[Senate Hearing 118-136]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 118-136

                          ADVANCED TECHNOLOGY:
                 EXAMINING THREATS TO NATIONAL SECURITY

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                EMERGING THREATS AND SPENDING OVERSIGHT

                                 of the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS


                             FIRST SESSION

                               __________

                           SEPTEMBER 19, 2023

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs





                [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]






                 U.S. GOVERNMENT PUBLISHING OFFICE

53-708 PDF                WASHINGTON : 2023












        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman

THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
           William E. Henderson III, Minority Staff Director
                     Laura W. Kilbride, Chief Clerk
                   Ashley A. Gonzalez, Hearing Clerk


        SUBCOMMITTEE ON EMERGING THREATS AND SPENDING OVERSIGHT

                 MAGGIE HASSAN, New Hampshire, Chairman

KYRSTEN SINEMA, Arizona              MITT ROMNEY, Utah
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
JON OSSOFF, Georgia                  RICK SCOTT, Florida

                    Jason M. Yanussi, Staff Director
                       Nick Caron, Policy Advisor
           Scott Maclean Richardson, Minority Staff Director
        Margaret E. Frankel, Minority Professional Staff Member
                      Kate Kielceski, Chief Clerk








                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Hassan...............................................     1
    Senator Romney...............................................     2
    Senator Lankford.............................................    18
Prepared statements:
    Senator Hassan...............................................    31
    Senator Romney...............................................    33

                                WITNESS

                      Tuesday, September 19, 2023

Gregory C. Allen, Director, Wadhwani Center for AI and Advanced 
  Technologies...................................................     4
Jeff Alstott, Ph.D., Senior Information Scientist, RAND 
  Corporation....................................................     6
Dewey Murdick, Ph.D. Executive Director, Center for Security and 
  Emerging Technology............................................     8

                     Alphabetical List of Witnesses

Allen, Gregory C.:
    Testimony....................................................     4
    Prepared statement...........................................    34
Alstott, Jeff Ph.D.:
    Testimony....................................................     6
    Prepared statement...........................................    44
Murdick, Dewey, Ph.D.:
    Testimony....................................................     8
    Prepared statement...........................................    49

 
                          ADVANCED TECHNOLOGY:
                 EXAMINING THREATS TO NATIONAL SECURITY

                              ----------                              


                      TUESDAY, SEPTEMBER 19, 2023

                                     U.S. Senate,  
                       Subcommittee on Emerging Threats and
                                        Spending Oversight,
                    of the Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:31 p.m., in 
room 562, Dirksen Senate Office Building, Hon. Margaret Hassan, 
Chair of the Subcommittee, presiding.
    Present: Senators Hassan [presiding], Rosen, Romney, 
Lankford, and Scott.

             OPENING STATEMENT OF SENATOR HASSAN\1\

    Senator Hassan. Before we get started today, I wanted to 
take a moment, Senator Romney, to reflect on the impact that 
you have had on the Senate in the time that you have been here 
and note how much I am going to miss working with you when you 
retire.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Hassan appears in the 
Appendix on page 31.
---------------------------------------------------------------------------
    Ranking Member Romney has been an incredible partner both 
on this Committee and in the important bipartisan legislation 
that the Senate has passed in the last few years. Senator 
Romney, your dedication to public service is clear, and the 
people of Utah, Massachusetts, and the United States are better 
off due to your years in elected office.
    Thank you for your hard work, and there is more hard work 
to do, so I look forward to continuing our important work for 
the remainder of this Congress. With that, I am going to say 
good afternoon to everybody and welcome our distinguished panel 
of witnesses.
    Thank you all for appearing today to discuss potential 
threats to national security posed by advanced and emerging 
technologies, and what steps the Federal Government can take to 
mitigate risk and encourage the responsible development of next 
generation technologies.
    I also want to thank Ranking Member Romney and his staff 
for working with us on this hearing and for our continued 
partnership to address emerging threats to the Nation. Today's 
hearing brings together a group of experts in technology policy 
who have previously served as government officials and who are 
now providing important and valued insight on the development 
and applications of advanced technologies.
    We will hear about the potential dangers to public safety 
and security that may be posed by emerging technologies such as 
artificial intelligence (AI) and quantum technology. We will 
also hear about the actions that Congress and the Executive 
Branch can take to mitigate these risks, while still working to 
maintain the United States' technological innovation edge and 
stay ahead of our global adversaries.
    Public and private investment in the United States have 
fueled the rapid growth and the power and availability of 
artificial intelligence, quantum computing, and other emerging 
technologies. Our nation is well positioned to benefit from the 
technological revolution that is already underway.
    However, bad actors will also undoubtedly seek to use these 
powerful technologies to launch a higher volume of new and more 
severe attacks aimed at the American people. As we will hear 
today, AI and other advanced technologies pose real public 
safety risks, which Congress is just beginning to address.
    For example, although there has been considerable 
congressional attention paid to many of the public safety risks 
posed by artificial intelligence, there has been less focus on 
so-called catastrophic risks posed by AI, such as the ability 
of AI to help terrorists develop and use unconventional 
weapons.
    I am working on a framework to support research into safer 
AI that, in its fundamental design, cannot easily be abused by 
criminals and cannot easily behave in unexpected ways that 
would harm the public.
    Congress needs to look closely at ways to require AI to be 
designed in a fundamentally safer way, and in time, require all 
AI hardware to be restricted to running only fundamentally safe 
systems.
    I look forward to hearing from all of our witnesses about 
how Congress and the Federal Government can successfully 
encourage technological growth and keep the American people 
safe, secure, and free. I now recognize Ranking Member Romney 
for his opening remarks.

             OPENING STATEMENT OF SENATOR ROMNEY\1\

    Senator Romney. Thank you, Madam Chair. I appreciate your 
willingness to hold this hearing. I particularly appreciate the 
chance to speak with these three individuals.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Romney appears in the 
Appendix on page 33.
---------------------------------------------------------------------------
    As you know, we have been receiving a lot of briefings from 
various luminaries in the technology community on matters 
relating to AI, but I am afraid they are not as closely 
involved to the nitty gritty of what is happening in the AI 
world as each of the three of you are, and therefore, I 
particularly look forward to hearing your testimony today and 
for our chance to ask you some questions.
    I am in the camp of being more terrified about AI, than I 
am in the camp of those thinking this is going to make 
everything better for the world. Even though I know in the 
analysis that has been done so far, that there are wonderful 
advances that would surely come as a result of AI.
    I just saw a study, you may have seen it, with the Boston 
Consulting Group, where they put two different groups of 
consultants on various tasks. One had access to AI. The other 
did not. The one that had access to AI ended up producing a 
superior product in most cases. It is like, that will make us 
more productive in providing advice and counsel and doing all 
sorts of other procedures in the business world. I am sure 
government can be made more effective.
    I am sure research in a whole host of areas, including 
medical, will be more effective. There are wonderful benefits, 
but at the same time, there are enormous risks to humanity at 
large, to our national security domestically, to jobs in the 
United States, to a whole host of things.
    I must admit, the frightening side has the edge, at least 
in my own thinking. The discussions that I have heard so far 
about AI look at ways for us to potentially prevent some of the 
most severe downsides.
    One is, individuals point out correctly, that we need to 
coordinate with other nations and perhaps have some kind of an 
international consortium or international agreement that 
relates to AI. I do not know how that would work, where it 
would be housed, how we would initiate that, and whether that 
is realistic.
    There has also been discussion that we need to have a 
separate agency or department of the Federal Government with 
individuals who focus on AI and look at the companies 
developing it, developing strategies, and giving advice and 
counsel to people like the Chair and myself.
    Frankly, a lot of, in my case, 76 year olds are not going 
to figure out how to regulate AI because we can barely use our 
smartphone. That is another area, which is should we have that 
kind of an agency, that kind of a department?
    There has also been a discussion that before a new AI 
generation is released to the public or put on open source, 
that it ought to go through some trial period with individuals, 
experts testing it and seeing if it can be abused, and how it 
could be abused, and perhaps limiting its public launch until 
it has actually had those potential flaws corrected. Finally, a 
question of, how can we control the world's worst actors from 
having access to a technology that they could use to threaten 
us or threaten humanity, for that matter.
    Some have suggested that because of the computing power 
necessary for AI systems to work, that we could manage the flow 
of and the presence of, if you will, large power semiconductor 
chips to see where they are, see who is making them, see where 
they go, restrict where they go. I do not know whether that is 
a realistic option for management of this or not, but I think, 
the question is, for someone like myself who is more concerned 
about the downside than the upside, my question is, and 
recognizing that this is going to be all over the world, what 
can we do to try and prevent as much of the downside as 
possible?
    With that, Madam Chair, I look forward to your questions 
and I may have one or two myself.
    Senator Hassan. Excellent. I too am more focused on the 
potential downsides here, understanding that there are, of 
course, upsides to this emerging technology as well, including 
in the health care arena. But I do not think supporting the 
emerging positive sides of this means we should not worry about 
or focus on the real risks that we face, too.
    Before we proceed to testimony, it is the practice of the 
Homeland Security and Governmental Affairs Committee (HSGAC) to 
swear in witnesses. If you will all please stand and raise your 
right hand.
    Do you swear that the testimony you give before the 
Subcommittee will be the truth, the whole truth, and nothing 
but the truth, so help you, God?
    Mr. Allen. I do.
    Dr. Alstott. I do.
    Dr. Murdick. I do.
    Senator Hassan. Thank you very much. Please be seated. Our 
first witness today is Gregory Allen. Mr. Allen is the Director 
of the Wadhwani Center for AI and Advanced Technologies at the 
Center for Strategic and International Studies (CSIS).
    Before leading the Wadhwani Center, Mr. Allen was the 
Director of Strategy and Policy at the Department of Defense's 
(DOD) Joint Artificial Intelligence Center (JAIC). In this 
role, he helped develop the Defense Department's AI 
implementation policy, as well as its standards for AI 
governance and ethics.
    Welcome, Mr. Allen. You were recognized for your opening 
statement.

