers and cloud-based 
architectures, quantum computers could even find answers to problems we 
haven't yet dreamed of. The opportunities for society and the economy 
are potentially limitless.
    The future of this technology is truly exciting--it's likely that 
by the middle of this decade, we'll see applications of quantum 
computing that will solve practical problems faster, cheaper, or with 
more accuracy than classical computers. We call this the Quantum 
Advantage. It is essential the United States rapidly strives to 
leverage this advantage. As early adopters, we will have the 
opportunity to lock in economic and strategic advantages that will be 
enormously difficult to challenge.
B. Quantum and National Security
    As we transition into an era in which quantum computers become more 
ubiquitous, the digital platforms that underpin our Government, 
commerce, education, and health care systems may become increasingly 
vulnerable. This vulnerability to the technological fabric we depend on 
every day puts our National security at risk. However, we can protect 
against this via concurrent development and adoption of quantum-safe 
cryptography.
    Simply put, quantum computers pose a challenge for a key part of 
our digital life: Encryption.
    When you send an email, make an on-line purchase, or make a 
withdrawal from an ATM, cryptography helps keep your data private and 
authenticate your identity.
    Today's cryptographic algorithms derive their strength from the 
difficulty of solving certain math problems using classical computers 
or searching for the right secret key or message.
    Quantum computers, however, work in a fundamentally different way. 
Solving a problem that might take millions of years on a classical 
computer may take hours or minutes on a sufficiently large quantum 
computer, which will have a significant impact on the encryption, 
hashing, and public key algorithms we use today. This is where quantum-
safe cryptography comes in.
    Let me be clear: While we do not currently have quantum computers 
that can break today's widely-used cryptography, we expect significant 
advancements in the coming years, and although we already know how to 
perform encryption that will be resistant to a quantum computer's 
attack, these foundational quantum-safe algorithms should only be 
considered the start.
    Many industry security standards and protocols need to be updated 
with these new algorithms, and advances in quantum computing will need 
to coincide with advances in quantum-safe cryptography to ensure data 
and systems are secured now from these future threats.
    So how do we get there?
 preparing for tomorrow by future-proofing in the present--industry & 
                   government collaboration & policy
    Policy makers and industry need to look to mitigate against these 
risks by future-proofing in the present.
A. Industry Collaborations
    IBM is taking action now. Our researchers are developing practical 
cryptographic solutions that are resistant to the threats posed by 
quantum computers. We have identified a number of cryptographic schemes 
that are believed to be quantum-safe. These include lattice-based 
cryptography, hash trees, multivariate equations, and super-singular 
isogeny elliptic curves.
    The key advantage of such quantum-safe schemes is the absence of an 
exploitable structure in the mathematical problem an attacker needs to 
solve in order to break the encryption. Certain quantum-safe schemes 
(e.g., supersingular isogeny) will protect us against particularly 
patient attackers who store their victims' encrypted messages today 
only to decrypt them with new and more powerful methods in the future. 
Other encryption schemes (e.g., lattice cryptography) can enable game-
changing technologies like Fully Homomorphic Encryption (FHE), in which 
data can be directly computed in encrypted form, stymieing a common 
strategy of attackers to loiter in a victim's computer system until 
sensitive data is decrypted to be used. Existing encryption today can 
only protect data when stored and in transit. This new technique closes 
this vulnerability by keeping data encrypted while it is in use.
    Moreover, development of quantum-safe systems, which are systems 
that leverage the use of both quantum-safe cryptography as well as 
other security mechanisms like secure boot (meaning that bad actors 
cannot inject malware into the boot process to take over the system 
during start-up) is crucial to ensure the security of systems now and 
in the future. IBM has invested in these technologies with its 
development of the industry's first quantum-safe system, the IBM z16.
    To advance these and other innovative new methods for securing data 
in an age of quantum computing, we are collaborating with academic 
institutions--such as the State University of New York at Stony Brook 
and the University of Notre Dame--to advance the science behind these 
techniques.
B. U.S. Government--the critical role of Government
    IBM joins others in industry to work with our Government to 
strengthen our future National security. Key among these activities is 
the work of the National Institute of Standards and Technology (NIST), 
which initiated a Post-Quantum Cryptography Standardization Program to 
identify new algorithms that can resist threats posed by quantum 
computers.
    After 3 rounds of evaluation, NIST identified 7 finalists. It plans 
to select a small number of new quantum-safe algorithms this year and 
implement new quantum-safe standards by 2024. As part of this program, 
IBM Researchers have been involved in the development of 3 quantum-safe 
cryptographic algorithms based on lattice cryptography that are in the 
final round of consideration: CRYSTALS-Kyber, CRYSTALS-Dilithium and 
Falcon.
    More must be done to supplement private industry's engagement in 
standards development and to accelerate investments in, and to promote 
the adoption of, quantum-safe cryptographic schemes that can safeguard 
data now and long into the future.
C. Policy Recommendations
    As I just shared, companies and governments are preparing for a 
quantum computing future and positioning themselves to capture the many 
benefits of this technology. Yet more can and should be done. 
Collaboration among all stakeholders is key to making progress. 
Governments, researchers, academics, and industry must work together on 
policies to accelerate the adoption of new educational curricula, fund 
R&D, future-proof encryption, create new talent pipelines, and more.
    As the U.S. Government considers how best to protect National 
security and prepare for our quantum future, IBM recommends Congress 
consider policies that would:
    Accelerate quantum science and the use of quantum computing--
Significant investments to keep America at the forefront of the quantum 
computing race. Congress should support funding for fundamental 
research in quantum theory, hardware, and software; the rapid 
deployment of advanced, reliable quantum systems; and ``proof of 
concept'' programs for the U.S. Government to purchase commercial-grade 
quantum technologies. Specifically, we urge passage of:
   The Quantum User Expansion for Science and Technology 
        program (QUEST) Act with $30 million of funding to increase 
        access to U.S. quantum computing hardware and quantum computing 
        clouds for research, thereby accelerating U.S. economic 
        development and National security; and
   a final Bipartisan Innovation Act (BIA), including increased 
        funding for the Department of Energy's work as well as Quantum 
        Network Infrastructure and Workforce Development support, which 
        will bolster research in quantum networking and communications.
    Expand and diversify the ecosystem--Support and fund initiatives 
that help build a robust enabling technology ecosystem of industry and 
academia players, as well as a supply chain for the quantum industry. 
This includes promoting education and training to expand the necessary 
workforce to make the industry sustainable as was called for in the 
Presidential Directives to Advance Quantum Technologies. Congress 
should also help to advance and expand existing initiatives such as:
   Reauthorization of the National Quantum Initiative Act for 
        another 5 years to ensure continued support of 
        Multidisciplinary Centers for Quantum Research and Education 
        and National Quantum Information Science Research Centers to 
        accelerate scientific breakthroughs in quantum science and 
        technology;
   Quantum Economic Development Consortium (QED-C) to build up 
        quantum industry supply chains;
   NSF's Q2Work and similar post-secondary studies and high-
        school education; and
   programs promoting greater diversity among this emerging 
        workforce (e.g., IBM's HBCU Quantum Center) to ensure we have a 
        quantum era-ready workforce; and
   open-source research and development projects that enable 
        the creation of platforms such as Qiskit, an open-source 
        software development kit, that provides tools to create and 
        manipulate quantum programs and run them on prototype quantum 
        devices.
    Future-proof encryption now--Accelerate efforts around new quantum-
safe cryptographic methods and prioritize workstreams to establish a 
quantum-safe infrastructure that has cryptographic agility (a flexible 
approach that enables future updates without major changes to the 
existing infrastructure). History has shown broad adoption of new 
cryptography can take more than a decade, thus we must act now. This 
acceleration was also called for in the Presidential Directives, which 
IBM strongly supports. On this, we encourage Congress to:
   Obtain from NIST an update on its Post-Quantum Cryptography 
        Standardization Program and its National Cybersecurity Center 
        of Excellence (NCCoE) plan for the replacement of hardware, 
        software, and services that use public-key algorithms so that 
        information is protected from future attacks;
   accelerate the legislative process to pass the Quantum 
        Computing Cybersecurity Preparedness Act, which prioritizes the 
        migration to post-quantum cryptography; and
   encourage NIST and other relevant agencies to prioritize the 
        engagement with standards development organizations that are 
        updating system-relevant industry standards, including those 
        for critical infrastructure and financial industry, such as: 
        ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and standards 
        developed by the Council on Cybersecurity Critical Security 
        Controls.
    Encourage responsible collaboration with international partners--
Leverage existing global engagements and create new ones as needed to 
review and ensure military and commercial trade agreements are 
addressing post quantum cryptography. Further, Congress should:
   Encourage the Department of State, through its new Bureau of 
        Cyberspace and Digital Policy, and the Department of Defense to 
        find new ways to work collaboratively with our allies and 
        partners to promote quantum innovation and accelerate the 
        adoption of quantum-safe encryption; and,
   support the tailoring of export controls to keep sensitive 
        technologies out of the hands of nefarious actors given the 
        sensitive nature of quantum R&D and that its technological 
        components present possible dual-use concerns.
                               conclusion
    We don't know exactly when a large-scale quantum computer capable 
of breaking public key cryptographic algorithms will be available, but 
some experts predict this could be possible by the end of the decade. 
While we have some time to implement policies that counter developing 
threats and develop quantum-safe solutions, these years go fast, so we 
must act now to ensure the United States reaps the benefits of quantum 
computing while protecting our National security.
    Moving to new cryptography is complex and will require significant 
time and investment. As a starting point, we urge Congress to meet this 
challenge by passing a final BIA without delay and accelerating the 
legislative process on QUEST and the Quantum Computing Cybersecurity 
Preparedness Act.
    If we continue to work collaboratively and take the actions I 
just described, we will be better prepared, and our Nation will be more 
secure for it.
    Thank you.

    Ms. Clarke. Thank you, Mr. Robinson.
    I now recognize Dr. Lohn to summarize his statement for 5 
minutes.

  STATEMENT OF ANDREW LOHN, PH.D., SENIOR FELLOW, CENTER FOR 
    SECURITY AND EMERGING TECHNOLOGY, GEORGETOWN UNIVERSITY

    Mr. Lohn. Chairwoman Clarke, Ranking Member Garbarino, and 
Members of the subcommittee, thank you for the opportunity to 
testify today. I am Andrew Lohn, senior fellow in the CyberAI 
Project at the Center for Security and Emerging Technology at 
Georgetown University. It is an honor to be here.
    During the next few minutes, I would like to discuss a few 
of the ways that artificial intelligence intersects with 
cybersecurity.
    To start, it is worth being clear about what makes these 
two related topics different. Cybersecurity is about protecting 
the digital world from miscreants, and AI is just one part of 
that digital world.
    What distinguishes AI capabilities from more traditional 
technology is when they perform tasks that until recently 
required a human, such as a ``smart'' refrigerator that sees 
what is on its shelves and suggests a recipe or an AI-assisted 
computer that helps drive a car.
    The distinction between cyber and AI does get murky 
sometimes. For one, some of the most promising AI systems can 
help protect digital systems. That has been true for many years 
in the fight to detect spam or phishing emails, and the 
capabilities continue to improve to keep pace with attackers.
    Another area where AI has shown promise is in detecting 
attackers once they are in the network, which is known as 
intrusion detection.
    Hackers often try to act like normal users or write their 
malware to blend in with normal software, but there are usually 
subtle differences that AI can detect to weed them out.
    This too requires a continual stream of new advances to 
keep up with attackers who are constantly adapting.
    At the same time, AI systems are digital, too, so they need 
their own cybersecurity protection.
    While AI-enabled systems have similar vulnerabilities to 
other types of software, they also have their own unique 
vulnerabilities.
    They learn to recognize patterns in data, such as which 
aspects of an image represent a dog, or which streams of data 
between two computers are benign and which are malicious. But a 
clever attacker can change that image or the data stream to 
fool the AI.
    There are also ways to trick the AI into revealing data 
that is meant to remain private.
    Further, the systems are vulnerable throughout their design 
process. AI is usually assembled from publicly-available 
components, like data, programming libraries, and other AI 
models, that can all be potentially compromised.
    Now, while AI needs cybersecurity protections, it can also 
be a means to create new cybersecurity problems. In rare cases, 
AI might be used to create disruptions in the digital world, 
such as by finding security holes or by helping disguise a 
digital intrusion.
    But I would like to highlight how AI threatens to move 
beyond the digital world to disrupt our society.
    AI is able to create images and videos of fake people or of 
real people doing or saying things they never said or did. 
These deepfakes receive a lot of attention, deservedly so. But 
AI's ability to write text is equally concerning and gets less 
attention.
    Several of the most powerful AI systems today are dedicated 
to writing text, and they are convincing enough to shift 
people's stance on important National security topics.
    CSET's report, ``Truth, Lies, and Automation,'' illustrated 
this point. We used one such system to write tweet-length 
messages that either supported or opposed sanctions on China 
and that either supported or opposed withdrawal from 
Afghanistan.
    In a controlled environment, we showed volunteers a sample 
of five of these messages and measured whether it shifted their 
opinions. Comparing the group that read the pro-withdrawal 
messages to the group that saw the anti-withdrawal messages, 
they were 50 percent more likely to want to remove troops and 
30 percent less likely to want to maintain troop levels.
    The Chinese sanction topic was even more dramatic. In the 
control group that didn't read any messages, just over half 
favored sanctions. After reading the five messages, though, 
that flipped. Almost half the population came to oppose 
sanctions, twice as many as in the control group.
    Although we do not know how long-lasting the effect might 
be, this technique likely appeals to foreign powers who might 
want to shape our views and control our collective actions.
    When we did this study last year, these text generators 
were carefully guarded proprietary technologies. But now 
comparable systems are freely available. They are likely within 
reach of all dedicated nations and even many technologically-
sophisticated individuals.
    In conclusion, AI systems come with risks, but can also 
pave the way for economic and scientific breakthroughs. Access 
to these tools should be supported, perhaps through initiatives 
like the National AI Research Resource.
    But we should also monitor which countries are acquiring 
them and for which purposes. We should try to harden our 
population against future malicious uses while promoting 
trustworthy sources and media literacy, while discouraging the 
spread of disinformation.
    At the same time, we need to be careful not to deflate the 
value of all information. Pairing these societal-level defenses 
with efforts to understand the vulnerabilities of AI systems 
and the ways AI can boost cybersecurity will go a long way 
toward securing the Nation.