TESTIMONY OF GREGORY C. ALLEN,\1\ DIRECTOR, WADHWANI CENTER FOR 
                  AI AND ADVANCED TECHNOLOGIES

    Mr. Allen. Chair Hassan, Ranking Member Romney, and 
distinguished Members of the Subcommittee, thank you for the 
opportunity to testify today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Allen appears in the Appendix on 
page 34.
---------------------------------------------------------------------------
    The Center for Strategic and International Studies does not 
take policy positions, so the views represented in my testimony 
are my own and should not be taken as those representing that 
of CSIS or the Department of Defense, where I used to work.
    For my testimony today, I hope to offer a perspective 
regarding the national security threats of artificial 
intelligence and other emerging technologies, as informed by my 
experience serving in government, as well as my research work.
    To begin, let me say that there is a broad technological 
trend across many fields where the cost and complexity of many 
technological capabilities and activities have come down 
significantly. In many cases, it takes less money and fewer 
highly trained experts staff to perform the same activity.
    As a result, certain types of activities that used to be 
only within the reach of large government or military 
organizations can now be performed by individual corporations 
or even individual people. In general, the falling cost and 
complexity of technologies and the activities that they enable 
is good news for the global economy and society.
    This trend should be celebrated. However, it also poses 
genuine challenges for U.S. national security in areas where 
high cost and complexity have historically presented a barrier 
to malicious and dangerous activities. It is good that, for 
example, developing nuclear weapons is expensive and 
complicated.
    The United States would be significantly less safe if 
building a functional nuclear weapon was cheap and simple. 
While nuclear weapons remain expensive and complicated, there 
are a number of areas where the cost and complexity of 
developing, acquiring, and employing national security relevant 
technologies is declining.
    In some important areas, this includes placing dangerous 
capabilities within the reach of non-state actors that will 
seek to use those capabilities to threaten the United States, 
as well as state actors who seek to do the same. I will focus 
on three of these capabilities today.
    The first is the reduced cost and complexity of weaponizing 
autonomous drones. The vast majority of non-state actors and 
terrorist groups throughout history have not had access to 
military air power for either airborne reconnaissance or for 
long range precision strikes.
    These historically have been too expensive and complicated 
for insurgent groups to maintain. The rise of commercial drone 
aircraft has changed the story significantly. During the Battle 
of Mosul in 2016, the Islamic State flew more than 300 drone 
missions in a single month, with roughly 100 of those used to 
deliver explosives.
    The U.S. Air Force (USAF) described this as the first time 
that U.S. ground forces have come under attack from enemy 
aircraft since the Korean War. The typical cost of these drones 
was $650. By comparison, the United States develops military 
missiles for millions of dollars per shot in some cases. While 
our missiles are superior to these drones, the drones are 
vastly more easily accessible and also much cheaper.
    The second area I want to discuss is the reduced cost and 
complexity of developing biological pathogens. Biotechnology 
and bioweapons development historically was expensive.
    The American bioweapons program during World War II 
employed roughly 4,000 people, of whom more than 500 were 
highly trained scientific experts. The multi-year budget was 
$40 million, which was about 1/20th the size of the Manhattan 
Project. This was a very big effort, and this was assessed at 
the time to be the minimum viable program size for a bioweapons 
program.
    Decades later, in the 1990s, the Aum Shinrikyo terrorist 
organization in Japan attempted multiple times to develop and 
deploy biological weapons using anthrax and other pathogens. 
Thankfully, they failed.
    However, the group successfully executed many steps of 
developing and delivering bioweapons, despite having only a 
handful of scientifically trained expert staff and a much 
smaller research and development (R&D) budget than any nation-
state.
    Of special note, these were folks with formal scientific 
training and formal affiliations with prestigious scientific 
research institutions who were engaged in terrorist activities. 
Today, the development of advanced genetic engineering 
technologies such as clustered regularly interspaced short 
palindromic repeats (CRISPR) has radically reduced the cost and 
complexity of gene editing to the point where even amateurs can 
modify the genes of viruses.
    Some research organizations have previously published 
genetic information related to highly lethal but not highly 
contagious pathogens such as bird flu, and terrorist 
organizations following in the footsteps of Aum Shinrikyo may 
be able to create genetically modified pathogens that are both 
highly contagious and highly lethal.
    The final area I want to talk about is the reduced cost and 
complexity of creating high quality, forged media. One of the 
most remarkable capabilities of AI technology is its ability to 
create compelling synthetic digital media.
    The sort of text, photos, videos, and audio files that 
would have in decades past cost Hollywood hundreds of millions 
of dollars to develop can today be developed by amateurs 
working with a single smartphone or a single laptop computer.
    During my time at the Department of Defense, my 
organization collaborated with Defense Advanced Research 
Projects Agency (DARPA) on technical means to detect these 
deepfakes or other AI enabled forgeries, but the quality and 
cost of producing these is radically exceeding our ability to 
detect them and our ability to intervene.
    This is a legitimate threat to the U.S. information 
ecosystem and U.S. national security, and I look forward to 
discussing these issues with you today. Thank you.
    Senator Hassan. Thank you very much, Mr. Allen. Our next 
witness is Dr. Jeff Alstott. Dr. Alstott is a Senior 
Information Scientist at the RAND Corporation, as well as an 
expert for the National Science Foundation (NSF).
    He has previously served in multiple national security 
roles in the Federal Government, including as Assistant 
Director for Technology Competition and Risks at the Office of 
Science and Technology Policy.
    He also served as the Director for Technology and National 
Security at the National Security Council. Welcome, Dr. 
Alstott. You are recognized for your opening Statement.