    [The prepared statement of Mr. Lohn follows:]
                   Prepared Statement of Andrew Lohn
                             June 22, 2022
    Chairwoman Clarke, Ranking Member Garbarino, and Members of the 
subcommittee, thank you for the opportunity to testify today. I am 
Andrew Lohn, senior fellow in the Cyber AI Project of the Center for 
Security and Emerging Technology at Georgetown University. It is an 
honor to be here. During the next few minutes, I would like to discuss 
a few of the ways that artificial intelligence intersects with 
cybersecurity.
    To start, it is worth being clear about what makes these two 
related topics different. Cybersecurity is about protecting the digital 
world from miscreants, and AI is just one part of that digital world. 
What distinguishes AI capabilities from more traditional technology is 
when they perform tasks that until recently required a human--such as a 
``smart'' refrigerator that sees what's on its shelves and suggests a 
recipe, or an AI-assisted computer that helps drive a car.
                          ai for cybersecurity
    The distinction between cyber and AI does get murky sometimes. For 
one, some of the most promising AI systems can help protect digital 
systems. That has been true for many years in the fight to detect spam 
or phishing emails--and the capabilities continue to improve to keep 
pace with attackers.
    Another area where AI has shown promise is in detecting attackers 
once they're in the network, which is known as intrusion detection. 
Hackers often try to act like normal users and write their malware to 
blend in with normal software, but there are usually subtle differences 
that AI can detect to weed them out. This too requires a continual 
stream of new advances to keep up with attackers who are constantly 
adapting.
                         ai needs cybersecurity
    At the same time, AI systems are digital too, so they need their 
own cybersecurity protections. While AI-enabled systems have similar 
vulnerabilities to other types of software, they also have their own 
unique vulnerabilities. They learn to recognize patterns in data, such 
as which aspects of an image represent a dog, or which streams of data 
between two computers are benign and which are malicious. But a clever 
attacker can change the image or the data stream to fool the AI. There 
are also ways to trick the AI into revealing data that is meant to 
remain private. Further, the systems are vulnerable throughout the 
design process. AI is usually assembled from publicly-available 
components like data, programming libraries, and other AI models that 
can all potentially be compromised.
                       ai subverts cybersecurity
    While AI needs cybersecurity protections, it can also be a means to 
create new cybersecurity problems. In rare cases, AI might be used to 
create disruptions in the digital world such as by finding security 
holes or by helping disguise a digital intrusion. But I'd like to 
highlight how AI threatens to move beyond the digital world to disrupt 
our society. AI is able to create images and videos of fake people, or 
of real people doing or saying things they never said or did. These 
deepfakes receive a lot of attention, deservedly so, but AI's ability 
to write text is equally concerning and gets less attention.
    Several of the most powerful AI systems today are dedicated to 
writing text, and they are convincing enough to shift people's stance 
on important National security topics. CSET's report ``Truth, Lies, and 
Automation'' illustrated this point: We used one such system to write 
tweet-length messages that either supported or opposed sanctions on 
China, and that either supported or opposed withdrawal from 
Afghanistan. In a controlled environment, we then showed volunteers a 
sample of five messages each and measured whether it shifted their 
opinions.
    Comparing the group that read pro-withdrawal messages to the group 
that saw anti-withdrawal messages, they were 50 percent more likely to 
want to remove troops and 30 percent less likely to want to maintain 
troop levels. The Chinese sanctions topic was even more dramatic. In 
the control group that didn't read any messages, just over half favored 
sanctions. After reading the five messages though, that flipped. Almost 
half the population came to oppose sanctions, twice as many as in the 
control group.
    Although we do not know how long-lasting the effect might be, this 
technique likely appeals to foreign powers who might want to shape our 
views and control our collective actions. When we did this study last 
year, these text generators were carefully-guarded proprietary 
technologies, but now comparable systems are freely available. They are 
likely within reach of all dedicated nations and even many 
technologically sophisticated individuals.
                               conclusion
    In conclusion, AI systems come with risks but can also pave the way 
for economic and scientific breakthroughs. Access to these tools should 
be supported, perhaps through initiatives like the National AI Research 
Resource, but we should also monitor which countries are acquiring them 
and for which purposes. We should try to harden our population against 
future malicious uses by promoting trustworthy sources and media 
literacy while discouraging the spread of disinformation. At the same 
time, we need to be careful not to deflate the value of all 
information. Pairing these societal-level defenses with efforts to 
understand the vulnerabilities of AI systems and the ways AI can boost 
cybersecurity will go a long way toward securing the Nation.

    Ms. Clarke. Thank you very much, Dr. Lohn, for your 
testimony.
    I now recognize Mr. Green to summarize his statement for 5 
minutes.

  STATEMENT OF RON GREEN, EXECUTIVE VICE PRESIDENT AND CHIEF 
    SECURITY OFFICER, MASTERCARD INTERNATIONAL INCORPORATED

    Mr. Green. Chairwoman Clarke, Ranking Member Garbarino, 
Members of the subcommittee, it is an honor to testify today. 
My name is Ron Green, and I am the Mastercard chief security 
officer.
    Every day we enable commerce in a safe and secure way and 
we help connect buyers and sellers. We enable many types of 
ways to pay: Account to account, card, installments, and even 
crypto.
    As important, we use insights from the transactions that 
cross our networks to help people, businesses, and governments 
make better decisions. That informs an approach to security 
organized around five layers--prevent, identify, detect, 
experience, and network--each layer featuring cutting-edge 
solutions that work together at every stage or transaction.
    In a few minutes I will cover two areas: How we are seeing 
the threat landscape evolve and how public and private sectors 
can prepare for the challenges ahead.
    Part of my job is threat forecasting, or threatcasting. My 
team anticipates how risks might evolve due to technology and 
world events.
    We are often looking 10 years ahead. This may seem like 
purely speculative work, but we are actually developing an 
informed, textured picture of the future.
    It starts with the analysis of 110 billion payment 
transactions that we process around the globe each year. Add to 
that the analysis of billions of other points from partners 
across business, academia, and government.
    We talk to futurists who specialize in AI and quantum 
computing. We consult experts at the U.S. Treasury and CISA on 
fraud and financial crimes. That helps us identify emerging and 
intersecting trends.
    We are anticipating how they might threaten businesses like 
ours, institutions like Congress, and free societies like the 
United States. Some of these trends this subcommittee is 
familiar with, like misinformation. Others are more nuanced.
    Remote work provides an enormous cybersecurity challenge. 
It is far harder to safeguard a work force operating from 
thousands of homes versus a few office buildings.
    There is a growing complexity to what needs protecting. 
Many critical parts of the supply chain are increasingly 
subcontracted out to a few third-party vendors. Companies and 
cities often have little relationship with these vendors. 
They don't know who they are influenced by or if they are 
hardened against bad actors. They don't know who else shares 
these vendor relationships. So these vendors can be weak 
points, unlocked back doors through which bad actors can enter.
    This is the story of the attack on SolarWinds, a vendor 
that provided software to so many. It was an unlocked back door 
that let hackers in everywhere. The risk of this kind of attack 
is only growing.
    Another key trend is the changing nature of criminal 
operations themselves. Not long ago, hackers were like pirates. 
They were committing crimes of their own personal accord for 
their own profit. Now cyber crime is increasingly provided as a 
service by black hat mercenaries. We are seeing more and more 
foreign adversaries do just that.
    How do we prepare for a world where everything is harder to 
defend and easier to attack? It is a collective action problem 
not unlike climate change or the pandemic.
    Ultimately, our digital world is too interconnected and 
threats are too fast-changing for any one organization to 
counter them alone. We need far more coordination between the 
public and private sectors, and I think that can take action in 
a few concrete forms.
    First, Congress should help CISA build a National cyber 
training center. Planning for an attack is crucial, but those 
plans are ultimately worthless without practice. It is the same 
way that battle plans would be of little use without real world 
war games and live fire exercises. That is why the Army has the 
National Training Center at Fort Irwin. We need a similar 
facility for cybersecurity.
    Second is enhancing the intelligence sharing. Cyber crime 
is not constrained by borders or sectors. The appropriate 
Federal agencies have the authority to facilitate global, 
cross-sector, agnostic intelligence sharing with the private-
sector participants and allied governments. Our defenses will 
be better equipped with coordinated ability to analyze 
incidents, review attack vectors, and spot trends.
    Members of the subcommittee, these are just a few ideas out 
of what I hope is a much larger pool. I am hopeful that we can 
discover even more solutions today.
    Thank you. I am happy to answer any questions.
    [The prepared statement of Mr. Green follows:]
                    Prepared Statement of Ron Green
                             June 22, 2022
    Good afternoon, Chairwoman Clarke, Ranking Member Garbarino, and 
Members of the subcommittee. My name is Ron Green, and I am executive 
vice president and chief security officer of Mastercard. In this role, 
I am responsible for the cybersecurity of our network and operations as 
well as the physical security of Mastercard and its assets.
    In addition to my role with Mastercard, I serve in several 
positions with government and industry groups coordinating private-
sector awareness of and responses to cyber threats.
   I am chair of the Financial Services Sector Coordinating 
        Council (FSSCC).\1\
---------------------------------------------------------------------------
    \1\ The FSSCC was established in 2002 by financial institutions to 
work collaboratively with key government agencies while coordinating 
critical infrastructure and homeland security activities within the 
financial services industry. The FSSCC is an industry-led non-profit 
organization and its mission is to bring together members from 
financial services, trade associations, and other industry leaders to 
assist the sector's response to natural disasters, threats from 
terrorists, and cybersecurity issues of all types. The FSSCC partners 
with the public sector on policy issues to enhance the security and 
resiliency of the U.S. financial system. The U.S. Department of 
Homeland Security recognizes the FSSCC as a member of the Critical 
Infrastructure Partnership Advisory Council on behalf of the banking 
and finance sector.
---------------------------------------------------------------------------
   I am chairman of the U.S. Secret Service Cyber Investigation 
        Advisory Board (CIAB).\2\
---------------------------------------------------------------------------
    \2\ Established in September 2020, the CIAB is an investigations-
focused Federal advisory committee, dedicated to providing outside 
strategic guidance to shape the Secret Service's investigative efforts 
in cyber crime and cyber-enabled fraud. As chair, I head the 16 member 
CIAB, composed of senior executives and experts from industry, 
government, and academia. The goal of the CIAB is to provide outside 
strategic direction to the Secret Service's investigative mission. This 
includes helping the Secret Service identify the latest cyber crime, 
technology, and policy trends, providing guidance as the agency looks 
to modernize their training, partnerships, and investigative 
priorities. All CIAB members are appointed by the Department of 
Homeland Security secretary through the Secret Service director. 
Members serve in a volunteer capacity for 2 years with an opportunity 
to renew their membership for up to 3 years. The CIAB meets twice a 
year, unless requested by the Secret Service director.
---------------------------------------------------------------------------
   I am vice chair of the Cybersecurity and Infrastructure 
        Security Agency (CISA) Cybersecurity Advisory Committee (CSAC) 
        and subcommittee chair for the Transforming Cyber Workforce 
        study.\3\
---------------------------------------------------------------------------
    \3\ The CISA Cybersecurity Advisory Committee is a 22-member 
committee that operates as a board of industry and State, local, and 
Tribal government leaders who advise the CISA director on policies and 
programs related to CISA's cybersecurity mission.
---------------------------------------------------------------------------
   I am also a member of the Aspen Cybersecurity Group.\4\
---------------------------------------------------------------------------
    \4\ The Aspen Institute gathers diverse, nonpartisan thought 
leaders, creatives, scholars, and members of the public to address some 
of the world's most complex problems. But the goal of these convenings 
is to have an impact beyond the conference room. They are designed to 
provoke, further, and improve actions taken in the real world.
---------------------------------------------------------------------------
    I am here today to discuss the security implications of emerging 
technologies, actions that Mastercard takes to forecast and mitigate 
cyber threats against these emerging technologies, efforts Mastercard 
participates in to enhance collaboration with industry and Government 
partners to promote cybersecurity and resiliency, and recommendations 
for Congress to further secure and enhance the resiliency of the 
digital ecosystem from future cyber threats. Many of the topics that I 
will discuss today are part of Mastercard's resiliency planning--things 
that Mastercard needs to comprehend to be ready to guard against 
strategic surprises and are practices we encourage to be adopted more 
widely by both public and private-sector actors at home and abroad.
                        background on mastercard
    Mastercard is a technology company in the global payments industry 
that connects consumers, financial institutions, merchants, 
governments, digital partners, businesses, and other organizations 
world-wide, enabling them to use electronic payments instead of cash 
and checks. We make payments easier and more efficient by providing a 
range of payment services using our family of well-known brands, 
including Mastercard, Maestro, and Cirrus. We are a multi-rail 
network (debit, credit, prepaid, and real-time payments) that offers 
customers one partner for their domestic and international payment 
needs.
    Our payment solutions offer customers choice and flexibility to 
ensure security for the global payments system. Mastercard seamlessly 
processes more than 110 billion payments annually. With more than 2.9 
billion cards issued through our family of brands globally, Mastercard 
serves consumers and businesses in more than 200 countries and 
territories.
    Through our global payments network built over decades, which we 
refer to as our core, we ``switch'' (i.e., authorize, clear, and 
settle) payment transactions and deliver products and services. We also 
supply payment capabilities that include automated clearing house 
transactions (both batch and real-time account-based payments). 
Moreover, we provide integrated value-add cyber and intelligence 
products and solutions, information analytics and other security 
consulting services.
    As a global organization with a far-reaching network, we are 
responsible for securing our organization, protecting our sector and 
helping to protect the trust and confidence that people have in the 
broader global ecosystem. We safeguard consumer data, protect points of 
connection, and take a forward-looking approach toward mitigating risks 
facing the digital world today and those it will encounter tomorrow.
the state of cybersecurity today and the high-stakes losses from cyber 
                                attacks
    The world in which we are living today looks different than it did 
just a few years ago. Technology is continuing to evolve. It is 
connecting the disconnected and making our lives more convenient. The 
world was already rapidly moving toward a digital-first way of life, 
which has only been accelerated by the COVID-19 pandemic. How people 
shop, pay, and interact is changing. Consider the following:
   In 2020, 2.5 quintillion bytes of data were generated per 
        day by people and their devices.\5\
---------------------------------------------------------------------------
    \5\ Jacquelyn Bulao, Techjury, How Much Data is Created Every Day 
in 2022? (Jun. 3, 2022) (citing Domo), available at: 
https://techjury.net/blog/how-much-data-is-created-every-day/#gref.
---------------------------------------------------------------------------
   As of January 2021, there were 4.66 billion active internet 
        users around the world, which is close to 60 percent of the 
        world's population.\6\
---------------------------------------------------------------------------
    \6\ Id. (citing Statista).