    TESTIMONY OF JEFF ALSTOTT, PH.D.,\1\ SENIOR INFORMATION 
                  SCIENTIST, RAND CORPORATION

    Dr. Alstott. Chair Hassan, Ranking Member Romney, and 
Members of the Subcommittee, good afternoon and thank you for 
the opportunity to testify. Progress in AI has advanced rapidly 
in recent years, leading to expanded debate among experts about 
its potential risks.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Alstott appears in the Appendix 
on page 44.
---------------------------------------------------------------------------
    Although AI has the potential to transform entire 
industries, it could also pose novel threats to national 
defense and homeland security. AI developers are racing to 
build increasingly advanced systems, and the drivers of AI 
progress, including algorithms, hardware, workforce, and 
investment, continue to advance.
    Despite this rapid progress, the sciences of interpreting 
and explaining AI behavior, assessing powerful AI for dangerous 
capabilities, and designing appropriate guardrails to mitigate 
harms are all efforts that are still in their infancy. Existing 
safeguards are still imperfect, and AI released by leading U.S. 
companies today can and do still exhibit unsafe and 
unanticipated behaviors long after they are trained and 
released. Unless society puts in effective guardrails, broadly 
capable AI systems could hasten the design and proliferation of 
bioweapons, cyber weapons, nuclear weapons, progressively more 
general intelligence, and other threats not yet conceived.
    If such systems proliferate, it will be very difficult to 
put the genie back in the bottle, potentially causing 
irreversible damage. One particular area of concern is the 
relationship of advanced AI development with biosecurity.
    Existing AI is already capable of assisting non-state 
actors with biological attacks that would cause pandemics, 
including the conception, design, and implementation of such 
attacks. Without safeguards, the development of ever more 
advanced AI systems will bring ever greater reductions to the 
barriers to launch such attacks, until we are at the point in 
which a lone actor can cause a pandemic killing millions.
    This change is occurring at the same time as gene synthesis 
machines are decreasing in cost and proliferating more widely, 
increasing the number of actors who have the necessary access 
and ability to create and release new diseases. Effective 
oversight of increasingly powerful AI and its potential threats 
will require visibility into the full AI development lifecycle.
    This lifecycle begins with large concentrations of AI 
hardware, with thousands of advanced chips performing a 
training run costing millions or soon billions of dollars. Once 
the AI is fully trained, it is made available to the public 
through a controlled Internet interface or by being published 
online in its entirety, at which point proliferation 
essentially cannot be stopped.
    Oversight of each of these stages, AI hardware, training, 
and release will be necessary to ensure our national security. 
These efforts will not come at the cost of U.S. innovation but 
will bolster U.S. competitiveness by ensuring the reliability 
of leading U.S. products and establishing the United States as 
the responsible market leader. In addition, domestic oversight, 
although essential, will not be sufficient alone.
    We must cooperate with our allies and partners, and 
communicate responsibly with our competitors and adversaries, 
to ensure the safe development of these technologies at the 
global level. I will highlight six actions that the Federal 
Government could take to mitigate these threats.
    First, require that large computing clusters that could be 
used to train powerful AIs, for example, high performance 
computers with over 10,000 advanced AI chips, be reported to 
the government, have adequate cybersecurity, and have know-
your-customer processes for anyone doing a very large 
computation on them.
    Two, require those making powerful AIs to maintain 
responsible security procedures during and after the training 
process to prevent U.S. made models from being stolen or 
leaked. The threshold for this requirement could be frontier 
models trained to be several times larger than any AI system 
made today and should cover both those handling the code and 
those handling the hardware.
    Three, ensure that these frontier AI development efforts 
also undergo an independent assessment to determine whether the 
AI or its proliferation would be a threat to national security, 
similar to how rocket launches are reviewed by the Federal 
Aviation Administration (FAA). This should include risk 
assessments prior to model training, at regular intervals 
throughout the training run, and just prior to model 
deployment.
    AI that is determined to be insufficiently safe could be 
held from further development and release until safety and 
security issues are adequately resolved. Conducting evaluations 
in each major stage of the AI development process would help 
companies detect safety problems early on, when issues are less 
costly to fix, reducing security risks, while saving companies 
time and money.
    Four, create a safe harbor information sharing environment 
for the private and public sectors to share safety and security 
problems from their AIs as they identify them and then create 
solutions together.
    Five, establish know your customer requirements for the 
providers of gene synthesis services and gene synthesis 
devices.
    Six, require that genetic material synthesized over at 
threshold length be screened for pathogenic potential. This 
should include supporting the development and adoption of a 
universal gene synthesis screening mechanism, which would 
decrease costs for U.S. companies and maintain U.S. 
competitiveness in the global bioeconomy. I thank the 
Subcommittee for the opportunity to testify. I look forward to 
answering your questions.
    Senator Hassan. Thank you very much, doctor. Our third 
witness is Dr. Dewey Murdick. Dr. Murdick is the Executive 
Director at Georgetown's Center for Security and Emerging 
Technology.
    Before moving to the Georgetown Center, Dr. Murdick served 
in both the public and private sector, including the Chief 
Analytics Officer and Deputy Chief Scientist of the Department 
of Homeland Security (DHS). He also stood up in office at the 
Intelligence Advanced Research Projects Activity focused on 
anticipatory intelligence.
    Welcome, Dr. Murdick. You are recognized for your opening 
statement.