---------------------------------------------------------------------------
   It is estimated that digital commerce transaction values 
        will total $18 trillion by 2024.\7\
---------------------------------------------------------------------------
    \7\ Juniper Research, Digital Commerce Key Trends Sectors and 
Forecasts 2016-2020.
---------------------------------------------------------------------------
   By 2024, 50 percent of the world is expected to be using 
        digital wallets.\8\
---------------------------------------------------------------------------
    \8\ Juniper Research, Digital Wallets--Deep Dive Strategy & 
Competition 2019-2024.
---------------------------------------------------------------------------
    But as interactions go digital, criminals follow. Supercharged 
attacks are becoming more common, indiscriminate, and sophisticated. 
National infrastructure, health care research, and government services 
are all being targeted.
    The cost of global cyber crime is projected to reach $10.5 trillion 
annually by 2025. But the consequences for businesses go beyond the 
immediate financial loss. There is potential damage to users' trust. 
With so many connections, it is more important than ever for all of us 
to maintain trust throughout the digital ecosystem.
    The constantly growing interconnected spider web of digital devices 
and services means that the problem is only going to grow. Tapping into 
all the digital economy has to offer results in creating more data--
therefore, more to protect. Organizations or individual actors can no 
longer invest in cybersecurity systems that only offer protection for 
their own operations. The public and private sector must invest in the 
right foundations and guardrails that create a long-term, sustainable 
shield around the whole supply chain.
                mastercard leads on security and privacy
    Mastercard secures trust in the modern digital economy. Consumers 
and businesses are expanding their on-line interactions beyond cards 
and payments, significantly increasing information exposure risks and 
creating more potential vulnerabilities for cyber criminals to exploit. 
As such, Mastercard is investing in innovative technologies to secure 
digital interactions more comprehensively. We rolled out chip card 
technology across the United States and have committed to phasing out 
the magnetic stripes on newly-issued cards. We are now tokenizing 
transactions, shifting away from static data that can easily be stolen 
or replicated and replacing it with dynamic data. All this is supported 
through our use of real-time analytics to detect fraudulent activity 
every time you use your card. In recent years, we have also introduced 
security technologies such as Mastercard Safety Net, Mastercard 
Identity Check, our Mastercard Biometric Card, and ID Theft Protection. 
These innovations, which come at a significant cost, produce real 
results. For example, our SafetyNet technology stopped real-time fraud 
attacks and prevented more than $10 billion in potential fraud in 2021 
alone.
    Mastercard's cybersecurity efforts are evolving with the ecosystem. 
We are focused on building security for all other types of 
transactions--enabling consumers and businesses to benefit from years 
of learning and development entrenched in our network security 
solutions. As an example, we must ensure the validity of a website 
within the cyber realm so that a payment in the digital payments space 
can go through intelligent decision making. By expanding to new types 
of transactions, we are focused on growing existing security for 
customers, consumers, and businesses--not only to keep them safe but 
also as a means of making their digital lives easier. Another objective 
is to ensure the stability of the system itself by reducing systemic 
risk.
    Many aspects of the digital world are intertwined and dependent on 
one another. In undertaking these steps, we hope to build trust from 
participants in the system. This is not a responsibility that we take 
lightly. We take a multi-layered, principled approach to cybersecurity 
that enables us to work extensively with emerging technologies while 
using cutting-edge tactics to comprehend threats and guard against 
strategic surprise.
    Privacy is central to securing trust in the modern digital economy, 
but there is a major trust deficit in how organizations and governments 
collect, use, and share people's data. At Mastercard, we embrace a 
strong, individual-first view of Privacy and Data.
    We have instilled a Privacy By Design culture and mindset in our 
people. This looks like keeping privacy in mind from ideation through 
development and delivery of a product. There are multiple layers of 
privacy and security safeguards embedded into the design of our 
innovations to protect people's data--including through tokenization, 
encryption, and anonymization. We only collect the information we need 
to get the job done. Moreover, we have extended GDPR's high standards 
and privacy rights to all individuals around the world.
    Further emphasizing our commitment to the responsible use of data, 
we have established data responsibility principles establishing our 
vision of how data should be managed. When it comes to your data, 
you're at the center. You own it. You control it. You should benefit 
from the use of it, and we protect it. While we use data to help 
businesses, governments, the public sector and individuals better 
understand the world around them through identifying trends and 
insights, we anonymize and aggregate it to maintain our privacy and 
security standards. We also leverage these trends and insights for 
social good, helping us to advance financial inclusion and global 
humanitarian efforts.
                             threatcasting
    I would like to discuss one particular tactic that has become an 
important part of our resilience planning and ability to anticipate 
future threat trends, Threatcasting. There are several Government 
entities, including the U.S. Army and the U.S. Secret Service, that 
also leverage the Threatcasting process. I would encourage both public 
and private entities to also adopt Threatcasting as part of their own 
resiliency planning.
    Threatcasting is threat forecasting. Traditionally, organizations 
think about their outlook on a 1-, 3-, or 5-year horizon. With 
Threatcasting, Mastercard looks beyond those horizons, and we challenge 
ourselves to think 10 years ahead. This approach offers us a process to 
combine a wide range of inputs and exercises to imagine a broad range 
of future threats. It also gives us a systemic way to look backwards 
from these imagined future dates to understand the steps needed to 
disrupt, mitigate, and recover from future threats.
    To bring this to life, we partnered with noted futurist Brian David 
Johnson. We gathered a group of global, public-private sector subject-
matter experts that represent a wide variety of cultural, sociological, 
economic, and scientific fields. Like business planning, Threatcasting 
is something Mastercard does annually. This gives us a chance to build 
on our relationships, our thinking and our ideas year after year. It is 
important to highlight that we are not thinking about only one singular 
Future with a ``capital F.'' We are thinking about multiple futures 
involving different types of people across the world, and we repeat 
this thought process multiple times. Then we can step back and ask: 
``What do we need to do as an organization, as a nation, and as an 
industry to prepare for those futures?''
    We have used Threatcasting to forecast potential futures involving 
emerging and disruptive technologies like quantum, IoT, and artificial 
intelligence (AI). Threatcasting helps us understand these technologies 
and the overlap between them. In the next decade, the adoption of 
emerging technologies will expose greater vulnerabilities that will 
allow criminals, nation-states, corporations, organizations, and 
individuals to capture data (physical, digital, biological) and whole 
identities to commit fraud. Opportunities for fraud will increase and 
the motivation to commit this type of crime will grow. Beyond financial 
gain, the perpetrators will have political and ideological goals, co-
opting criminals, proxy attackers, and unsuspecting combatants as 
allies.
    Some of the highlights at the intersection of fraud, cyber attacks, 
and emerging technology from past Threatcasting exercises include:
   The New Criminals.--In this future, criminals use emerging 
        autonomous technologies like AI, IoT, smart cities and cloud 
        computing to evolve their tactics resulting in the development 
        of a cyber crime economy to monetize these advances.
   Hiding in the Complexity.--In this future, criminals will 
        use the expanding technological landscape to commit traditional 
        fraud by hiding in the complexity and scale of the technology, 
        business, and financial ecosystems. Think about it as ``Old 
        Fraud in New Ways.''
   New Motivations.--In this future, bad actors will use 
        traditional fraud and broader criminal activities for 
        nontraditional effects, attacking beyond financial systems to 
        adjacent infrastructure. The logic of these attacks will be 
        orthogonal to traditional attacks with expanded goals to 
        destabilize, distract, disrupt, influence and just to prove it 
        is possible. Think of this future as ``New Fraud in Old Ways.''
   Pandemic Problems.--When the COVID-19 pandemic took hold of 
        the globe, we convened a special session to Threatcast from a 
        pandemic perspective to specifically look at effects on 
        Mastercard's business operations. In 10 days, we were able to 
        deploy teams to address potential vulnerabilities identified 
        using this method.
    Threatcasting is not something we have kept to ourselves at 
Mastercard. It can be a truly global exercise because we are invested 
in building a global digital ecosystem that is secure and connected. We 
have partnered with others across the financial sector to collaborate 
on Threatcasting. In my role as chair of the FSSCC, I worked to combine 
the results from Mastercard's Threatcasting process with additional 
insights drawn from members across the financial services sector to 
further develop a comprehensive view of the threat landscape. Through 
these partnerships, we can provide a more complete picture of what we 
expect lies ahead. Mastercard has also shared our Threatcasting process 
with the G-7 Cyber Experts Group, a group of cybersecurity experts from 
G-7 nations that meets regularly to facilitate progress on major 
international debates and reports their findings to G-7 ministers and 
Governors.\9\
---------------------------------------------------------------------------
    \8\ See https://www.cyberseek.org/heatmap.html.
---------------------------------------------------------------------------
                      the current threat landscape
    I would like to highlight for the subcommittee some of the key 
future threats that we see, which require public and private-sector 
action to mitigate future losses. Using the insights gained from our 
Threatcasting process as well as through our partnership engagements, 
there are six key topic areas I would like to discuss.
    1. Global Ground Systems to Space-Based Asset Attacks.--In the next 
        decade, the expansion of Financial and Communications Critical 
        Infrastructure (FIN/COM CI) from global ground systems to 
        satellites will generate a unique set of future conditions that 
        will multiply the scope, scale, and speed of attacks, taking 
        advantage of rising privatization and militarization as well as 
        undermining situational awareness of the operating environment. 
        The attack surface will no longer be ``Earth'' global, it 
        will be ``universe'' global. A new set of evolving future 
        threats will rise from these conditions, taking advantage of 
        threat multipliers with rapid cascading effects and advancing 
        FIN/COM CI as a minimum viable target for nation-states. These 
        FIN/COM CI consumer-centered attacks will have a destabilizing 
        chain reaction across systems and markets, leaving attribution 
        nearly impossible and retaliation an unlikely option. The 
        actors in the primary threat futures were the usual suspects: 
        Criminals, lone wolves, and state-sponsored attacks. However, 
        we determined that the goal of their threats will not be for 
        financial gain. Instead, the aim of their attacks will be to 
        destabilize industries, consumers, and governments via loss of 
        confidence and trust to the advantage of criminals, businesses, 
        and geopolitical actors. In some consumer-centric cases, the 
        goal may even be to incite civil and business chaos.
    2. Mis-, Dis-, Mal-information to Cause Instability.--Mis-, dis-, 
        and mal-information (MDM) is a rapidly emerging tactic for 
        threat actors. Together, these three areas make up what CISA 
        defines as ``information activities.'' MDM campaigns promote 
        geopolitical instability, which amplifies destabilizing events. 
        Large-scale destabilizations like fuel, energy, food, or water 
        shortages can lead to financial fear and cause consumer panic. 
        Overall, MDM campaigns have the potential to radicalize people, 
        ultimately driving an increase in global geopolitical tensions 
        while heightening the risk of insider threat and undermining 
        trust. Building trust with stakeholders takes time, but it will 
        help to build resiliency. However, resiliency efforts at all 
        levels cannot be successful if people lack trust in the digital 
        ecosystem, and MDM campaigns actively work to undermine that. 
        From a technological standpoint, this can take different forms: 
        (i) Enhancing trust framework, inclusive of the hardware and 
        software that is used; and (ii) implementing solutions like 
        digital identity and zero trust frameworks that use methods to 
        authenticate and verify that people are who they claim to be.
    3. Workforce Shortages.--There are three workforce-related threats 
        that I would like to highlight:
     First and foremost, there are not enough cybersecurity 
            professionals. Currently, there are just under 715,000 open 
            cybersecurity jobs within the United States, and this gap 
            is rapidly increasing.\10\ For reference, in May 2021, 
            there were approximately 465,000 cybersecurity job 
            openings.\11\ Strong cybersecurity professionals require a 
            mix of soft and technical skills, which makes cyber 
            recruitment unique and more difficult. In my work as vice 
            chair of CSAC, I lead the subcommittee focused on 
            ``Transforming the Cyber Workforce.'' That subcommittee is 
            in the process of finalizing and voting on a series of 
            recommendations that we believe will help begin to address 
            this problem.
---------------------------------------------------------------------------
    \10\ See https://www.cyberseek.org/heatmap.html.
    \11\ Kristopher J. Brooks, CBS News Moneywatch, U.S. has almost 
500,000 job openings in cybersecurity (May 21, 2021) (citing Cyber 
Seek), available at: 
https://www.cbsnews.com/news/cybersecurity-job-openings-united-states/.
---------------------------------------------------------------------------
     Second, we need to think through--and work to mitigate--
            risks that come with our new normal of distributed 
            workforces. The COVID-19 pandemic drove an adoption of 
            hybrid work that is here to stay. It may look slightly 
            different in various companies and cultures, but at the end 
            of the day, the workforce has proven that this is a viable 
            operating model. While it brings some positives, it also 
            presents a real challenge from a security perspective. 
            Managing a distributed workforce means needing more complex 
            solutions and enabling access to more things that exist 
            outside of an organization's security perimeter. The more 
            points of connection that live beyond that perimeter, the 
            greater the security risks. In a distributed workforce, the 
            attack surface is greater.
     Third, within the current workforce, corporate 
            organizations are seeing a rise in Insider Threat. Insider 
            Threat is a malicious threat to an organization that comes 
            from the people with access to privileged or protected 
            information. It takes two primary forms: Intentional and 
            unintentional. Intentional Insider Threat is when someone 
            knowingly, for a variety of motivations, misuses their own 
            access to the organization's confidential information or 
            trade secrets or its customers' data to deliberately share 
            them on an unauthorized basis outside of the organization. 
            Unintentional Insider Threat has the same result, but the 
            employee is fooled through naivete or lack of conscious 
            attention into falling for social engineering, phishing, or 
            other similar tactics. Thus, the unauthorized access does 
            not arise from the same motivations.
    4. Cyber Crime for Hire.--As the ``cyber criminal workforce'' 
        evolves, so do its tactics. We are in the midst of a rapid 
        expansion of cyber crime as a service. As such, participation 
        in cyber crime does not require any technical competency. In 
        fact, the barrier to entry is low. The target can be identified 
        and a simple email sent with nefarious content. Through cyber 
        crime-as-a-service offerings, it is now possible to purchase 
        turnkey criminal solutions, pay for cyber crime to be conducted 
        on one's behalf, or enlist cyber criminals to use the 
        technology, tactics, and procedures that allow the exploitation 
        of vulnerabilities in a system that have been disclosed but not 
        yet fixed, known in the industry as ``zero-day 
        vulnerabilities.'' In addition to these external services, 
        insider access to organizations can be bought for nefarious use 
        and ransomware gangs continue to offer ransomware as a service. 
        This growth of ``cyber crime for hire'' underscores the 
        importance of cyber hygiene, the practices and procedures that 
        are regularly performed to maintain the security of users, 
        devices, networks, and data. Good cyber hygiene can help 
        mitigate the increased risk that has resulted from this 
        outsourcing of cyber crime.
    5. Coordination Between Threat Actors and Foreign Governments.--The 
        intersection between the worlds of cyber criminals and nation-
        state operators will continue to grow. Whether deliberate or 
        not, cyber crime is becoming a shared exercise between 
        criminals and rogue nations. These lines, while once relatively 
        clear, have become blurred. The world has seen increased 
        geopolitical tensions give rise to more malicious cyber 
        activity. Complicating this is the fact that threat actors are 
        both acting independently and at the behest of nation-states. 
        Attribution, while difficult before, is now nearly impossible. 
        It has become incredibly challenging to discern when hackers 
        are acting on their own interest or when they are carrying out 
        an attack on behalf of nation-states.
    6. Supply Chain Threats.--There are three supply chain-related 
        threats that I would like to highlight for you today:
     COVID-19 has created an immature microcosm of small 
            businesses that established themselves due to economic need 
            and to meet a changing customer commercial demand for goods 
            and services. Such businesses were set up quickly and at 
            low cost, which meant cybersecurity was often not top of 
            mind. We are seeing small businesses that don't understand 
            cyber threats and lack an understanding of the basic 
            mitigations. As a result, they are falling victim to 
            preying criminals who are aware of their naivete and 
            immaturity.
     Separately, it has also become essential for organizations 
            to be mindful of whom they are doing business with and 
            where they are doing business. Consider the recent PAX 
            point-of-sale terminals incident, for example. That 
            situation demonstrates the importance of knowing the source 
            of software as well as the location of data storage.
     Organizations are also increasingly relying on the supply 
            services of others, including small businesses, to make 
            their businesses function (e.g. hosting providers, 
            marketeers, digital cooling systems, or distributors). 
            These are services that require connectivity to their 
            digital network but don't have control of the network. 
            These 3rd, 4th, and Nth party services within the supply 
            chain create a weakness that is readily exploited and can 
            create mass digital casualties globally through this one 
            business/vulnerability. This is a particularly acute risk 
            for municipalities in the United States. A recent RiskRecon 
            report on the state of cybersecurity in the 271 largest 
            U.S. cities revealed that 110 of the 271 cities may have 
            security gaps present in their systems that could 
            potentially result in data compromise.\12\ This concept 
            highlights the importance of understanding where our 
            critical nodes and concentration risks are when it comes to 
            National critical infrastructure. The SolarWinds supply 
            chain compromise demonstrates the potential devastation 
            that can come with the exploitation of critical nodes.
---------------------------------------------------------------------------
    \12\ RiskRecon, Report: The state of cybersecurity in U.S. cities 
(February 2022), available at: 
https://www.riskrecon.com/report-the-state-of-cybersecurity-in-us-cities.
---------------------------------------------------------------------------
    7. The Rise of Nationalism Fuels Divisions in the Global Digital 
        Ecosystem.--Cross-border payments play a critical role in the 
        global economy. Each step of a transaction--from capturing, to 
        processing, to authorizing a payment--relies on data, making 
        the free flow of data a critical prerequisite for a functioning 
        international payments ecosystem. Unfortunately, data 
        localization policies around the world have more than doubled 
        in 4 years. In 2017, 35 countries had implemented 67 such 
        barriers. Now, 62 countries have imposed 144 restrictions--and 
        dozens more are under consideration. These restrictions 
        introduce a new level of complexity to the ecosystem and how 
        organizations work to secure it. They require more data centers 
        in more places, reducing efficiency and driving up costs as 
        organizations work to maintain regulatory compliance. Data 
        localization also fragments cybersecurity, broadening the 
        attack surface for bad actors, limiting the scope of what 
        organizations can see, and making threat analysis and detection 
        much more complex. Global digital standards that are yet to be 
        written are an issue of cybersecurity. Every time we ignore a 
        country that promotes on-soil requirements, the ecosystem 
        becomes more fragmented and the ability of like-minded 
        governments to ensure effective cybersecurity is weakened.
           Mastercard's Partnerships to Bolster Cybersecurity
    Mastercard engages in partnerships with governments, academia, and 
the private sector from around the world to secure the entire global 
digital ecosystem from threats. Threats come from all parts of the 
world and are often not isolated to a region. Opportunities exist for 
the industry to work closely with government partners both domestically 
and internationally. The cyber threat requires like-minded 
organizations and governments to work together as one unit and use our 
shared expertise to defend ourselves in the future. It requires the use 
of creative, bold, and broadly beneficial ideas. Mastercard supports 
the sharing of intelligence and best practices across the public and 
private sectors around the world to drive detection, response, and 
interoperability of cyber defense practices.
    I would like to express our company's appreciation in the United 
States for the role that CISA has played in leading the effort in 
collaborating with the private sector to enhance the security, 
resiliency, and reliability of the Nation's cybersecurity and 
communications infrastructure.
    The financial services sector also appreciates the role that the 
U.S. Treasury plays as our Sector Risk Management Agency (SRMA). 
Treasury supports our sector to ensure that CISA receives accurate, 
comprehensive information about current sector operations and any 
potential incidents.
    Treasury coordinates with the sector and CISA to identify sector 
risks and then assesses and mitigates them by conducting regular 
exercises to test preparedness and emergency planning.
    Additionally, Mastercard participates in domestic and international 
cybersecurity exercises such as the North Atlantic Treaty 
Organization's Locked Shields and CISA's Cyber Storm. We are active 
contributors in the Financial Services Information Sharing and Analysis 
Center (FS-ISAC) and participate in sector-specific and multi-sector 
cyber defense exercises and information-sharing efforts. Mastercard 
also organizes and hosts its own cyber defense exercises for the 
financial services sector and the broader tri-sector community 
(including the financial services, energy, and telecommunications 
sectors). To provide a snapshot of some of our global cybersecurity 
partnerships, we:
   Engage with the European Cyber Resilience Board, European 
        Cyber Crime and Fraud Investigators, Europol, INTERPOL, 
        National Cybersecurity Authority and the National Cyber 
        Security Center to share cyber threat intelligence and build a 
        more secure digital ecosystem with partner communities.
   Co-lead the Financial Services Cyber Collaboration Center 
        (FSCCC) in the United Kingdom with daily meetings with our 
        partners to identify systemic risks to the financial sector.
   Partner with the National Cyber Forensics and Training 
        Alliance (NCFTA) to collaborate and combat cyber crime and 
        fraud.
   Collaborate with the Dubai International Finance Center to 
        strengthen the cybersecurity of more than 3,000-plus financial 
        institutions in the region.
   Support the Global Cyber Alliance, Cyber Readiness 
        Institute, National Cyber Security Alliance, and Small Business 
        Development Centers (SBDC) to equip small and mid-size 
        businesses with free cybersecurity tool kits, education, and 
        training.
   Strengthen workforce development, education, and training 
        through our work with the National Institute of Standards and 
        Technology (NIST) and the National Initiative for Cybersecurity 
        Education (NICE) community to ensure our workforce is prepared 
        for today's threats, as well as those threats we will face in 
        the future.
    Mastercard has centers of cyber innovation around the world:
   The Intelligence & Cyber Centre of Excellence is in 
        Vancouver, Canada. The Centre was created in partnership with 
        the Government of Canada through its Strategic Innovation Fund, 
        with an additional $510 million investment by Mastercard. 
        Opened in 2022, the Centre is leading innovation in cyber and 
        intelligence, AI, and the IoT. Research from the Centre is 
        already enhancing Mastercard solutions, and combining the 
        Centre's biometric security algorithms with existing cyber 
        capabilities is creating new approaches to enhance on-line 
        security.
   In partnership with EnelX and the Government of Israel, 
        Mastercard opened the FinSec Innovation Lab in Beer-Sheva, 
        Israel in 2021 to advance innovations in Israel in financial 
        technology and cybersecurity for the payments and energy 
        ecosystem globally. The Lab partners with Israeli startup 
        companies to test and develop products and solutions, with a 
        particular focus on cybersecurity and digital security, among 
        other fields.
   Mastercard established a European Cyber Resilience Centre in 
        Waterloo, Belgium in 2020. The Centre drives collaboration 
        between both public and private sectors as well as regulatory 
        bodies to further support enterprise resilience in the region. 
        The Centre highlights Mastercard's on-going commitment to 
        addressing threats faced by the European payments ecosystem, 
        including financial institutions and fintechs. The facility 
        serves as a single cybersecurity hub for the region, bringing 
        together a diverse pool of talent from across Mastercard's 
        global community. The Centre works with various cyber 
        intelligence centres, industry groups, law enforcement 
        agencies, and central banks across Europe and helps drive 
        better prevention and mitigation practices against 
        international cyber crime and wider security threats.
   Mastercard established a Fusion Center in St. Louis, Mo. The 
        Fusion Center leads and synchronizes Mastercard global 
        resources to anticipate, identify, and mitigate fraud and cyber 
        and physical security threats or events requiring a joint 
        response in order to protect Mastercard and contribute to the 
        financial ecosystem's security.
   Mastercard established a DigiSec Lab in England to 
        proactively test threats to all forms of digital payments in 
        coordination with government security agencies and leading 
        academics. This team deconstructs technology and identifies 
        opportunities to strengthen it and continue to protect 
        consumers, merchants, and financial institutions from fraud. 
        The team also works in close partnership with other groups to 
        deliver a multi-layered approach to address security risks and 
        concerns in digital payments.
   Mastercard operates tech hubs in Sydney, Australia; St. 
        Louis, Mo.; New York City; Arlington, Va.; Dublin, Ireland; and 
        in Pune and Vadodara, India.
                         Policy Recommendations
    I would like to offer some cybersecurity policy recommendations for 
Congress that would strengthen the U.S. and global resilience against 
cyber threats given current trends in emerging technologies:
    1. Establish a National Cybersecurity Training Center Within 
        CISA.--Congress should establish a National Cybersecurity 
        Training Center (NCTC) within CISA, which would enable CISA and 
        all critical infrastructure sectors to regularly coordinate and 
        conduct live-fire cyber training sessions that give critical 
        infrastructure owners and operators the chance to further 
        partner with the government, their sector, and cross-sector in 
        putting their cyber defense and resiliency plans into action. 
        Response plans and mitigation strategies are foundational to 
        any organization's cyber posture, but those plans are 
        meaningless if critical infrastructure owners and operators 
        have never executed them in real time under real circumstances. 
        Right now, the opportunities for most organizations to 
        undertake these tests as well as for cyber defenders to train 
        so they are skilled against world-class and nation-state 
        opposition forces are limited. But Congress can make these 
        opportunities more widely available. The NCTC would be modeled 
        after the U.S. Army's National Training Center, a large, live-
        fire and maneuver training area at Fort Irwin, Calif.
    2. Create a National Cyber Academy.--Congress should establish the 
        National Cyber Academy (NCA), which would be mostly virtual but 
        also a physical educational institution based on the current 
        model for U.S. military academies. It could help build a strong 
        cyber talent pipeline for both the public and private sectors. 
        As discussed earlier, there are not enough cybersecurity 
        professionals to fill all currently open roles, and this gap is 
        only poised to grow over the next several years in both the 
        public and private sectors. To help close this gap, I would 
        propose the establishment of the NCA to help build a strong 
        cyber talent pipeline based on common education and skill-based 
        requirements. To address the needs of both the public and 
        private sectors, the NCA would have two tracks: A traditional 
        military academy-style CISA Cadet track and an open public-
        access track. The CISA Cadet track would mirror the traditional 
        military academy processes and procedures, ending with a multi-
        year commitment to join CISA. This would enable CISA to have a 
        consistent pipeline of well-trained staff to support CISA's 
        mission as it continues to broaden in scope. The public-access 
        track would give anyone the opportunity to enhance skills 
        through certifications/classes that have been curated, vetted, 
        and widely accepted within the public and private sector. This 
        would lower the barrier for entry to a cybersecurity career 
        while giving people a clear path to demonstrate their 
        cybersecurity knowledge without the need of a traditional 4-
        year degree.
    3. Develop Within CISA a Cybersecurity Education Pathway Program.--
        Congress should create a cybersecurity education pathway 
        program within CISA that would help high school and college 
        students build foundational cyber skills while increasing the 
        visibility of cybersecurity as a career path and helping to 
        develop a long-term, sustainable, and scalable talent pipeline. 
        Addressing the cyber workforce challenge requires not only 
        filling the roles that are currently open but also taking steps 
        to address the needs of tomorrow. This pathway would ultimately 
        unify the many existing educational programs into one 
        comprehensive development track built on the same 
        infrastructure as the NCA (explained above). It would give 
        students the ability to validate their cyber education in a way 
        that is recognized and accepted by the private sector, making 
        it simpler for them to begin their careers.
    4. Establish a Tour-of-Duty Cyber Force Program Within CISA.--
        Congress should establish a tour-of-duty Cyber Force program 
        within CISA. This program would bridge urgent talent gaps, 
        enable the members of the cyber workforce to enhance their 
        skills, and support on-going efforts to deepen public-private 
        collaboration. Security practitioners would volunteer for a 1- 
        to 2-year tour of duty before returning to the private sector 
        and could serve as designated CISA liaisons to facilitate 
        public-private threat sharing and collaboration during times of 
        cybersecurity crisis. To further incentivize broad 
        participation in this program, participating organizations 
        would receive tax credits or other similar benefits.
    5. Expand the Cybersecurity Talent Initiative.--Congress should 
        appropriate additional funding to expand the Cybersecurity 
        Talent Initiative, a public-private partnership aimed at 
        recruiting and training a world-class cybersecurity workforce. 
        Through the Cybersecurity Talent Initiative, Mastercard and 
        other private-sector organizations partner with the Federal 
        Government to cultivate cybersecurity talent for both the 
        public and private sectors. In this unique program, 
        participants serve 2 years in the Federal Government. Before 
        the end of their Federal service, participants are invited to 
        apply for full-time positions with the program's private-sector 
        partners. By working for Federal organizations and cutting-edge 
        private-sector companies, participants develop the skills and 
        knowledge needed to protect our country's digital 
        infrastructure and tackle cybersecurity threats.