TESTIMONY OF DEWEY MURDICK, PH.D.\1\ EXECUTIVE DIRECTOR, CENTER 
              FOR SECURITY AND EMERGING TECHNOLOGY

    Dr. Murdick. Chair Hassan, Ranking Member Romney, and 
honorable Senators, thank you so much for the opportunity to 
chat. As you are keenly aware, the attention of elected 
officials and public servants is a precious commodity, and 
advanced technology threats are calling now.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Murdick appears in the Appendix 
on page 49.
---------------------------------------------------------------------------
    As such, I would like to make three suggestions. First, 
prioritize your attention and consider key criteria when 
evaluating threats. Focus on actionable steps that lay 
foundations for the most pressing concerns. Three, enable an 
adaptive approach to policymaking so we can simultaneously act 
and learn.
    Expanding on point one, prioritizing your attention 
requires knowledge of potential threat actors, a clear way to 
estimate threat severity, and an ability to estimate how much 
time we have to plan.
    For many Homeland Security missions, AI is changing the 
threat landscape now because it could lower the barriers of 
entry for novice criminals to do harm, like set fires, or steal 
cars, or whatever.
    It can magnify the effectiveness of disinformation and 
targeted phishing attacks by nation-states, or human 
traffickers who can use new tactics to exploit victims and 
their families. It can also help advanced criminals evade law 
enforcement alerts, such as with sophisticated methods to avoid 
detection in meth making ingredients' acquisition at scale.
    Other technologies are harder to plan for because we are 
still trying to figure them out. Consider the prospect of super 
intelligent AI systems that theoretically operate across both 
digital and physical worlds with some kind of agency.
    They do not currently exist, and we do not really know how 
to build them. However, we still need rigorous research and 
monitoring systems to flag when the critical developments might 
change our threat mitigation planning.
    Likewise, we anticipate quantum computers may someday break 
advanced encryption algorithms. Despite uncertainties about 
when and if this will all play out, we need to prepare for this 
threat and update how we protect our nation's secrets today.
    Some advancements may not be as transformative as we 
thought. For example, some have expressed concerns, and we just 
heard a very well laid out concern about the chat bots and 
other kinds of tools lowering the information hurdles for 
creating dangerous biological agents and pathogens. However, 
the information barrier is already extremely low and other 
interventions are probably actually, of higher relative 
priority.
    For example, you heard the screening of Deoxyribonucleic 
acid (DNA) sequences and improving our country's management of 
large amounts of genomic data. Furthermore, in this 
prioritization thinking, if an advanced technology threat is 
not prioritized today, we need to be systematically monitored 
so we do not forget about it, and we can track it.
    Point two, a strong foundation for addressing the most 
pressing threats requires all our talent, every types of it, no 
matter their backgrounds, no matter in technical, non-
technical, and we need to adapt to changes in the domestic and 
international workforce landscape.
    We need to assess existing tech relevant authorities that 
we have within the government and adapt them to leverage our 
national strengths. There are advocates who speak of today's 
threats, observed threats, and then there are those who are 
concerned about anticipated existential risks. I think we need 
to find a common ground between these two communities.
    How we address immediate threats shapes how we respond to 
long term concerns. We are still learning and need to adapt our 
plans as new information arrives. Gathering new information 
from--and potentially creating new bodies is something that we 
need to think about, specifically for specific gaps.
    For AI, we need to actively gather information on AI harms 
through voluntary and mandatory incident reporting. We need to 
also enhance the quality and security of our resources. We also 
need potentially new oversight organizations which can oversee 
where gaps are in existing sector specific agencies, see where 
they are being applied, and be the first to deal with problems.
    In conclusion, my last point, our approach must be agile, 
adaptive, and ever vigilant to global shifts. Our policies and 
our organizations need flexibility to gain these new insights. 
It is not just about immediate action, but a continuous cycle 
of small, informed steps backed by robust analytics that help 
us learn from new advancements and respond to what is working 
best. This is more than just tactical advice.
    It is a call to significantly bolster analytic capabilities 
in the United States with better data and more effective 
monitoring system, we can make timely and informed decisions. 
This is not just policy. It is a playbook for navigating the 
current and future tech age. Thank you.
    Senator Hassan. Thank you very much, all three, for such 
thoughtful testimony. I am going to start with a round of 
questions and then go to Senator Romney. We may have other 
Members in and out. There is a lot of activity in the Senate 
this afternoon, so we will see if others join us for 
questioning.
    I am going to start with a question to you, Dr. Alstott. At 
last week's AI forum here in the Senate, an AI researcher told 
Senators that his team was able to get Meta's AI system to 
provide instructions for how to develop a biological weapon. 
According to the researcher, all it took was $800 and a few 
hours of work.
    This is an example of a jailbreak which bad actors such as 
terrorists can use to evade the safeguards in AI systems. Is 
there risk of bad actors using AI to develop modified 
biological or chemical weapons? How can we mitigate any public 
safety risks from these kinds of jailbreaks?
    Dr. Alstott. Yes, there is a risk. We are in the process of 
identifying what the size of that risk is today. We know that 
the risk will increase over time. At RAND, we are running an 
experiment, along with colleagues, of really doing the bake off 
between teams that do and do not have today's AIs to see how 
quickly they can design a biological weapon. That experiment is 
not done. Can't comment on the intermediate results.
    However, we know that as the technology continues to 
change, that the information barriers will continue to come 
down. Those have been the last barriers when it comes to 
biological weapons. Unlike, say, nuclear weapons, where once 
you know how to make a bomb, you still have to go get the 
fissile material, all of our cells are the factories for a 
pandemic.
    The fundamental physics of making an attack for a pandemic, 
as opposed to, say, anthrax or another form of bioweapon, is 
really not in our favor. Protecting that sort of exquisite 
technical information that would enable a non-state actor to 
make such attacks is really critical for national security.
    Senator Hassan. Are there steps we can take to mitigate?
    Dr. Alstott. The first step, as Dr. Murdick described, is 
to have vigilance of what exactly are the threats that are 
coming in and characterize them at a technical level to be able 
to identify if a certain model, certain AI really would 
accelerate people. Then there would be the sort of all of 
society saying, that is not a tool that we want to have in our 
society's toolkit.
    I spoke during my testimony about different mechanisms that 
government could employ to say, all right, these are the models 
that we are going to check to see whether or not there is a 
problem, and then if there is a problem, we can give a green 
light or a red light to saying whether or not that should go 
out.
    Senator Hassan. Thank you. Another question for you, Dr. 
Alstott. The public safety risk from these so-called jailbreaks 
also extends to the fentanyl crisis. This Committee has worked 
on ways to combat the opioid epidemic and stay in front of the 
changing tactics of transnational criminal organizations (TCOs) 
who fuel the crisis.
    As illegal fentanyl creation and distribution has soared, 
the development of new fentanyl analogs has posed unique 
challenges for law enforcement, not only in the testing for 
fentanyl, but also in enforcing existing laws that have 
struggled to keep up with the rapid creation and evolution of 
fentanyl analogs.
    Can you comment on the risk posed by bad actors who could 
use AI to develop drug analogs that could potentially skirt 
existing laws and interdiction efforts?
    Dr. Alstott. That is an area where I myself only have 
adjacent knowledge. I can tell you that the overall notion of 
using machine learning models, be that today's large language 
models or other things that are more specialized for chemistry, 
would indeed be tools that anyone would want to have in their 
pocket for developing those analogs.
    Senator Hassan. OK. Something we will have to figure out 
how to develop a response to. Dr. Murdick, I want to take a 
moment to consider some of the very serious risks posed by 
artificial intelligence. As we heard earlier, AI can be 
susceptible to jailbreaks that disable guardrails and create 
enormous potential for dangerous outcomes.
    Similar catastrophic risks could come from powerful AI 
systems that might behave in unintended ways, such as future AI 
systems that manage critical infrastructure. To comprehensively 
address these kinds of risks in the long run, we have to strive 
to make AI fundamentally safe, meaning it cannot easily be 
abused by criminals and cannot easily behave in unexpected ways 
that harm the public.
    Instead of relying on AI systems to make values based 
decisions from training models or data sets, we need to ensure 
that AI systems can only be run on hardware that has intrinsic 
protections to prevent AI from acting in a harmful or malicious 
manner.
    This requires significant research and developing 
safeguards for systems that can ensure that AI will not be used 
to harm individuals or communities. Dr. Murdick, is research 
and development into technology that makes AI fundamentally 
safe an area that would benefit from sustained and focused 
Federal investment?
    Dr. Murdick. Yes. All the components that are part of safe 
AI, everything from responsible or traceable systems, robust 
systems, there is a lot of wonderful, very meaningful words 
that are associated with this whole community. It is a fairly 
new community.
    There is not a lot of cohesion yet, and the terminology is 
still in flux in some ways. Now, I am less concerned about that 
terminology than the actual impact that you are trying to lay 
out. But it is a sign that it is still a fairly new community 
that needs a lot of attention to figure out how to buildup 
these capabilities.
    Some of the specifics that you mentioned about being able 
to put controls in hardware to be able to stop it from running 
if it is running something troublesome, to my knowledge, today 
there is no clear direction of how that could even be 
implemented.
    That is not to say it is impossible, but a lot of the 
questions need some pretty fundamental research to open that 
up, and they are basic research questions that need to be 
explored. I think the point about baking in our values AI 
systems, most of the AI systems that I foresee coming in the 
next period of time--it is really hard to forecast the future, 
so just take that with a grain of salt--are ones that are 
human, machine teaming based.
    The AI system should not have agency at a level that we see 
in movies, right. It is going to have the capability to respond 
very helpfully and very usefully to human prompts.
    I think at this next phase, there is a lot of AI safety 
work that is baked into that human-machine teaming process, and 
there are a lot of opportunities to explore and implement 
licensing. For example, I drive a car. I am licensed to drive a 
car, and I know, I have general qualifications.
    You could imagine for someone having access to a certain 
type of model, then likewise having a license of some form 
where they have learned how to work with that system. They know 
when to believe it, when not to believe it, and how to work it 
effectively.
    That kind of human-machine team, that is within present day 
regulatory capabilities. We know how to do those kind of 
things. Those are examples of things that could happen now. 
Then there is long term research.
    Senator Hassan. Thank you very much. I am going to turn now 
to Senator Romney for his questions.
    Senator Romney. If the objective of this hearing was to 
calm our nerves and give us more confidence that everything is 
fine, it has not done that. It has underscored the fright that 
exists in my soul that this is a very dangerous development.
    I realize, it is not like overnight we clicked on a switch 
and now we have AI, and we have machine learning, and before we 
did not. We have been having machine learning, but it has now 