    6. Enhance Global, Sector-Agnostic Intelligence Sharing and 
        Analysis with the Private Sector and Allied Governments.--
        Congress should enhance CISA and the appropriate Federal 
        agencies' ability to create and participate in global, sector-
        agnostic intelligence sharing and analysis work with private-
        sector participants and allied governments. Unlocking the 
        shared ability to analyze incidents, review attack vectors and 
        spot trends across sectors is key to the continued ability to 
        defend against cyber attacks. Cyber crime is not constrained by 
        borders, political jurisdictions, or sectors. Threat actors 
        attack targets around the world, using information gained along 
        the way to improve their approach. The Federal Government and 
        industry have limited intelligence-sharing capabilities that 
        span the entire threat landscape. The digital ecosystem would 
        be better equipped to defend itself if participants had 
        enhanced capabilities to analyze incidents, review attack 
        vectors, and spot trends across sectors, geographies, and 
        governments.
    7. Promote the Harmonization of International Cybersecurity 
        Standards, Regulations, and Risk Management Frameworks.--
        Congress should adopt industry-led and internationally-accepted 
        standards, regulations, and risk management frameworks to 
        support global cybersecurity, digital trade, electronic payment 
        services, fintech, and emerging technologies. The world is 
        witnessing record levels of cyber attacks and this is in part 
        due to the lack of a global consensus to address systemic 
        cybersecurity challenges. Policy makers should also collaborate 
        with private-sector leaders that have experience aligning 
        industry-leading best practices and standards around current 
        and emerging technology. Having multiple standards, 
        regulations, and risk management frameworks globally is 
        unnecessarily complicated and costly to comply with due to the 
        web of National and regional regulations. Under current 
        cybersecurity requirements, companies must juggle many 
        competing laws across jurisdictions. There are also conflicting 
        definitions of what constitutes a cybersecurity incident and 
        what should trigger a notification to regulators and consumers. 
        This impacts interoperability and impedes open systems and 
        innovation. The global harmonization of cybersecurity 
        standards, regulations, and risk management frameworks would 
        benefit industry and governments by lowering risk, reducing 
        costs, and furthering innovation. Thus, it is critical to 
        foster partnerships among allied governments and the private 
        sector that will help shape the standards, regulations, and 
        risk management frameworks that apply to cybersecurity.
    8. Strengthen the Collaboration Between the Critical Infrastructure 
        Owners and Operators and the Intelligence Community.--Congress 
        should direct CISA and the appropriate Federal agencies to 
        strengthen active and collaborative support and engagement 
        between the intelligence community (IC) and critical 
        infrastructure owners and operators on cyber threats. Increased 
        communication between the IC and industry is needed to better 
        protect critical infrastructure. During an incident, there must 
        be a continuous, real-time, and bi-directional exchange of 
        information.
    9. Enable Trusted Data Flows and Privacy.--Congress should work 
        with the international community to remove discriminatory and 
        protectionist barriers to data flows. In addition, countries 
        should commit to recognizing the importance of setting 
        standards on privacy, such as the new Trans-Atlantic Data Privacy 
        Framework, cybersecurity, and development of data governance 
        frameworks.
    Thank you for the opportunity to testify in front of the 
subcommittee. Today's topics are critical to the future of our Nation. 
The world we're living in today looks very different than it did at the 
start of the decade. The pace of change is only increasing and our 
shift to a digital-first world is rapid and irreversible. Understanding 
the current threat landscape and the impact of emerging disruptive 
technologies are essential to our successful shared resilience 
planning, ultimately helping us to guard against strategic surprise. I 
am happy to answer any questions from the subcommittee.

    Ms. Clarke. Thank you, Mr. Green, for your testimony.
    Finally, I recognize Mr. Strayer to summarize his statement 
for 5 minutes.

STATEMENT OF ROB STRAYER, EXECUTIVE VICE PRESIDENT FOR POLICY, 
            INFORMATION TECHNOLOGY INDUSTRY COUNCIL

    Mr. Strayer. Thank you.
    Chairwoman Clarke, Ranking Member Garbarino, the 
distinguished Members of the subcommittee, thank you for the 
opportunity to testify today. My name is Rob Strayer, and I am 
the executive vice president of policy at the Information 
Technology Industry Council, or ITI.
    ITI represents 80 global leading technology companies 
covering the entire digital ecosystem, ranging from hardware 
and software producers, to digital services and cybersecurity.
    Before joining ITI, I served as the deputy assistant 
secretary for international cyber policy at the U.S. State 
Department.
    U.S. companies have long spearheaded the development of the 
most innovative digital technologies. This has produced 
tremendous economic growth.
    In 2020, the digital economy in the United States added 
$2.1 trillion in value. That represents 10.2 percent of U.S. 
GDP and it was responsible for more than 7.8 million jobs.
    U.S. National security also depends on continued U.S. 
technological leadership. The U.S. Government relies on 
leading-edge emerging technology for a wide range of 
applications, including homeland security.
    Today, other nations and their companies are competing to 
achieve the next major technological breakthrough. In this very 
competitive environment, two overarching principles should 
guide U.S. policy on emerging technology.
    First, the United States should adopt policies that enhance 
the ability of the private sector to increase the pace of 
innovation and to develop world-leading emerging technology.
    The second principle is that the United States should 
design security policies related to emerging technology that 
are risk-based and proportionate. Unduly burdensome and 
restrictive security requirements will undermine the ability to 
innovate and to keep pace with global technological 
competition.
    Over the years, the adoption of dynamic cybersecurity risk-
management practices has produced tremendous capability 
improvements for the protection of all digital technologies, 
including emerging tech, and improved their resilience.
    The fifth generation of wireless technology, or 5G, will 
enable billions of new devices to be connected to the internet. 
An increasingly connected world will also increase security 
risks, including for critical infrastructure in sectors like 
transportation, energy, advanced manufacturing, and health 
care.
    The good news is that 5G networks and standards are being 
designed with security in mind from the outset, and 5G networks 
will include the latest security enhancements.
    5G-related security policies should be risk-based and 
promote the procurement of equipment from trusted suppliers 
that adhere where possible to industry-driven, consensus-based 
international standards.
    One important international effort occurred in 2019 when 32 
countries and the private sector participated in a conference 
in the Czech Republic to create a foundation for effective 5G 
security risk management. That resulted in the publication of a 
document known as the Prague 5G Security Proposals.
    The National Institute of Standards and Technology and CISA 
also have developed risk-based 5G security assessment tools and 
mitigation measures.
    The billions of devices comprising the internet of things 
create immense opportunities for our society, but it also 
increases the attack surface area for malicious cyber actors 
seeking to exploit them.
    IoT devices need to be secure and resilient. NIST, with 
stakeholder input, has developed guidance to IoT device 
manufacturers and IoT labeling for consumers. Congress should 
support continued public-private cooperation on IoT security.
    The mass amounts of data made available by 5G networks and 
IoT devices will further innovations in artificial 
intelligence. NIST is also at the forefront of developing a 
voluntary AI risk-management framework. Organizations will be 
able to use this to mitigate security risks and other 
challenges associated with AI applications.
    In my remaining time I would like to summarize three of the 
recommendations in my written testimony.
    First, Congress should finalize negotiations on the 
Bipartisan Innovation Act. Both the House and the Senate in 
their respective bills would reinvigorate Federal research and 
development in key technological areas, including 
cybersecurity.
    These bills also embrace bold new investments to production 
design of semiconductors and for the secure deployment of 5G 
network hardware and software that utilizes radio access 
network open architecture.
    Second, Congress should encourage CISA to leverage the IT 
Sector Coordinating Council, which brings together the U.S. 
Government and private-sector stakeholders to better understand 
the scope of threats related to emerging technologies.
    Of note, the IT Sector Coordinating Council has launched an 
Emerging Technologies Working Group. It is aimed at helping 
CISA better understand cybersecurity threats and 
vulnerabilities related to emerging technologies.
    Third, Congress should continue to fund and support NIST's 
work on artificial intelligence, IoT security, and 5G security. 
NIST also is undertaking helpful work on post-quantum 
cryptography by seeking to standardize quantum-resistant 
cryptographic algorithms.
    Thank you again. I look forward to your questions.
    [The prepared statement of Mr. Strayer follows:]
                   Prepared Statement of Rob Strayer
                             June 22, 2022
    Chairwoman Clarke, Ranking Member Garbarino, and distinguished 
Members of the subcommittee, thank you for the opportunity to testify 
today. My name is Rob Strayer and I'm the executive vice president of 
policy at the Information Technology Industry Council (ITI).\1\ I lead 
ITI's global policy team, driving ITI's strategy and advocacy efforts 
to shape technology policy around the globe to enable secure 
innovation, competition, and economic growth, while supporting 
governments' efforts to achieve their public policy objectives. ITI is 
the premier advocate and thought leader in the United States and around 
the world for the information and communications technology (ICT) 
industry. We represent leading companies from across the ICT sector, 
including hardware, software, digital services, semiconductor, network 
equipment, cybersecurity, internet companies, and other organizations 
using data and technology to evolve their businesses.\2\
---------------------------------------------------------------------------
    \1\ The Information Technology Industry Council (ITI) is the 
premier global advocate for technology, representing the world's most 
innovative companies. Founded in 1916, ITI is an international trade 
association with a team of professionals on four continents. We promote 
public policies and industry standards that advance competition and 
innovation world-wide. Our diverse membership and expert staff provide 
policy makers the broadest perspective and thought leadership from 
technology, hardware, software, services, manufacturing, and related 
industries. Visit https://www.itic.org/ to learn more.
    \2\ See ITI membership list at: 
https://www.itic.org/about/membership/iti-members.
---------------------------------------------------------------------------
    Prior to joining ITI, I served as the deputy assistant secretary 
for cyber and international communications and information policy at 
the U.S. State Department. In that role, I led dozens of bilateral and 
multilateral dialogs with foreign governments on digital economy 
regulatory and cybersecurity issues. In 2018, I was the U.S. ambassador 
for the U.S. delegation to the International Telecommunication Union 
(ITU) Plenipotentiary Conference in Dubai, United Arab Emirates. Before 
joining the State Department, I was the general counsel for the U.S. 
Senate Foreign Relations Committee.
    Companies in the United States have long spearheaded the 
development of the most innovative and cutting-edge technologies. These 
technologies have produced tremendous growth for the United States and 
transformed the global economy. In 2020, the digital economy in the 
United States accounted for $2.14 trillion of value added (translating 
to 10.2 percent of U.S. GDP), $1 trillion of compensation, and 7.8 
million jobs.
    U.S. National security depends on continued U.S. technological 
leadership. This leadership drives innovation, job creation, and 
economic growth domestically and makes the United States more resilient 
and secure as we continue to set the pace for innovation. Remaining at 
the cutting edge of developing and commercializing technologies will 
ensure they are available to the private sector and the Government for 
a wide range of applications, including homeland security.
    Today, other nations and their companies are competing to find the 
next major technological advancement. In some cases, competitor nations 
and their national-champion companies go to great lengths to innovate 
and achieve a market advantage.
    Two overarching principles should guide U.S. policy on emerging 
technology. The United States should adopt policies that enhance the 
ability of the private sector and academic institutions to increase the 
pace of innovation to out-compete rivals and develop globally-leading 
emerging technology. With this global competition in mind, the United 
States should design security policies related to emerging technology 
that are risk-based and proportionate. Unduly burdensome and 
restrictive security requirements will undermine the ability to 
innovate and compete in global markets, as well as keep pace with the 
evolution of technological capabilities.
    In general, the private sector has a strong market-based incentive 
to protect technology from compromise and misuse, as that is the 
expectation of business users and consumers. The adoption of dynamic 
cybersecurity risk management practices and establishment of voluntary, 
industry-led, consensus-based cybersecurity standards have yielded 
tremendous capability enhancements for the protection of all digital 
technologies, including emerging technology, and improved their 
resilience. While these principles could be applied to any foundational 
and emerging technology, below are the technology sector's views about 
how they should be applied to securing 5G, artificial intelligence 
(AI), and the internet of things (IoT).
                              Securing 5G
    Security is fundamental to successfully deploying and using 5G. The 
future will be filled with exciting new applications and services that 
will run on top of 5G, but an increasingly connected world will also 
increase security risks, ranging from an accelerating and evolving 
cybersecurity threat landscape to concerns regarding sophisticated 
adversaries exploiting ICT supply chain vulnerabilities. Given this 
increased interconnectedness, emerging threats can pose a danger to the 
5G ecosystem more widely--for example, critical infrastructure and 
services like energy, manufacturing, and utilities--if not adequately 
planned for and managed. The good news is that 5G networks and 
standards are being designed with security in mind from the outset, and 
5G networks will include several security enhancements that will enable 
business and government enterprises to confidently deploy new 
applications and IoT services to harness the full value of 5G.
    While investments in 5G infrastructure and the accompanying digital 
transformation are well under way, consumers, businesses, and 
governments should prioritize security during the implementation and 
seek to leverage the security enhancements available for the first time 
in 5G. Industry around the world is actively working to secure mobile 
networks, including 5G. This includes investing time and resources into 
developing cybersecurity technologies and services to secure 5G 
networks and the applications and services running over them, helping 
to educate business leaders on the importance of cybersecurity 
investments, sharing operational threat information on threats 
traversing mobile networks so that relevant parties can take action, 
and participating in the development of relevant global 5G security 
standards and reference documents. Industry and government are also 
collaborating via public-private partnerships to ensure that we arrive 
at the desired policy outcome of more secure 5G networks, including 
operational partnerships to share information on threats to 5G, and 
partnerships to further supply chain risk management best practices and 
solutions. No one organization in the private or public sectors can see 
all supply chain or cybersecurity threats, so it is imperative that 
both sides work together to fully understand and assess the full range 
of potential security threats in order to develop and implement 
appropriate mitigations.
    ITI and its member companies have spent significant time 
considering how best to efficiently deploy the next generation of 
wireless technology while simultaneously ensuring that such technology 
is secure and have developed a set of 5G Policy Principles intended to 
help guide policy makers as they consider how to approach this set of 
issues.\3\ Below, we offer specific suggestions based upon that work.
---------------------------------------------------------------------------
    \3\ ITI 5G Policy Principles and 5G Essentials for Global Policy 
Makers, https://www.itic.org/policy/ITI_5G_Full_Report.pdf.
---------------------------------------------------------------------------
    5G-related security policies should be risk-based. Any policy 
intended to address challenges related to 5G security should be risk-
based, evidence-based, adaptable, and fit-for-purpose--i.e., such 
policies should address concrete, identifiable security risks. 
Governments should undertake or promote risk assessments to gain fuller 
visibility into the threat landscape, including the supply chain 
ecosystem and which risks can be mitigated and which ones cannot. 
Policies should promote the procurement of equipment from trusted 
suppliers that adhere to industry-driven, consensus-based international 
standards, consider geopolitical implications of manufacturing 
locations, localization and sourcing requirements, and encourage 
diverse supply chains to help manage risk. In some cases, the level of 
risk may justify government spending to support the replacement of 
untrustworthy ICT infrastructure. In formulating any policy related to 
5G security, we recommend that policy makers leverage the Prague 5G 
Security Proposals,\4\ which were developed at a conference where more 
than 30 countries participated, to understand relevant risk assessment 
criteria and to further effective cybersecurity risk management.
---------------------------------------------------------------------------
    \4\ https://www.vlada.cz/en/media-centrum/aktualne/prague-5g-
security-conference-announced-series-of-recommendations-the-prague-
proposals-173422/.
---------------------------------------------------------------------------
    Additionally, 5G security policies should seek to manage the full 
range of security risks to mobile network infrastructures, 
applications, and services, including devices and data. For instance, 
automated and distributed threats such as botnets will likely be a more 
pervasive issue in the context of 5G network deployment, and emerging 
technology may provide innovative cybersecurity solutions to adequately 
mitigate such threats, including through the use of AI and other 
automated tools.
    Finally, government and industry must share responsibility and 
collaborate. Government and industry share the goals of mitigating 
cybersecurity threats to network infrastructures, preventing cyber 
attacks, and reducing the impact of cyber crime. As in all areas of 
cybersecurity, achieving these goals is a collective effort. Public-
private partnerships should be leveraged to ensure that both industry 
and government arrive at the desired policy outcome of more secure 5G 
networks. Industry has developed a multitude of security best practices 
that can be referenced or built upon, and any new best practices should 
be developed in conjunction with industry. Operational partnerships are 
key as well, particularly regarding sharing information on threats to 
5G. No one organization in the private or public sectors can see all 
cyber threats, and industry often does not have access to Classified or 
Sensitive government cyber threat intelligence. It is imperative that 
both sides work together to fully understand and assess potential 
threats.
                    securing artificial intelligence
    As innovation in Artificial Intelligence (AI) continues and the 
technology itself evolves, it is important for policy makers to 
consider how to harness the benefits of AI while simultaneously 
addressing societal or other challenges that may emerge. For example, 
malicious actors can use adversarial AI to cause machine learning 
models to misinterpret inputs into the system and behave in a way that 
is favorable to the attacker. To produce the unexpected behavior, 
attackers create ``adversarial examples'' that often resemble normal 
inputs, but instead are meticulously optimized to break the model's 
performance. Malicious attackers may also attempt to influence a 
system's outputs by polluting the training data on which a model or 
system is trained--also known as data poisoning. Such pollution of the 
data can result in faulty outputs or outcomes. As such, it is important 
that businesses and the U.S. Government also invest in cybersecurity 
directed at countering adversarial AI. At the same time, adversarial AI 
represents an incremental threat compared to traditional cyber attacks, 
so it is important that governments do not place an outsized focus on 
countering it.
    Furthermore, data poisoning--or when a malicious actor pollutes a 
system's training data--can be viewed as a more pronounced form of data 
drift, which happens when AI systems are trained on bad data. Data 
drift is not due to a malicious actor attempting to manipulate the 
system, but can be due to a variety of factors, like changing the input 
data, a change in environment, errors in data collection, and others.
    In order to mitigate risks associated with the use of AI systems, 
we encourage public and private-sector stakeholders to incorporate AI 
systems into threat modeling and security risk management. This should 
include encouraging organizations to ensure that AI applications and 
related systems are in scope for organizational security program 
monitoring and testing and that the risk management implications of AI 
systems as a potential attack surface are considered. We are 
particularly supportive of the on-going collaborative work being 
undertaken by the U.S. National Institute of Standards and Technology 
(NIST) to develop a voluntary AI Risk Management Framework, which 
organizations will be able to leverage to mitigate security and other 
risks that may be associated with particular uses of the technology.
    We also encourage policy makers to support the use of strong, 
globally accepted and deployed cryptography and other security 
standards that enable trust and interoperability in AI systems. The 
tech sector incorporates strong security features into our products and 
services to advance trust, including AI systems. Policy makers should 
promote policies that support using published algorithms as the default 
cryptography approach as they have the greatest trust among global 
stakeholders, and limit access to encryption keys.
    Although there are new risks that may be introduced with AI 
technology, we also want to emphasize that AI and machine learning can 
be leveraged to improve cybersecurity. Indeed, defensive cybersecurity 
technology should embrace machine learning and AI as part of the on-
going battle between attackers and defenders. The threat landscape 
constantly evolves, with cyber attacks that are complex, automated, and 
constantly changing. Attackers continually improve their sophisticated 
and highly automated methods, moving throughout networks to evade 
detection. The cybersecurity industry is innovating in response: Making 
breakthroughs in machine learning and AI to detect and block the most 
sophisticated malware, network intrusions, phishing attempts, and many 
more threats. Other examples include using AI to identify unknown IoT 
devices as well as suspicious device behavior, to uncover suspicious 
Domain Name System (DNS) activity, and to stop incoming threats.
    Because of this, we encourage the U.S. Government to develop 
policies that support the use of AI for cybersecurity purposes. 
Cybersecurity tools and capabilities should incorporate AI to keep pace 
with the evolving threat landscape, including attackers who are 
constantly improving their highly automated methods to penetrate 
organizations and evade detection. Defensive cybersecurity technology 
can use machine learning and AI to more effectively address today's 
automated, complex, and constantly evolving cyber attacks. When 
combined with cloud, AI can help to scale cyber efforts through smart 
automation and continuous learning that drives self-healing systems. To 
support and enable the use of AI for cybersecurity purposes, policy 
makers must carefully shape (or reaffirm) any policies related to 
privacy to affirmatively allow the use of personal information, such as 
IP addresses, to identify malicious activity.
                    securing the internet of things
    The growth of network-connected devices, systems, and services 
comprising the internet of things (IoT) creates immense opportunities 
and benefits for our society. To reap the benefits of connected devices 
and to minimize the potentially significant risks posed by malicious 
actors seeking to exploit them, these devices need to be secure and 
resilient. Unfortunately, as the number of connected people, 
businesses, and devices grows, so does the potential for malicious 
attacks. Today, the destructive potential of cyber attacks can 
increase exponentially when such attacks leverage massive quantities of 
connected IoT devices. As risks to the global digital ecosystem, 
including IoT, continue to grow, so does our need to restore trust and 
confidence in connected devices and the IoT and larger ecosystems to 
advance not only security but economic growth and innovation. To help 
policy makers and stakeholders better ensure the security of the IoT 
ecosystem, ITI developed a set of IoT Security Policy Principles, which 
we encourage Congress and policy makers more broadly to use as a 
guide.\5\ Below are several suggestions relevant to the issues being 
discussed today.
---------------------------------------------------------------------------
    \5\ ITI IOT Security Policy Principles, https://www.itic.org/
policy/ITIIoTSecurityPolicyPrinciples.pdf.
---------------------------------------------------------------------------
    It is imperative that all stakeholders collaborate to take a 
thoughtful, holistic approach to securing the various parts of networks 
and complex ecosystems that make up the IoT, and not only focus on the 
device. An inclusive process must focus on end-to-end security, 
including security-by-design techniques and secure development life 
cycles. As global concerns regarding IoT security--including concerns 
about sophisticated automated and distributed threats such as botnets 
that exploit insecure IoT devices--have continued to grow, policy 
makers have disproportionately focused on IoT product security without 
addressing the broader issues related to securing the IoT ecosystem. 
Many policy proposals have only targeted individual components of the 
ecosystem, rather than focusing on ecosystem security as a whole. For 
instance, some policies propose that internet service providers (ISPs) 
should simply shut down all botnets, or that manufacturers of billions 
of devices should make them universally secure. Such overly simplistic 
solutions fail to address the fundamental need to secure the ecosystem. 
Regardless of which security measures are taken at the device, network, 
or software level, if these components of the ecosystem are addressed 
in isolation, efforts will ultimately fail. Taking a holistic view is 
therefore a superior approach.
    While ecosystem-wide security is important, industry-driven 
consensus around baselines and standards is essential for IoT devices. 
Developing a common set of best practices and secure capabilities that 
are broadly applicable across all IoT devices with varying levels of 
complexity and are driven by market demand will help to improve all new 
IoT devices' cybersecurity. Building broad industry consensus around an 
IoT security baseline will also facilitate more effective government-
industry collaboration on this issue, helping to drive interoperable 
IoT security policies world-wide. In addition, establishing a core 
baseline will promote globally interoperable standards and advance 
innovation world-wide to improve IoT security. Governments should 
continue to encourage open and international security standards to 
maintain the long-term viability of the IoT and to foster solutions 
that are interoperable and reusable across a variety of use case 
deployments, vendors, sectors, and geographies.
    To fully realize the benefits offered by IoT, governments should 
promote policies that help break down barriers to connecting devices 
and correlating data while protecting privacy and security. Government 
bodies should examine the technologies underlying the IoT and assess 
where current authority, oversight, and regulation already exist and 
avoid siloed, sector-specific regulatory approaches. Policy makers and 
regulators should reinforce private-public cooperation on IoT issues to 
help identify cybersecurity solutions and better coordinate the many 
IoT security-related policy efforts currently in progress across the 
U.S. Government and globally. In the United States, the National 
Institute of Science and Technology's (NIST) on-going commitment to 
industry outreach in developing an IoT security framework provides an 
excellent example of such cooperation.
    The U.S. Government should promote global harmonization of any 
mandatory IoT requirements published by individual States, sector-
specific agencies, or countries in order to prevent unhelpfully 
fragmenting the global IoT security landscape. Such fragmentation would 
ultimately limit the growth of a secure IoT by reducing the 
efficiencies of scale in development, manufacturing, support, training, 
assessment, and identification of secure IoT products. It will also 
make it more difficult for industry to comply with such divergent 
requirements, hampering global business and trade. The long-term 
security and resilience of the internet and communications ecosystem 
requires a global and holistic approach involving the adoption of 
baseline security practices by stakeholders in many different 
countries, industries, and segments of the ecosystem.
    To combat an increasingly divergent policy environment, policy 
makers should prioritize global harmonization and regulatory 
cooperation to support a voluntary, industry-driven consensus around 
core baseline capabilities for IoT security that are grounded in global 
standards. Finally, stakeholders and consumers must understand that 
connecting IoT devices or equipment to the internet is a long-term 
commitment, not a one-time design and manufacturing cost. IoT security 
demands dynamic, flexible market-driven solutions that are nimble and 
adaptable to evolving cyber threats, including those specific to the 
proliferation of IoT devices, rather than regulatory compliance 
mechanisms that differ by local or national jurisdiction.
                             cybersecurity
    As this subcommittee has recognized, cybersecurity is one 
particular type of security issue impacting all digital technologies, 
and it is certainly vital for the security of emerging technologies. 
For ITI members, facilitating the protection of our customers 
(including governments, businesses, and consumers), securing and 
protecting the privacy of individuals' data, and making our 
intellectual property, technology, and innovation available to our 
customers to enable them to improve their businesses are core drivers 
for our companies. Consequently, ITI has been a leading voice in 
advocating effective approaches to cybersecurity, both domestically and 
globally. Cybersecurity is rightly a priority for governments and our 
industry, and we share a common goal of improving cybersecurity.
    As both producers and users of cybersecurity products and services, 
our members have extensive experience working with governments around 
the world on cybersecurity policy. In the technology industry, as well 
as banking, energy, and other global sectors, when discussing any 
cybersecurity policy, it is important to consider our connectedness, 
which is truly global and borderless.
    The NIST Cyber Security Framework (CSF) has provided immense value 
to users, within critical infrastructure, and beyond. ITI has been 
engaged in NIST's CSF efforts for the better part of a decade, working 
to provide constructive input and shape the Framework to make it as 
useful as possible. The CSF has been a highly useful tool for 
cybersecurity risk management, offering a baseline approach for 
organizations seeking to institute such a process. Indeed, to the 
extent the goal of the Framework was to provide a common language for 
organizations, it has certainly achieved that, proving useful for 
communicating about cyber risk both within and between organizations. 
This is one of the major benefits of using the Framework. Mapping to 
consensus standards and control sets helps to provide a common, 
international understanding of the intention of the categories and 
subcategories, and the Implementation Tiers provide a reference point 
for organizations to evolve their ability to cybersecurity programs. 
The CSF has also provided for a risk-based, flexible approach, allowing 
organizations to develop a cyber risk management program that is 
appropriate for their level of risk and desired outcomes.
    Even though the original target audience for the CSF was critical 
infrastructure owners and operators, it is now widely adopted, and 
companies and institutions developing and commercializing emerging 
technologies can certainly employ the CSF for their cybersecurity--some 
of which may be part of critical infrastructure supply chains. Small- 
and medium-sized businesses and institutions, however, may face 
resource constraints or have a lack of personnel with the skills and/or 
knowledge needed to digest, understand, and apply the Framework. This 
is an area worth further inquiry.
                            recommendations
    (1) Congress should finalize negotiations on the Bipartisan 
Innovation Act. Both the House and Senate in their respective bills 
have embraced bold new investments in foundational technologies that 
are critical for American competitiveness, including $52 billion to 
incentivize American production and design of semiconductors and $1.5 
billion for the Public Wireless Supply Chain Innovation Fund to support 
the deployment of 5G and next-generation network hardware and software 
utilizing radio access network open architecture. Both chambers' bills 
also reinvigorate Federal research & development in key technology 
areas, including cybersecurity specifically. This legislation is 
urgently needed to strengthen our national innovation ecosystem and 
translate new research into commercialized technology, which when 
coupled with the bills' investments in manufacturing will result in 
high-tech jobs and new firms in communities across the country.
    (2) Congress should use its oversight authorities to help 
coordinate and streamline Federal policy making efforts to address 
cybersecurity and emerging technologies. ITI supported the recently-
passed Cyber Incident Reporting legislation, and appreciated the 
collaborative approach this committee took to developing the bill and 
its regulations. Since the beginning of the current Congress on January 
3, 2021, there has been a plethora of bills on cybersecurity and 
emerging technologies. We encourage this subcommittee and other 
relevant committees to focus on the driving power of Congressional 
oversight to help Federal agencies successfully and completely 
implement these new requirements and various lines of effort.