reached a level with generative AI that is in many respects 
quite different than what we have known in the past.
    Each of you have suggested some of the ways we might be 
able to safeguard against the worst kind of outcomes in the 
respective areas that have been described. The challenge that 
comes to mind is, one, as I listen to your recommendations, I 
understand about half. Maybe that is an overstatement.
    But in terms of, you describe the various stages, we need 
to put safeguards here, safeguards there. I am not sure I 
understand what the stages are. I do not know what is involved 
in them. The likelihood that Senators are going to be able to 
figure that out and draft a bill that focuses on this area, it 
just strikes me as being not reasonable. It is just not going 
to happen.
    Not in the House, not in the Senate. I look for your 
counsel or your thinking on how do we get from where we are, 
which is no safeguards at all, to the safeguards you would 
recommend, or others.
    I can tell you that were I the Chief Executive Officer 
(CEO) of the country or the Chief Executive Officer of a 
corporation, let us say I was a CEO of a major corporation, and 
I had two or three areas, let us say the head of a bank, two or 
three areas I am really concerned about, quantum computing 
being able to break into our systems to move money around and 
so forth. What I would do is I would first decide who I want to 
put in charge.
    There is going to be someone in charge of our effort to 
combat these threats, all of the threats. It might be an 
agency. It might be a department. But I am going to put someone 
in charge.
    Then, I am going to say to them, you are going to need to 
hire the expertise in each one of those threats or 
opportunities, and either hire someone to oversee each of 
those--and then, they may need to hire outside people who have 
expertise there or multiple outside people, or perhaps hire 
their own staff, but we are going to have to take this apart 
piece by piece and solve it piece by piece.
    Am I wrong in that assessment? If I am right, where should 
this be--who should be responsible? Dr. Murdick, was in 
Homeland Security. Should we task this with Homeland Security. 
They have so much on their plate right now. It is like, oh, 
gosh, here is one more thing, Secretary Mayorkas, that we can 
criticize you for.
    Do we set up a new agency, a new department? I do not know 
if you know where this all resides right now, but what is the 
process? How do we get from where we are, to actually putting 
in place these safeguards? That is the question.
    How much time do we have to do it? With that, maybe in the 
order of those who offered testimony, you might just go down 
the row and give any thoughts you have about how we do what you 
recommended.
    Mr. Allen. Senator, thank you for expressing your concerns. 
I am sorry that our solutions were not adequately---- 
[Laughter.]
    Senator Romney. It was not your job, that is all right.
    Mr. Allen. But if I could offer one potential source of 
optimism, think about the difference in safety from a fire 
safety perspective of a candle and an electric light bulb. I 
think everyone in this room would say if this place burned 
down, it would be much more likely to have happened from a 
candle than from an electric light bulb.
    But that was not such an obvious distinction when 
electricity was first invented. When electricity was first 
invented, it was a safety disaster. It was the constant source 
of fires. It was the constant source of the electrocution 
deaths of electrical workers.
    Electricity is not inherently safe. The companies and the 
government agencies of this country made it safe through 
deliberate effort over time. AI right now is not inherently 
safe, but it is also not inherently dangerous. It will depend 
upon the work that we do in the coming years. There is a lot of 
incredibly important work to be done.
    Now, one problem that you identified, which is the capacity 
of the government, you pointed out the capacity in the Senate 
to understand these issues. Jeff and I just got out of 
government not that long ago, and there was a dramatic shortage 
of AI talent on these issues. There is a significant shortage 
of biosecurity talent.
    That is not to mean that there are not smart, hardworking 
people on these issues. But if you were asking me to design the 
program to address these problems and compare it against the 
current skill sets and numbers of individuals serving in 
government, we just do not have enough.
    We must think of a program that would actually result in 
the outcomes that we want. For example, my own prior 
organization, the Joint Artificial Intelligence Center, was 
given the authority to have 100 civil servant or military 
personnel staff. But the result there was that military 
personnel were assigned to our organization.
    They may or may not have had prior understanding or 
expertise in AI, and there was not an existing program that 
they could be sent to, to sort of give them a crash course on 
AI. These are all structures that are going to have to be 
created to increase the bureaucratic capacity of the U.S. 
Government, and that is some of the most important work that 
can be done.
    In terms of what can be done from a regulatory perspective, 
I would argue that we should think about the levers in the 
system where there might be a high return on investment. We 
want to make it hard for accidents to happen if they are 
catastrophic. We want to make it hard for malicious activity to 
happen.
    But we do not want to ban all of these good activities as 
well. For example, biosecurity as an example, the mechanism of 
the problem that your question was about, Senator Hassan, was, 
why is it a challenge? Why does AI make it easier to make 
bioweapons?
    Part of it is the nature of existing regulations. The 
current biosecurity system is primarily a list based system. If 
you want to get access to anthrax pathogen, that is on a list. 
It is regulated because it is on a list. The challenge with AI 
systems is that they could assist in the development of novel 
pathogens that are not on a list anywhere.
    We must think OK, if DNA synthesis companies are going to 
need the ability to detect that something is a pathogen, even 
if it has never been created anywhere before and never been 
tested for pathogenic properties, how are we going to ensure 
that those companies have that capability?
    That is some of the most promising research that the 
government could invest in. How do we identify the risk of 
malicious use for things that are not currently on a list 
somewhere?
    Dr. Alstott. Senator Young, my fellow Hoosier, said 
recently that his analysis was that for the vast majority of 
issues that AI touches, there is already some part of 
government that has authority and responsibility to deal with 
it, and I agree with this. Self-driving cars, Department of 
Transportation (DOT). AI in medical context, Department of 
Health and Human Services (HHS).
    Most of AI can in principle be handled by the current setup 
of government, with a few exceptions. One is that if someone is 
making or deploying an AI that is predictably going to get 
millions of people killed, there is no part of government that 
has clear authorities and responsibility for addressing that, 
and so that needs to be created.
    There are several places that it would be logical to create 
it. An independent agency is one. DHS, which this Committee 
works with, is another. There is also the Department of 
Commerce, particularly the Bureau of Industry and Security 
(BIS). There is also Department of Energy (DOE), which has a 
lot of existing relevant authorities that could synergize 
there.
    Wherever it is that the Congress chooses to put it, it 
needs to have the authorities to be able to say, this is a 
problem, and we are not going to let that AI go out and needs 
to have the responsibility to understand this at a technical 
level.
    Thankfully, no part of government has to work alone. First, 
they have all the rest of government to work with, but also all 
of American society. Any part of government that has this 
responsibility should be trying to solve the talent problem by 
making friends.
    Whether they are working in government or working in 
industry, there are multiple mechanisms to reach technical 
experts.
    Senator Romney. Thank you.
    Dr. Murdick. Great. I think there is a few things. The 
threats are overwhelming. If you focus on what could kill you, 
I do think it is a little paralyzing, but I do think there is a 
very clear set of actions that are necessary, that have been 
used before, and the first up is information gathering.
    Mandatory and voluntary incident reporting is an incredibly 
useful way, both within specific sectors and across, to be able 
to get evidence of what is breaking. It is unfortunate, but 
sometimes you need a little bit more oomph to actually get 
action and having evidence of harm is really helpful in being 
able to do that.
    I think information gathering is extremely important. Two, 
to strengthen that information gathering, we need to strengthen 
our auditing community. That could be at the Government 
Accountability Office (GAO), that could be private sector, that 
could be any civil society organization that has a concern. But 
strengthening, raising the bar of that auditing community, 
developing those skills--there is a bit of investment that 
could go there.
    There is a bit more standard, I know, community 
development. There is a lot of things that could go in that 
space. Third, as Jeff was just mentioning, and we heard other 
times, there is a lot of agencies that have authorities that 
are very germane to the question at hand, the Federal Trade 
Commission (FTC), FAA, and the alphabet soup that I will not 
repeat, but these are really important roles.
    I think there is some tweaking. I think we first need to do 
a catalog of what authorities they have that are relevant to AI 
and figure out if they are adequate. Do they need small 
adjustments? If so, let us figure out how to do that to empower 
them.
    We have biological conventions and other things, if there 
is actually a harm that is being engineered, we have agreements 
across nations to be able to track some of these things. I am 
not saying they are perfect, but we have those. We might want 
to look at them and see if there is some updates.
    I think there will be across nations to strengthen some of 
those ideas. I have talked about info gathering, auditing, and 
some who of existing agencies. I do think if you start 
considering future organizations, my thing has been new 
organizations.
    Starting up at Intelligence Advanced Research Projects 
Activity (IARPA) and in the private sector, and watching DHS 
startup, there is lessons learned there. If you drop a ton of 
cash on a new organization, it is really easy to make mistakes. 
But just giving them a little bit, and then forgetting about 
them, and never increasing their budget is another problem.
    I do not actually know how to do that, but I think it has 
to be some kind of mechanism where you stage funding and you 
expand it with some kind of very clear waypoints and you do not 
just dump in because it stresses out government officials to 
execute that money and do it all right, and their oversight is 
super high when you have $1 billion in your pocket as opposed 
to a smaller amount.
    Anyway, this is not my expertise. I think you need a very 
carefully stage that growth because as we learned--lastly, and 
I mentioned this over and over in my opening comments, I will 
not belabor it now, but we do learn. We need a set of agile 
systems to be able to pick up information and learn how to 
address and how to collect information from industry.
    We do not know really how to do that. What questions should 
we ask to understand the level of threat? How do we update that 
thinking? How do we continue that integration? How do we avoid 
regulatory capture by that process of becoming too close to 
industry? These are things we do not know, but if we set it up 
to pick that up and gradually grow and learn, I think it is 
really important.
    The last thing, you asked about how much time do we have? I 
think in some cases we have no time. Information gathering on 
harms that are happening--every day we delay is less 
information we have. There is things like Skynet in its super 
empowered system of working across physical and digital worlds, 
I think we got some time there.
    But, I am not trying to minimize that threat, but we need 
to start taking these very clear steps long before that. To 
avoid getting overwhelmed, I think we need to think of it as a 
very staged process. Hopefully that is helpful.
    Senator Hassan. Thank you. That is a great overview, I 
think. What I think I will do now, I want to follow up with one 
or two questions and then turn to Senator Lankford, and we will 
again go back and forth.
    As Senator Romney was asking kind of this overall, how do 
we begin to think about this from our perspective, which is how 
do we establish the capacity, and then what kind of authorities 
do we need, I want to try to focus in some of my questions on 
particular risks, because I think one of the jobs of all of us 
moving forward is going to be to figure out how to prioritize 
what we work on first.
    Let me start, Mr. Allen, another question to you. In 
Russia's war on Ukraine, we have seen unmanned aerial systems 
(UAS) shape the battlefield and allow small military units or 
even individual soldiers to conduct aerial warfare.
    As the war has progressed, tutorials for utilizing civilian 
drones for military purposes have spread widely, and nearly 
anyone can now find directions for dropping explosives from a 
drone with just a quick online search.
    Additionally, more advanced drones have clear potential for 
dangerous use, such as an agricultural sprayer drone that could 
deliver a biochemical agent with virtually no additional 
modifications.
    Unmanned aerial systems are widely available in the United 
States and available to purchase at a relatively low price 
point. Mr. Allen, do you think that the Federal Government is 
investing enough in the technology needed to prepare for drone 
based threats to the United States?
    Mr. Allen. Thank you for raising this question. It is an 
area that I spent a lot of time thinking about when I was in 
the Department of Defense. I will say that good work on this 
issue is being done in both the Department of Defense and the 
Department of Homeland Security.
    But I would say the war in Ukraine sort of raises a new 
risk factor in this story. Namely that countermeasures for 
drone based warfare and especially cheap commercial based 
drones is in the stocks of the U.S. Army. It is in the stocks 
of the Department of Homeland Security.
    But many of these countermeasures specifically target the 
communications link between the remote operator and the drone 
itself. As this has become widespread practice in the war in 
Ukraine, both sides in that conflict are increasingly resorting 
to more autonomous systems that do not have a communications 
link between the operator and the aircraft itself.
    What this means is that many of the defenses that the 
United States and DHS in particular have been amassing will not 
work in specifically interrupting these types of threats.
    This is sort of a gap in our defensive capabilities, 
specifically within DHS. While we have good measures in place 
for the remotely operated aircraft, I would say we need to do 
significantly more with related to autonomous systems.
    Senator Hassan. Thank you. I am going to ask one more 
question, this one to Dr. Murdick, because I would like to turn 
now to a discussion of threats that may be posed by a different 
technology, which is quantum technology.
    Quantum and its impacts are further down the road than some 
of the other technologies we have discussed today. However, the 
applications of quantum technology in the hands of our 
adversaries could pose a significant threat to national and 
homeland security.
    Much of the public discussion around quantum technology is 
centered on the need to protect sensitive and private 
information from quantum computers capable of breaking our 
current encryption standards.
    While Congress has begun to address this issue, there are 
still other threats from quantum technology that have received 
less public attention. For example, quantum sensors could be 
extremely effective at detecting even the smallest changes in 
the environment, rendering some stealth aircraft obsolete.
    Dr. Murdick, what can Congress do now to ensure that the 
Federal Government is planning for the risks posed by 
developments in quantum technology, especially quantum 
technologies that have gotten less attention, such as quantum 
sensors?
    Dr. Murdick. Great. To first talk about quantum computing, 
I know that is kind of--but I do think that there is a very 
clear path. We do not know exactly when quantum computers will 
become a reality, but there is a very clear path for the post 
quantum cryptography approach.
    I think this is extremely high priority. Yes, it might be 
20 years before it is all in place, but it is going to take us 
a number of years to get these kind of quantum resistant 
algorithms in place.
    I wanted to say that because it is really important. 
Quantum sensors that detect gravitational field variance and 
other kinds of things are super interesting research. Even in 
quantum computing, there are some really near term capabilities 
that are hybrids between quantum and classical computers that 
are super interesting.
    Now, they are mostly research toys right now, and I think 
even some of the quantum sensors, the noise that is part of our 
life overwhelms most quantum things. A lot of research.
    I still am in the camp that there is a lot of research to 
be done here. The thing that is helpful, though, is looking at 
that research from a threat perspective. Researchers typically 
do not do that. They are trying, it depends on the grant 
language. Usually it is opportunity based.
    I think employing the type of individuals who are actually 
tearing apart the technology, maybe not as the primary 
researcher but analytically, and developing the way points of 
like this stage of development would mean that this capability 
is now possible, by establishing those maps and those roadmaps, 
you get a lot of insights.
    Some of them, if possible, making them open is really 
helpful because it provides for a much more collective hive 
mind kind of criticism and optimism thinking. Sometimes people 
get really obsessed with threats and that is all they can see. 
They do not actually see some of the other benefits.
    I would suggest if there is opportunities to do more 
analysis and developing monitoring systems for watching these 
types of technologies, I think that is where we are at right 
now due to some of the fundamental technical challenges.
    Senator Hassan. Thank you very much. Senator Lankford, if 
you are ready with questions, I will turn it over to you.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. I am. Thank you. Thanks for holding the 
hearing. Obviously, we have a lot we have to learn because we 
have to figure out how to not limit this technology but to 
manage its use. My question, I have asked just about everybody, 
I want to start with you all.
    Define the phrase responsible AI for me, because everyone 
seems to throw around, we want to make sure we have a 
responsible AI. But this is not a trick question. I am really 
trying to figure out how is that defined--what does that mean, 
responsible AI? How do we start to define that?
    Because we cannot just throw that around. We have to 
actually get a definition for what that means. If anybody wants 
to jump in. Again, not trying to have a trick question. We just 
have to be able to narrow that list. Ready, set, go.
    Dr. Alstott. All right, I will take the bait. The issue 
with the phrase responsible AI, trustworthy AI, etcetera, is 
that it is like saying responsible cars, or responsible rocket 
ships, or so on. You have to get more technically precise about 
what are the harms or benefits that you care about and how do 
you tradeoff between them.
    In our testimonies today, we talked about various fairly 
specific threats that can come from AI in particular. I use the 
analogy of the FAA approving rocket launches and I think that 
this is particularly relevant. We do not have responsible 
rocket launches as a thing within physics.
    We have the idea that we do not want the rocket to fall on 
people's houses, so we will only approve launches that point 
away from people's houses.
    Senator Lankford. Right.
    We do not want F-35s landing on their house either, but 
that is a whole different issue for the day.
    Dr. Alstott. Exactly. Similarly, you can have these 
principles for AI. You can say that we are going to prioritize 
the largest national security and public safety threats, and 
that these are the sort of logical equivalents of point the AI 
away from people's houses before you launch it, please. This is 
an example of the kind of technical detail that you----
    Senator Lankford. I get it. But we have to put something in 
statutory language at some point to be able to say this is off 
limits, this is limits. Then to also say there is much of AI 
that we do not know what that is.
    Quite frankly, for me, it is setting the value set to say 
yes, no, this is a value set, and then go build on it rather 
than putting a fence around it to say you cannot go beyond 
here, if that makes sense.
    Dr. Alstott. Absolutely.
    Senator Lankford. Any ideas, thoughts that you have as you 
gather with other folks to talk about this, we have to be able 
to build on a value set of what is responsible AI, and then 
work from there.
    I am not looking for a final answer today, but I am looking 
to spark a conversation that we have got to have in a larger 
community because that value piece is still not established for 
us. Does that make sense? But I am glad to engage. Let me throw 
a dozen other things at you real quick.
    This whole concept of machine learning, obviously, we have 
had a lot of questions that come out because the government is 
the largest holder of data in many areas. Everyone that is 
involved in AI right now is coming to the government and 
saying, hey, would you give us this section of data?
    We will protect private information, but we need your data, 
otherwise we are harvesting this off the Internet and we want 
to be able to get your data for x. There are lots of issues 
that are unresolved, so, for the Federal Government and for 
national security. Let me give you one of them.
    If we are dealing with, let us say, port security. We 
obviously have done a lot of screening at Transportation 
Security Administration (TSA), a lot of port security. We have 
a lot of vehicles that we have scanned. All those different 
technologies are out there to actually scan vehicles, scan 
people, scan for fentanyl, whatever it may be.
    If we are going to upload that data to any one of these 
private entities, the question then becomes, once we hand data 
over for machine learning--we have handed a lot of data over. 
Who owns that data? Where does that data go?
    How could that data actually be used? Could that then be 
resold for all that data to go somewhere else? If there is a 
problem with it, at the end, that ends up being a national 
security issue.
    Liability issues then start to be able to fall into--you 
see what I am talking about? This gets into the weeds of actual 
practical applications of how AI is used and how the 
interchange is happening right now on national security.
    Thoughts and ideas on that, on that data? When they 
actually come to the Federal Government, we are going to 
protect privacy as well. We constitutionally must and should, 
but how do you manage ownership of privacy, ownership of data, 
and private entities trying to build some of this for national 
security?
    Dr. Murdick. Since Jeff took the last one out, I will start 
here. Greg, feel free to jump in if you want otherwise. A 
connection between those two last questions I think is really 
interesting.
    Responsible AI, one of the most potent counter questions or 
companion questions that goes with is, what are you trying to 
accomplish? That totally changes and clarifies a very nebulous 
question to something very specific, because policy 
implementation actually is what matters.
    This concept of data governance, I think at the very high 
level is all about trust. We have to create structures that 
people trust. Trust in government is fairly low. I do not know 
if it is an all-time low, but it is, I do not know, somewhere 
around 25 percent of the population or something.
    Trust in corporations goes up and down and is generally 
pretty low. Whatever structure we do, we have to protect this 
information. It has a lot of very personal information about 
individuals and handing it over to a corporation.
    For example, there was a DHS system that I used to work 
with that for some reason whoever wrote the contract never 
bothered to include that the government had ownership of the 
data.
    Extracting data actually cost money every time. It was a 
horrible contract. I think we have to write these kind of 
agreements that make sure that that data is the people's data. 
Obviously, we cannot make the people data, public data----
    Senator Lankford. Right.
    Dr. Murdick. But it is data. I think the concept of trust, 
and I am going to--mash two words together.
    If you design a data trust where that trust has, whoever is 
overseeing it has trust like responsibilities, fiduciary 
responsibilities to act in the interest of the people who are 
in that data set or in the American people, I think that kind 
of structure, however you do it, whether it is within the 
government, whether it is outside the government, it needs to 
have that kind of trust baked into it that allows people to 
see, these people, their sole responsibility is to make sure 
that this data is being used and leveraged and stored and moved 
and shared with another company or not shared by the company in 
the interest of the people.