    (3) Congress should encourage CISA to leverage the IT Sector 
Coordinating Council (IT SCC) to better understand the scope of threats 
related to emerging technologies. The Information Technology Sector 
Coordinating Council (IT SCC) serves as the principal entity for 
coordinating with CISA and the government generally on a wide range of 
critical infrastructure protection and cybersecurity activities and 
issues. The IT SCC brings together companies, associations, and other 
key IT sector participants, to work collaboratively with the Department 
of Homeland Security and CISA, as well as other government agencies and 
partners. Through this collaboration, the IT SCC works to facilitate a 
secure, resilient, and protected global information infrastructure. Of 
note, the IT SCC has launched an Emerging Technologies Working Group, 
aimed at helping CISA better understand cybersecurity threats and 
vulnerabilities related to emerging technologies, including those that 
may stem from AI, 5G, and quantum information sciences. The IT SCC 
recently published a set of AI Policy Principles, based upon ITI's 
Global AI Policy Recommendations, which offer guidance to policy makers 
around how to best leverage this emerging technology to counter 
threats. Congress should encourage CISA to continue to leverage the IT 
SCC, and the Emerging Technologies working group, to understand how it 
should appropriately scope its work to address potential threats to 
critical infrastructure moving forward.
    (4) Beyond CISA and the IT SCC, Congress should encourage robust 
and continuous cooperation between the U.S. Government and industry. 
Policy makers and companies each have important and distinct roles to 
play in addressing technology-related National security risks. The U.S. 
Government has information that companies do not have about National 
security threats. Companies have information that governments do not 
have about their network operations and how they detect, manage, and 
defend against risks to data, systems, networks, and supply chains. 
Both policy makers and industry should communicate regularly and 
robustly about relevant risks (consistent with limitations relating to 
Classified information and business confidentiality), including through 
opportunities for industry input in regulatory rule-making processes, 
public-private task forces and other collaborative mechanisms, and 
informal relationships between policy makers and companies.
    (5) Avoid overbroad regulatory approaches, which may not serve to 
mitigate security risk, and which could instead hamper innovation. As 
the U.S. Government is considering how to best harness emerging 
technologies while simultaneously mitigating security risks, we urge it 
to carefully evaluate the costs and benefits of any regulatory approach 
before adopting it. Indeed, many of these technologies are nascent, and 
overbroad, ill-scoped approaches may serve to hinder innovation without 
demonstrably improving cybersecurity. As such, any approach should be 
appropriately targeted, proportionate, and tied to discrete security 
(or other) risks. We elaborate on this suggestion in our Principles for 
Improved Policymaking and Enhanced Cooperation on National Security, 
Technology, and Trade.\6\
---------------------------------------------------------------------------
    \6\ ITI's Principles for Improved Policymaking and Enhanced 
Cooperation on National Security, Technology, and Trade, available 
here: https://www.itic.org/policy/us-national-security-policymaking.
---------------------------------------------------------------------------
    (6) Congress should continue to fund and support NIST work on 
Artificial Intelligence, IOT security, 5G security, post-quantum 
encryption, and other emerging technologies. As referenced in our 
testimony above, NIST is undertaking work in many areas that will be 
vital to harnessing emerging technologies while also ensuring that 
risks are appropriately managed. Indeed, NIST is developing a framework 
to better manage risks to individuals, organizations, and society that 
may be posed by specific uses of AI. It is also undertaking work to 
cultivate trust in AI technologies, including by conducting fundamental 
and applied AI research, as well as establishing benchmarks and 
developing metrics to help evaluate AI technologies. NIST is also 
undertaking helpful work on post-quantum cryptography and is seeking to 
standardize quantum-resistant public-key cryptographic algorithms, 
which will be important if large-scale quantum computers are built as 
they can break traditional public-key cryptography systems currently in 
use. We therefore encourage continued support of these NIST efforts. 
Aside from NIST, private-sector-led standardization activities, such as 
in the International Standardization Organization--International 
Electrotechnical Commission Joint Technical Committee-1, are also 
focused on AI risk management and interoperability of quantum-resistant 
cryptography.
    (7) Continue to implement the recommendations stemming from the 
National Security Commission on Artificial Intelligence (NSCAI). The 
NSCAI report offers a plethora of recommendations for the U.S. 
Government to advance trustworthy AI in different domains. Particularly 
useful in this context are those recommendations pertaining to 
countering adversarial AI, as well as those related to establishing 
confidence in AI systems. We encourage the U.S. Government to continue 
to make progress on implementing these recommendations in order to 
enable innovation and protect against malicious uses of the technology.
                               conclusion
    Future United States economic and National security depends on 
continued leadership in emerging technologies. It is possible for the 
U.S. Government to ensure that those technologies are secure, while 
continuing to promote leading-edge innovation. A track record exists 
involving AI, 5G, and IOT security of using risk-based frameworks to 
address potential vulnerabilities, with significant involvement of NIST 
in those efforts. The active collaboration among the Government, 
especially NIST and CISA, the private sector, and other stakeholders is 
essential for the evolution of frameworks that will protect and enhance 
emerging technologies. As new digital technologies emerge, malicious 
actors will seek to compromise them, so new frameworks will need to be 
developed to address those challenges.

    Ms. Clarke. Thank you, Mr. Strayer.
    I thank all of our witnesses for their testimony today.
    I will remind the subcommittee that we will each have 5 
minutes to question the panel.
    I now recognize myself for questions.
    As quantum-resistant cryptography becomes available, it is 
important that both the government and technology companies be 
prepared to implement it into their existing systems.
    Mr. Robinson, what steps have you seen the Federal 
Government and/or private sector take to prepare themselves for 
this transition? What more should both be doing going forward?
    Mr. Robinson. Thank you, Congresswoman Clarke.
    So the Government has done quite a bit. They have taken a 
first step. They have established the NIST NCCoE post-quantum 
cryptography opportunity to coalesce industry and Government 
together.
    They have also been on a journey to create the post-quantum 
cryptographic algorithms. As soon as they come out, more could 
be done around collaboration with industry, with government, 
and international and academic partners.
    Ms. Clarke. Thank you.
    For years, I have been extremely concerned by the potential 
harms posed by deepfakes where AI-enabled synthetic images or 
recordings appear to be authentic, making it difficult for 
viewers to distinguish between reality and disinformation.
    To address this challenge, I have introduced the DEEPFAKES 
Accountability Act to implement criminal and civil penalties 
for malicious deepfakes, while directing DHS to establish a 
task force to prepare for the National security implications of 
deepfakes.
    Dr. Lohn, to what extent do you assess that deepfake 
technology already creates National security risks? What should 
the Government and the private sector do today to reduce the 
security risk from deepfakes going forward?
    Mr. Lohn. I would like to thank you for your proposed 
legislation. It is a dire need. I think that deepfakes are a 
very pressing threat.
    What is out there today is already at a level that I think 
it poses a real threat. You can go to a website and just click 
a button, it will pop up a face for you, and then you click 
reload, it will give you a different face. You don't have to 
have any technological sophistication to use them, which opens 
up the aperture to a wide range of people.
    I think that increasing knowledge of these threats is 
important. But I think that what we need to do is make sure that 
we do it in a way that prioritizes reliable sources.
    There is a risk also in pushing too hard in publicizing 
these attacks and then everybody thinks that anything they see 
that they don't like is a deepfake. So we have to manage that 
balance.
    Ms. Clarke. Mr. Strayer, in the absence of additional 
regulation, what are your member companies doing today to 
ensure their technology is not being used to facilitate harmful 
deepfakes?
    Mr. Strayer. Thank you for that question.
    Each of our member companies that is involved in the 
publication of content on-line has their own internal policies 
for preventing inauthentic use of their platforms. So they have 
those policies.
    What is really important for us is to look out globally--we 
recognize the internet is global in nature--that we have a 
harmonized set of regulations and best practices so that when 
companies want to do business, not just in the United States, 
but in Europe and other markets, that they are facing similar 
types of requirements on them. So it is really important that 
those be harmonized.
    We very much look forward to working with you on your bill 
in the future.
    Ms. Clarke. Thank you.
    A recurring theme in cybersecurity is the shortage of 
trained cybersecurity professionals. In particular, we must 
ensure we are preparing today for the cybersecurity skills we 
will need in future years to address emerging technologies.
    Mr. Green, your testimony lays out several recommendations 
for CISA to expand its role in supporting the cybersecurity 
work force. Can you elaborate on what the Federal Government 
can do to support the skills necessary for emerging threats by 
quantum and AI?
    Mr. Robinson. Yes. Thank you, Chairwoman.
    A couple things that come to mind are the opportunity to 
create a cyber academy, one that is not like a brick-and-mortar 
academy, but one that will allow future Federal employees and 
pretty much anyone within the United States the opportunity to 
take virtual classes on things that they can learn about 
quantum computing and how to do that securely.
    I think other programs where the Federal Government can 
help students that are interested in cybersecurity and 
cybersecurity of quantum, take that into the government or into 
private industry.
    Ms. Clarke. I thank you.
    I now recognize the Ranking Member of the subcommittee, the 
gentleman from New York, Mr. Garbarino, for his questions.
    Mr. Garbarino. Thank you, Chairwoman.
    I just want to follow up on something that the Chairwoman 
just asked.
    Mr. Green, you did talk about a National cyber academy. I 
was going to ask if you felt it should be the need if there 
would be a brick-and-mortar academy similar to, like, the Naval 
Academy or West Point that we have now. So you think this could 
be done? You think we can train the work force with an on-line 
platform only?
    Mr. Green. I actually think you can make a hybrid 
environment. I think a brick-and-mortar just like the 
academies, having gone through one, I think it is very contrary 
to cyber. But if you have one that is more virtual, think of 
like an app store for classes, some design to deliver you a 
Federal employee that is dedicated to CISA and will take on the 
cybersecurity mission.
    But then it is also available to just the United States 
public, and people can take courses like those for that CISA 
cadet or classes aligned to what CISA believes. Those people 
could actually enter the work force.
    We have 700,000 open cybersecurity roles now. I think there 
is a tremendous opportunity to just leverage something like 
that to help get more talent into the field.
    Mr. Garbarino. All right. Thank you. We have to do 
something, because it is just going to--more and more jobs. I 
think it is one of the top 20 fastest-growing occupations, is 
cybersecurity jobs. So I think we have to do something.
    You briefly talked about a multi-year commitment to join 
CISA. What would that entail? What are you thinking about?
    Mr. Green. So this is where I see it being like one of the 
existing military academies. You take the certified or 
qualified CISA training or degree program. Upon completion, 
rather than paying back in currency, you are paying back in 
time. Just like with the academies where you graduate and you 
have a 5-year commitment, you graduate from the CISA virtual 
academy and you are committed to 4 or 5 years in order to pay 
off that debt or to complete your service for that degree.
    Mr. Garbarino. So pretty much if somebody would commit to 
going to work for CISA for 4 or 5 years, they could attend and 
get a degree covered and the cost would be covered by the 
Government. But also, your idea of this academy, regular 
citizens could take and they could pay for each course that 
they take?
    Mr. Green. Yes. Companies could actually pay for that as 
well. As part of their employment HR packages, there is 
continuing education or education programs. You, too, could 
take some of the same certifying classes that a CISA 
cybersecurity professional would take and you could protect 
Mastercard.
    Mr. Garbarino. I appreciate it. I wasn't going to go too 
much into it, but your testimony really got the wheels turning 
in my head.
    Mr. Strayer, you talked a lot about in your testimony, you 
discussed what we are doing with 5G and the technology is real. 
It is just growing at an amazing clip. But what do you see as 
the--so technologies keep growing, which is great--but what do 
you see as the biggest emerging technological threat to the 
United States as our National security or how our economic 
interests?
    Mr. Strayer. Because of the very competitive nature and the 
way that technology is iterative and there is always another 
cycle of competition on that technology, we don't want the 
United States to ever fall behind where it doesn't have access 
to the best technology.
    So I can't define exactly which of these many emerging 
technology types that we have discussed today is the one that I 
am most worried about.
    But they all have potential for the United States to fall 
behind if there is not sufficient investment in just what you 
were talking about, the human capital, as well as setting the 
right regulatory environment that allows those companies to 
keep growing and innovating. That includes not just companies, 
but academic institutions and others.
    So it is any of these. They all are going to be very 
relevant to the future.
    Mr. Garbarino. So what we should try not to do here in 
Congress is do something that would stop innovation and 
overregulate?
    Mr. Strayer. Exactly. I think the way to go about it is to 
be incremental in the way that the Cyber Incident Reporting Act 
did. It says let's get the data, let's think more about that, 
and then not be too prescriptive.
    So the incremental approach to see how industry is already 
gelling around certain risk-based standards is working, and 
then figure out where those gaps are and apply risk-based 
analysis about whether it is worth regulating further, if it is 
actually needed to be done.
    Mr. Garbarino. I appreciate your answer.
    I am running out of time. So I yield back. Thank you, 
Chairwoman.
    Ms. Clarke. I thank the Ranking Member.
    The Chair will now recognize other Members for questions 
they may wish to ask our witnesses. In accordance with the 
guidelines laid out by the Chairman and Ranking Member in their 
February 3rd colloquy, I will recognize members in order of 
seniority, alternating between Majority and Minority. Members 
are also reminded to unmute themselves when recognized for 
questioning.
    The Chair recognizes for 5 minutes the gentlewoman from 
Texas, Ms. Sheila Jackson Lee.
    Ms. Jackson Lee. Thank you so very much, Madam Chair. I 
really do appreciate this hearing and also the experts that 
have discussed the issue of technology.
    Let me ask this question really as quickly as I can to all 
of the witnesses, and starting with Mr. Robinson.
    We know that the U.S. policy framework for securing 
critical infrastructure, I think it is called the Presidential 
Policy Directive 21, PPD-21, has been at the status quo level 
for a very long time.
    The first question I want to ask is, from your perspective, 
with the new technology, what is the most severe security 
threat you perceive that we have that would be impacting 
Americans in the private sector in particular, but also public? 
How do we modernize this Presidential policy directive?
    Starting with Mr. Robinson.
    Mr. Robinson. Thank you, Congresswoman Jackson Lee, for the 
great question.
    Our critical infrastructure needs to be protected. 
Essentially, NIST has post-quantum cryptography algorithms that 
have been under evaluation for some time, and we need those 
algorithms today so we can start remediation of our critical 
infrastructure, the banking industry and the telecommunications 
industry, all industries which underpin our economic and our 
communication systems.
    We essentially need to secure our internet, which is the 
pipes that run our economy.
    Essentially, having cryptography that is what I would call 
cryptography that is unsecure is like having the pipe. It is 
pervasive and we need to change our pipe.
    Ms. Jackson Lee. Very good.
    Mr. Green, I will go with you next and then Mr. Lohn.