    I think some kind of transparent mechanism, and I am sorry, 
I do not have more detail on that, but if it was some kind of 
transparent mechanism that implements that, and I borrow 
language from the trusts because it is a very easy connection 
to make in my mind, but I think it is a really useful framing.
    Mr. Allen. Regarding your question about data, Senator, I 
could give you multiple examples in which it makes sense for 
the government to closely guard its data and share it with 
almost no one.
    I can give you examples where it makes sense to give it 
away freely. I can give you examples where it makes sense to 
share it with a select group of folks, perhaps contractors 
working on a specific project.
    I would say that the sort of specific advice that the 
government needs to follow with regards to data strategy is 
probably not something that would be a good target for a 
legislative outcome. What I would say is that government 
employees need to have training on sort of what data strategy 
really looks like for a given end use.
    People who are writing acquisition contracts, for example, 
need to understand under what circumstances would it make sense 
for the government to retain the data as a proprietary asset, 
and under what circumstances might they want to release that 
under a license to a contractor, and so on.
    If you go to Silicon Valley and you talk to anybody in the 
corporate strategy departments of these various companies and 
you ask them what is their data strategy, you will find many 
different companies pursuing many different types of data 
strategies, but all with very deliberate thought and reasoning 
for why they are sharing and when they are sharing, and how it 
makes sense to their corporate bottom line.
    My point is that the government bureaucracies need the 
flexibility and the expertise to make those same kind of 
decisions.
    Senator Lankford. This is a body that is not super excited 
about bureaucratic flexibility because that can be used in all 
kinds of different ways. I am going to speak for the other 
folks in the dais for me, but the concept of bureaucratic 
flexibility makes the hair on the back of my neck stand up 
because I can really go sideways in a hurry.
    Let me just give you this thought on this, and I want to 
get out the way because I do not want to occupy all the time. 
When data is released and a corporate entity then owns that 
data and is using that data for whatever it may be for that 
software, then they continue to be able to use that data for 
something else, and then someone else buys into the company, or 
someone else also buys that resource, only they have access to 
that data, and all that has been gained from us, it does not 
take long on a national security level to be able to understand 
we have a risk that gets involved based on if a Chinese 
subsidiary ends up buying into one of these companies or 
getting access to data. I have a great deal of trust for 
picking up my cell phone and making a call.
    But I am also keenly aware that my cell phone provider also 
provides that metadata out on the open market, and that if 
people can track me based on having enough data points to be 
able to personally identify my location. That is not my intent 
with it.
    To go back to determining what we are going to do with data 
based on the intent and what it was actually designed for, 
Facebook was designed for college students to speak to each 
other. That is what it was originally designed for, and that is 
certainly not what its full usage is.
    My concern on any of this, on how we are building systems 
is, how do we build a value set without restricting the 
technology, because the technology is the technology. But how 
do we build a value set? How do we engage in such a way to 
protect national security, national security data, and systems, 
not knowing how a system will eventually be used or where that 
data will go in the days ahead?
    I want our screening to be better at the border. We have a 
lot of data on a lot of vehicles. We can make our screening 
better. But where else does that data go, how does that go, and 
what is the risk that we have to take with that? I appreciate 
your mercy here. Letting me go a couple of minutes over on 
that. I appreciate that very much. Thank you.
    Senator Hassan. Senator Romney, do you have other 
questions?
    Senator Romney. I took up more than my fair share already.
    Senator Hassan. Then I have about three or four more. The 
last one, to give you all a heads up, is really kind of a wrap 
up. What didn't you get to talk about today? Or are there 
things that one of you said or one of us said that you want to 
comment on?
    But let me start with a question about the use of advanced 
technologies by non-state actors. This goes to all three of 
you. Here is a two part question about potential risks posed by 
the proliferation of advanced technologies.
    Because the first computers were complicated and expensive, 
only governments and large companies could use them, and we 
have already talked about that. However, today, hundreds of 
millions of people use their smartphones, tiny, powerful 
computers all across the world, and previously inaccessible 
technologies are becoming available to more and more people.
    This proliferation of technology has empowered terrorists 
and dangerous non-state actors, allowing them to create, for 
instance, cell phone triggers for roadside bombs or use the 
Internet to radicalize lone wolf attackers in faraway places.
    In short, dangerous groups have proved adept at adopting 
new technologies. We have been discussing risks from developing 
and existing advanced technologies, so I would like to start by 
asking, are there technologies that you believe are 
particularly prone to use by dangerous non-state actors that we 
have not discussed yet or we should discuss further?
    Second, does the Federal Government have the resources and 
necessary expertise to successfully counter these threats? I 
will start with you, Mr. Allen.
    Mr. Allen. Thank you. The technology capability that I like 
to dwell upon that we did not spend a great deal of time on in 
today's session relates to deepfakes. This is the use of AI to 
generate synthetic media that is extremely realistic and 
compelling.
    My point here is that the tools for this have really 
brought down the costs of creating high quality things. If you 
look at a deepfake that I could create on my laptop using an 
open source software package, it is superior to Hollywood 
movies that spent hundreds of millions of dollars on their 
computer-generated imagery (CGI) budgets 20 years ago.
    This is coming in really strong. I would say that even 
though the politically motivated deepfake attacks that we have 
seen so far have been clumsy. For example, Russia's release of 
a Deepfake where President Zelensky of Ukraine surrendered and 
stated that all his forces should lay down their arms.
    This was a really low quality deepfake that was clumsily 
executed. But I draw almost no comfort from that fact because 
we should expect malicious actors to grow in sophistication and 
we should expect the tools to grow in sophistication.
    Think about, for example, the 2015 attempted coup in 
Turkey. The specific turning point in that coup was when the 
Turkish President did an interview on live television holding 
up his iPhone to the camera to do a face time interview in 
which he called upon the people of Turkey to go out into the 
streets and protest the military takeover.
    My point is that the right media, deployed at the right 
political moment can have transformative consequences. Because 
Russia is bad at it today, just because China is bad at it 
today, does not mean they will be bad at it 2 years from now, 
and we should expect them to be thinking long and hard about 
how to pull off these types of attacks.
    The intervention that I think could be useful in this 
regard relates to the tools for deepfake creation. Right now, I 
am technically qualified to download a package of software to 
create deepfakes. I am not technically qualified to create that 
package of software.
    If the U.S. Government were, for example, to require that 
the makers of this type of software embed characteristics in 
the media files that allow them under technical analysis to be 
revealed as AI enabled forgeries, this would raise the cost and 
complexity of executing these types of forged media political 
interventions.
    As I said before, our goal is not to make everything 
impossible, but our goal is to make malicious activity more 
difficult and more complicated, while allowing deepfakes for 
Hollywood movies or other types of entertainment applications 
to proceed.
    To give you just one example. Under a camera, you can do 
computer analysis of a video recording of a person that allows 
you to observe that person's pulse, literally the blood 
flushing into their face with every heartbeat. Now, my eyes 
cannot detect that in either, anybody's face over there.
    But a computer analysis of a video can observe this. My 
point is, if we were to prohibit, for example, deepfake video 
from replicating this blood flush phenomenon, then there would 
be something where for an entertainment application, it is 
indistinguishable to the human eye, but under technical 
analysis, it reveals itself as an AI generated forgery.
    I do not claim that this is the perfect example, but my 
point is that we should be hunting for these kinds of examples 
that make malicious activity hard----
    Senator Romney. Let me just ask, well and good. Let us say 
we prohibit that in the United States from all the U.S. 
providers of this technology. But 5 years from now, or 2 years 
from now, the Chinese will have the capacity, the Russian 
synthetic capacity, the Iranians. We cannot prevent them from 
putting a flush on the face.
    Mr. Allen. Yes, you are absolutely right. What you have to 
think about is the scale of the intervention that you are doing 
and what actors you are preventing. Somebody who has an 
unlimited research and development budget is much harder to 
stop than somebody who is an amateur cyber-criminal.
    My point is there are certain types of interventions that 
we could put in right now that would effectively be costless to 
the entertainment or research community but would present a 
high barrier for low technical sophistication actors.
    As we think about the sort of high sophistication threats 
coming from foreign intelligence services, those are obviously 
going to require more sophisticated interventions than what I 
described.
    Senator Hassan. Let us go to Dr. Alstott, and then Dr. 
Murdick, about the same question. I want to think about the 
non-state actor question in particular, if we can, too.
    Dr. Alstott. Non-state actors, terrorists, and others have 
attempted to use bioweapons, cyber weapons, and nuclear weapons 
in the past. For different threats, sometimes the barrier has 
been information and expertise, and sometimes it has been 
physical material.
    Over the decades, we have, unfortunately, in multiple 
instances, seen non-state actors attempt to use bioweapons that 
really have strategic scale to them. Fortunately, they have 
never succeeded. Unfortunately, the barriers are going down and 
we have had fairly recent close-ish calls within the classified 
record.
    This is a place that I would direct the majority of my 
attention because of the low barriers on the physical side. 
However, cyber weapons, nuclear weapons are two obvious cases 
in which a non-state actor could cause a great deal of trouble. 
But there are other threats not yet conceived.
    What we need to make sure exists is a function that is able 
to identify these threats as they are coming in and as they are 
identified, right, so that if we identify that AI will help a 
non-state actor use some category of weapon that we are not 
even talking about today, that we are able to move to address 
that problem at a faster Observe, Orient, Decide, Act (OODA) 
loop than we are today.
    Senator Hassan. Thank you. Dr. Murdick.
    Dr. Murdick. Yes. You have heard it said that necessity is 
the mother of invention, and I think for non-state actors, they 
are running generally on fairly small budgets, and they want to 
get more resources.
    They need to get information out. They need to get 
recruits. They need to get disruption, whatever their mission 
is. I think in the space where there are more tools available, 
there are a lot of creativity that is going to be coming out.
    I think from my perspective, there is some great examples 
here. I do think cybersecurity, especially the attack surface 
has increased because of the number of information systems that 
we are using. For example, AI itself is all mediated through 
computer systems.
    You have just increased the attack surface. You are 
disruptive--your people with your bent forks that can do weird 
things to systems is where I think you are going to see your 
type of threats, and I think cybersecurity is just where a lot 
of those threats will be realized--particularly in the 
disruptive goal.