    Mr. Green, the greatest threat? Can we modernize our 
Presidential order?
    Mr. Green. Congresswoman, one of the greatest threats that 
I think that is out there is the ``unintended insider,'' which 
is people that you can fool into doing things that would 
compromise your company or leave a vulnerability open to you.
    So the more that we can educate or help inform everyday 
Americans about some of the basic security requirements or 
hygiene, I think that is still a huge opportunity that will 
help the individual American, but also the companies that they 
are a part of.
    When it comes to updating the Presidential directive, I 
don't have that consideration for you now, but I am happy to 
come back with a more fulsome answer for you.
    Ms. Jackson Lee. That would be very good. Thank you so very 
much.
    I am trying to get to another question.
    Mr. Lohn, I believe?
    Mr. Lohn. Yes. Then I will go very quickly.
    I think that there are two to be very concerned about.
    One is about the largest impact is about critical 
infrastructure. There are adversary nations with intent and 
capability to--well, with capability and not yet intent to 
disrupt our infrastructure, like the pipelines or electricity 
grid. If that intent were to come around, that would be very 
bad.
    Where they do have intent and capability is in espionage 
and in misinformation, and we are seeing those daily.
    Ms. Jackson Lee. We are seeing them quite frequently.
    Mr. Strayer.
    As I do that, I hope that I will have enough time to ask 
the question almost as if we were in an emergency condition and 
some incident happened around the Nation. The question would be 
whether the U.S. Government is able to triage support to the 
Nation's most vital regionally or nationally significant assets 
if there was a crisis.
    Mr. Strayer, you may want to take the greatest threat and 
whether we are able to meet that threat, whether we could 
triage. Maybe I will have time for somebody else to answer that 
as well.
    Mr. Strayer. Yes, thank you for that question.
    The Department of Homeland Security, especially CISA, has 
matured its capabilities over time. So I think we are in a much 
better position to do that kind of triage than we were, say, a 
decade ago, but there still remains work to be done there.
    Ms. Jackson Lee. Anyone else want to take that? Are we 
ready to be able to respond to a crisis from the Government's 
perspective from what you have seen or what you know? We know 
CISA has done great work.
    Mr. Green. So I think CISA has done a great deal of work. I 
think they are working on an effort to help get to National 
prioritization of assets. That will require a lot more 
continued work and focus. The opportunity is there. It is just 
work that has to be done and must be done.
    Ms. Jackson Lee. Great.
    Anyone else? Seconds on the clock. OK.
    Let me thank you very much for this hearing and also for 
the insight of the witnesses. I know that we will be 
collaboratively working together.
    Thank you. I yield back.
    Ms. Clarke. The gentlelady yields back.
    The Chair now recognizes for 5 minutes the gentlewoman from 
Tennessee, Mrs. Harshbarger, for 5 minutes.
    Mrs. Harshbarger. Thank you, Chairwoman and Ranking Member.
    Thank you for the witnesses for being here today.
    With the quantum and with the cybersecurity issues we face, 
when you find out the Government has been hacked in so many 
ways and it takes the private sector to tell us, that is a 
problem in my eyes.
    I want to start with Mr. Robinson.
    You talked about basically by the end of the decade we 
could do some quantum busting. We know that China is ahead of 
us in AI. I mean, where is China's progress? Where are they at 
with this quantum busting? Do you have any idea, sir?
    Mr. Robinson. Bottom line up front, conventional wisdom is 
10 years. I am in a position only to discuss how we see where 
the time line lies. I would have to defer to others on what 
other nation-states are doing.
    I can say that there is significant investment and we need 
to invest equally.
    Mrs. Harshbarger. Yes. I totally agree.
    Mr. Green, I have a question for you. Since Mastercard is 
used all over the world basically, what is the relationship 
between data privacy and cybersecurity in your eyes?
    I want to know your thoughts on cyber insurance, too, for a 
lot of companies and how that affects things. Is it good, bad, 
or indifferent? Does it give us a sense of false security? If 
you will elaborate a little bit on that.
    Mr. Green. Sure. Cybersecurity and privacy should be hand-
in-hand. I mean, they are at Mastercard. Our belief on privacy 
is a person should know and be able to control the information 
that we or any organization has, and we use those principles as 
we do our work around the globe.
    When it comes to insurance, I think there is an opportunity 
to do a lot of good there. I think the cyber insurance 
industry, it has matured a lot along the way, but I think there 
is still an opportunity for it to get better about knowing and 
understanding the security maturity of an organization that is 
acquiring the insurance.
    That will help to drive better behavior, because the more 
that you can demonstrate the proper level of maturity, the 
lower your rates should be and the more coverage you should 
get.
    So there is an opportunity there. I don't think it is where 
we need it to be just yet.
    Mrs. Harshbarger. Absolutely.
    Going back to the National cyber training center, I think 
that has been thrown around and discussed by different 
colleagues as far as like an academy or what have you.
    You are telling me that we are down 700,000, we have 
openings for 700,000 cybersecurity roles basically. I had heard 
that it was close to a million.
    That is unbelievable, that we would have that many 
openings. But it is all about the training aspects, and we need 
to address that in so many ways.
    There are so many questions that I have. It is just how do 
we stay ahead of these, just like the deepfakes, the writing of 
text?
    How does anybody--anybody can answer this--how do we stay 
ahead of that? How do we know the information we are getting is 
not going to change our opinion or even here in Congress affect 
how we legislate basically?
    I think--I can't remember which one was talking about the 
deepfakes. Who has access to this and who is doing this 
basically?
    Mr. Lohn. Thank you. I believe that that was me.
    With deepfakes technology you can create images. Anybody 
can do it. It is not that hard to do. To do video is harder, but 
individuals can do it.
    The text until recently was only a couple of technology 
giant companies. But in the last couple months some highly 
effective models have been released. So anybody has access to 
that as well. So we need to be aware of the threat that is 
coming and existing.
    Now, people having the ability to use these things and 
having them actually use them are different things. We haven't 
seen too much that is really clear that they are being used 
maliciously. So that is promising.
    We are also starting to be more aware of them in more cases 
public discussion is raising. So we also want to just watch the 
sources, certain places.
    The big advantage of deepfakes and tech generation is that 
you can make lots of it, but you can only distribute lots if 
people are allowed to distribute lots of them. So you can 
monitor in that sense, too.
    Mrs. Harshbarger. I appreciate your being here.
    I will yield back. Thank you.
    Ms. Clarke. The gentlelady yields back.
    The Chair now recognizes for 5 minutes the gentlewoman from 
New York, Miss Rice.
    Miss Rice. Thank you so much, Madam Chairwoman.
    Stony Brook University on Long Island, of which I represent 
a piece, is one of the foremost academic institutions 
developing innovative quantum technologies and building our 
understanding of how to apply them to real-world uses, like 
superdense coding and quantum encryption.
    In fact, one of Stony Brook's quantum communication 
networks passes right through my home town of Garden City.
    Stony Brook is a member of the Quantum Economic Development 
Consortium, or the QED-C, which aims to foster and grow the 
U.S. quantum industry with Federal support. It also came about 
pursuant to legislation that was passed by this House in 2018.
    Mr. Robinson, you have emphasized the important role 
academia and research institutions like Stony Brook will play 
in conducting fundamental quantum research and migrating our 
world to quantum computing networks. Some of our most important 
work is already coming out of Government-backed collaborative 
projects like QED-C.
    How can Congress and Federal agencies continue to support 
initiatives like QED-C and further develop a robust and nimble 
quantum research ecosystem? Are there particular programs or 
initiatives that have been especially successful so far?
    Mr. Robinson. Thank you, Congresswoman Rice. Thank you for 
the continued support of QED-C.
    I am currently the Quantum Economic Development Consortium 
Workforce chairman, and there are many efforts under QED-C that 
are on-going that are providing bridges to universities 
throughout our Nation, to include Stony Brook.
    Stony Brook, in partnership with Brookhaven National 
Laboratory, participates in the IBM Quantum Network. Through 
this network, IBM hosts developer boot camps, hackathons, 
hands-on training, open-source IBM Quantum Experience, which is 
our cloud service.
    We also support Brookhaven's National Quantum Initiative 
DOE Center, and Stony Brook is a part of that. QED-C is heavily 
involved with collaboration, not only in the United States, but 
also with our allies and partners. So continued funding of NIST 
to support QED-C is imperative in my view.
    There is a diversity and inclusion program at QED-C, which 
I am a part of, as a team. There is an emerging technology 
group.
    So we are very thankful of the Quantum Economic Development 
Consortium for the collaboration work that they do, and we 
encourage you to continue to fund them.
    Mrs. Harshbarger. OK. That is good to hear.
    Mr. Green, in your role at Mastercard and as chair of the 
Financial Services Sector Coordinating Council, you lead 
Mastercard's own threatcasting work and are tasked with 
synthesizing your insights with those drawn from your industry 
peers.
    How can CISA and the Federal Government better incorporate 
threatcasting and forward-looking perspectives as we develop 
quantum technology?
    How can we better coordinate with our global allies, 
because this has to be a global effort with our allies as we 
work to predict and understand these potential threats to our 
National and economic security?
    Mr. Green. Thank you, Congresswoman Rice.
    The threatcasting is a framework that helps people think 
through what possible futures are. I think CISA is actually 
well-positioned to connect to subject-matter experts. The power 
of threatcasting is you have to be able to access subject-
matter experts in order to answer the pertinent question that 
you are trying to address. So having the current relationships 
with the wide array of folks that they have now.
    Then it will work globally as well. I just came back from 
Dublin where we did our second half of the year threatcasting. 
We used teams, even government officials from the local Irish 
government and also from the European Union, as a part of our 
subject-matter expert base.
    Then the power of the threatcasting is also in you predict 
the future and then you do a backcast that figures out, when a 
future is happening, what kind of protective steps or measures 
you can implement to deflect or stop that bad future from 
becoming true.
    Miss Rice. Thank you so much to all the witnesses.
    I yield back the balance of my time, Madam Chairwoman.
    Ms. Clarke. I thank the gentlelady.
    The Chair now recognizes for 5 minutes the gentleman from 
New York, Mr. Torres.
    Mr. Torres. Thank you, Madam Chair.
    Thinking about emerging technologies has me feeling like we 
are destined to live in a dystopia of undetectable deepfakes 
and disinformation.
    Are there or will there be deepfakes that are so seemingly 
real as to evade detection by even our best experts with our 
best tools of analysis, Doctor?
    Mr. Lohn. Yes. I think the short answer is yes. But we 
should keep working to advance our detection ability. But we 
might need to shed some of our effort from just detecting what 
is a deepfake to its provenance, how did it come to be, and 
that might be a better long-term solution.
    Mr. Torres. In the wake of SolarWinds, the Federal 
Government has prioritized harnessing the power of AI to create 
endpoint detect and response systems that can detect anomalous 
behavior on a network.
    Is there presently AI technology that could have prevented 
SolarWinds' intrusion or could have detected it earlier?
    Mr. Lohn. Not that I am aware of, no. I would have to look 
into the details of that specific attack. But it is very 
difficult--yes, not that I am aware of.
    Mr. Torres. OK.
    Mr. Robinson, I am going to follow up. You have been asked 
about quantum computing.
    Is the Federal Government acting swiftly enough to develop 
a quantum-resistant cryptography?
    Mr. Robinson. We are thankful for the National Quantum 
Initiative investment by the Federal Government. But the answer 
as far as post-quantum cryptography, we need those NIST 
algorithms today. We need those NIST post-quantum cryptographic 
algorithms to start to do remediation.
    On the quantum computing side, there is a lot of work force 
development that needs to occur. The average person still 
doesn't really understand what quantum computing is. So the 
Government can do more to effect that.
    Mr. Torres. China will ultimately develop the capacity to 
launch cryptographic attacks from a quantum computer, attacks 
capable of breaking traditional encryption.
    Are you confident that we are going to develop quantum-
resistant cryptography before then?
    Mr. Robinson. Yes, I am confident. NIST took the approach 
of having multiple algorithms, and there is new technology for 
cryptographic agility that will give us an ability to swap that 
in and out.
    The challenge is, is that we won't know when that occurs. 
So we have to be prepared now.
    Mr. Torres. To what extent--are we lagging behind China 
when it comes to investing in quantum computing? Are you 
confident that the COMPETES Act in the House and the USICA in 
the Senate are sufficient to close the gap?
    Mr. Robinson. I am not in a position at this time to have 
confidence that we will make it. But I do know this: We must 
pass the USICA Act if we want to be able to thwart the threat. 
The USICA Act and the Innovation Act are critical.
    Mr. Torres. Mr. Green, just to follow up on a question that 
Congress Member Rice asked about threatcasting.
    How would that apply to preparing for the future security 
risk of 6G, which is set to be rolled out or projected to be 
rolled out by 2030? Would that be an example of threatcasting 
at work?
    Mr. Green. Yes. I would say that is a perfect opportunity 
to leverage threatcasting. It would require us to pull in the 
subject-matter experts around 6G communications.
    You would want policy experts, different business experts 
that would be affected by it. Then you give them the 
opportunity to think of the worst-case scenarios that could 
manifest themselves related to the implementation of the new 
technologies.
    Then you do the backcast. Again, the backcast from the 
possible future is the most important part because you can put 
in flags.
    In backcasting you develop flags so that as a future is 
unfolding, if it is unfolding on the planned 10 years, you will 
see the flags manifest themselves along the way to the 10 
years. So you will know if it is going to be a 5-year future or 
a 15-year future.
    Then the reactive leverage you put in place gives you 
potential solutions to drive on if a future is starting to come 
true.
    Mr. Torres. Then I will try to quickly squeeze in a 
question.
    What efforts are being undertaken to ensure that the 
encryption of blockchain is quantum resistant? I will leave it 
at that.
    Mr. Robinson. Thank you, Congressman Torres.
    So the same cryptographic algorithms that NIST is working 
on can be applied in that space. Essentially they are KEMs and 
digital signatures, which could be applied to blockchain. As I 
mentioned, it underpins our banking, our telco industry, and 
essentially affects our economy.
    This is furthermore a reason why NIST should have 
continuous funding for NCCoE and the program to coalesce the 
Government, as well as industry, around post-quantum 
cryptography.
    Ms. Clarke. The gentleman yields back.
    I want to thank the witnesses for their valuable testimony 
and the Members for your outstanding questions today.
    The Members of the subcommittee may have additional 
questions for the witnesses, and we ask that you respond 
expeditiously in writing to those questions.
    The Chair reminds Members that the subcommittee record will 
remain open for 10 business days.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 3:37 p.m., the subcommittee was adjourned.]