    Senator Hassan. If we are looking at where to invest in 
talent and resources, that would be one of the areas that you 
would start with, assuming that as talented and good as a lot 
of the people we have are, we do not have enough given this 
landscape.
    Dr. Murdick. The neat thing about this area is it does not 
require your most technical Ph.D. individuals. The people who 
are most skilled with the bent forks--pardon me, I do not know 
where that analogy came from, but are your people who are 
living in the applied world, and so it is a class of talent 
that we really need to leverage that many people would call 
non-technical talent.
    Senator Hassan. OK. A couple of more questions, and bear 
with me, because Senator Romney, you were getting at the state 
actors, the China and Russia, and the technology.
    Mr. Allen, I want to follow up a little bit because as 
China, Russia, and other foreign adversaries look to develop 
their own advanced technologies or versions of them, it is 
really important that we are going to be able, the United 
States, to take steps to protect our intellectual property and 
technological edge.
    In the spring, the Biden Administration announced new 
controls to prevent the exportation of certain advanced 
semiconductor manufacturing equipment to China. This is an 
important step that will hopefully slow down Chinese 
development of the types of chips needed to produce powerful 
artificial intelligence systems.
    However, these controls would have been far less effective 
if the Dutch and Japanese had not also added export limits for 
similar technologies because of their roles as market leaders 
alongside the United States.
    Can you speak to the importance of multilateral cooperation 
in slowing the proliferation of advanced technologies to our 
adversaries?
    Mr. Allen. Thank you. I think you made the exact right 
point about the need for multilateral cooperation on this 
issue.
    The technological competition that we face with China is 
extremely different than that with the Soviet Union in the Cold 
War, both because of the depth of our trading relationship with 
China, and also because on a relative basis, the United States 
economy is smaller in global terms.
    Right after World War II, we alone were more than 50 
percent of global gross domestic product (GDP), and that is not 
the case today. There are a lot of other places in the world 
that possess extraordinary technological capability that is 
relevant to great power competition, including that with China.
    The October 7th export controls that the Biden 
Administration adopted to restrict the sale of advanced AI 
chips and advanced chipmaking equipment to China, I believe, 
was one of the two most important decisions the Biden 
Administration made in foreign policy last year. Other than 
Russia's war in Ukraine, that was probably the most important 
thing that happened. It really did fundamentally change our 
relationship with China for a long period of time.
    I would say the challenge is that export controls are not a 
foolproof solution. One Chinese company, Yangtze Memory 
Technologies Co (YMTC), which is a memory chip producing 
company, reportedly in 2021, had had 800 people employed full 
time for more than 2 years trying to develop alternatives to 
American technology in order to avoid export controls.
    The entire U.S. Export Control Agency is only 300 people. 
Actually, in inflation adjusted terms, their budget is headed 
for a cut this year. After the United States Federal Government 
put export controls at the center of U.S. foreign policy, both 
in our response to Russia's invasion of Ukraine and also in our 
artificial intelligence competition with China, we are actually 
degrading our own ability to enforce these export controls and 
to assess where export control restrictions would have our 
intended consequences, and I think that is a grave error on the 
part of the U.S. Government.
    Senator Hassan. Thank you. One more question, if you have 
the patience for it too, Senator Romney, and then the wrap up 
question that I talked about. To Dr. Alstott, as research 
institutions, private companies, and nations rapidly develop 
artificial intelligences of increasing power, the severity of 
the risks associated with these systems also increases.
    Earlier, I asked a question, and we talked about the 
utility of AI to dangerous non-state actors, but this risk 
could be mitigated by developing AI that cannot take harmful 
actions in the first place.
    As we develop powerful artificial intelligence and it 
becomes even more integrated into our daily lives, I think 
there need to be safeguards that protect the lives of 
Americans. What specific research questions do we need to ask 
and have answered to develop AI that is fundamentally safer and 
either cannot be exploited or at least is much harder to 
exploit for dangerous uses?
    Dr. Alstott. There are a variety of technical bets out 
there, and different technical experts have different takes on 
this.
    However, an example of a particular technical direction 
that has broad buy in is about the interpretability of what is 
going on inside the AI--mechanistic interpretability is a 
particular term of art these days.
    This is very much like doing neuroscience except on an AI, 
where you are able to look inside the AI as it is doing things 
and understand how its concepts are represented, how the 
concepts interact, how it makes decisions, how it does planning 
and so on, which is exactly the sort of view that you need in 
order to make strong claims about what this AI will and will 
not do under different circumstances.
    Now, I am a lapsed neuroscientist myself, so I can tell you 
that neuroscience is pretty hard. But this should be easier in 
the case of AI because we have visibility into the internals of 
the AI. We do not have to do surgery on it, no skulls need to 
be cut, etcetera. This is an example of just one technique.
    This technique and many other techniques have a sort of 
fundamental strategic issue with them, which is that it needs 
to be the case for them that as the AI is increasing in 
complexity and power, that your safety techniques keep up.
    If it is lagging behind, this will not work over the long 
term. You need your interpretability, or whatever techniques 
you would like, to be matching or exceeding as the AI grows in 
power and complexity.
    Senator Hassan. Thank you for that. That is helpful. We 
have discussed a pretty broad range of topics. I have found it 
very helpful.
    We obviously cannot cover all potential threats to national 
security in one short hearing, but I did want to give each of 
you a chance to share any final thoughts on topics that we 
maybe have not sufficiently addressed already.
    I will start with Dr. Murdick and go down to the table. 
Thank you all for being here. Dr. Murdick, any final thoughts?
    Dr. Murdick. I have really appreciated this conversation. 
It is such a rich discussion. Just very briefly, three things 
that I do not think we talked much about. This first one is 
relevant to your last question, software liability.
    Procedural changes have had huge impact in how systems are 
deployed. A Senate body cannot respond to everything directly, 
but by figuring out software liability questions, I think there 
is a huge opportunity to change the landscape of innovation and 
the threat space because you get lots of people empowered to 
start to adjust the landscape.
    Second, talent, I think, is so important. We did talk about 
it a lot. I think it is extremely important for AI literacy, 
for Science, technology, engineering, and mathematics (STEM) 
talent, for non-technical talent. It is going to take all of us 
to be able to do this.
    Making it clear that you do not have to be a Ph.D. in 
whatever to be participating in this discussion is extremely 
important. Then last, whatever we design, ultimately know the 
apparatus is to protect us. There is a desire, because we want 
everything to start with a complex system, but only in Greek 
mythology do complex systems spring into existence.
    I think we have to start with very simple systems that 
work, have a very clear mission, and then they get expanded in 
a very judicious way. I think we have to resist the urge to try 
to solve all your values based questions and get very focused 
ones, and then build from there. That way, we will get complex 
systems that work.
    Senator Hassan. Thank you. Dr. Alstott.
    Dr. Alstott. I second the idea of having a clear mission. 
As I said earlier, we do not currently have a function within 
government that has clear authorities and responsibilities on 
the issue of broadly capable AI and the threats that it could 
pose.
    As Senator Lankford was describing, this is in part a 
values question of what are the things that we need a 
bureaucracy empowered to address. The virtue of the United 
States is that we have a lot of diversity in values, which I at 
least personally enjoy.
    But one thing that there is a lot of agreement on is 
national security and public safety, so that seems like a top 
candidate for a place that a clear mission could start. 
Possibly other things could also be included, but this would 
seem to be a place that there be a lot of agreement.
    Senator Hassan. Thank you. Mr. Allen.
    Mr. Allen. Thank you so much for the opportunity to testify 
today. I think my closing remarks will principally be an 
apology to Senator Romney, because you asked a bunch of 
questions that I feel like we did not quite answer. I am going 
to use my closing remarks to do my best to answer them.
    You asked do we need an international consortium? Is that 
realistic, or how do we control the world's worst actors? 
Before I answer those, I want to talk about what I view as the 
problem that we are trying to solve, and it is split into two 
areas vis a vis AI.
    When I was working in the United States Department of 
Defense, we were principally focused on application specific 
AI. These are machine learning systems, and they learn from 
data. If you want to generate an AI system that can recognize 
cats, you need a bunch of pictures of cats.
    If you want to generate an AI system that can recognize 
military vehicles from satellite imagery, you need a lot of 
satellite images. These are application specific AI systems, 
and I believe the existing United States regulatory framework 
is pretty good at handling application specific AI systems.
    What I have just described is really the AI revolution from 
the year 2012 to around 2020 or 2022. The challenge that we 
have now is there are these increasingly general AI systems. If 
you talk to Chat Generative Pre-trained Transformer (ChatGPT), 
it will give you advice for how to design a nuclear submarine, 
and it will give you medical advice, and it will give you 
financial advice.
    These are no longer application specific systems because 
the training data is not a large library of cats, the training 
data is almost the entire Internet. It is such a general system 
that it is not a good fit for the existing regulatory 
structure--or at least in some instances, it is not a good fit 
for the regulatory structure.
    The second challenge we have is that these systems continue 
to get better at an exponential rate. I am sure both of you are 
familiar with Moore's Law, which is the phenomenon that 
computers get twice as fast for the same price or perhaps even 
a lesser price every 2 years.
    What that means is that in 20 years, AI systems will not be 
20 times better, they will be 1,000 times better, and that is 
if they proceed at the Moore's Law pace. Over the past 10 
years, AI research has radically exceeded the pace of Moore's 
Law in terms of the pace of technological progress.
    We must conceive now of regulatory structures that would be 
useful and relevant to AI systems that are not a little bit 
better than the astonishingly capable systems we have today, 
but a lot better than the astonishingly capable systems we have 
today. That is what I think the challenge is to solve.
    From that perspective, I do think that it is worth the U.S. 
Government's time to consider creating a new Federal agency or 
creating a new organization within a Federal agency that is 
specifically working on this problem.
    I have just recently hired staff to come up with a detailed 
proposal on this issue, and so I would hesitate to give you a 
detailed proposal today, but that is what I view as the problem 
that demands some kind of new type of action.
    International collaboration will be required on this issue, 
but we should think about developing mechanisms that are also 
useful in the event that international collaboration fails. For 
example, when I was in the United States Department of Defense, 
we put forth multiple requests for dialog with the People's 
Liberation Army to discuss military AI risk reduction so that 
we do not go to war accidentally, and all of those requests 
were refused.
    I do think it is worth us thinking about structures that 
can work even in the event that international collaboration 
does not go the way we hoped. Thank you both.
    Senator Hassan. Thank you all three for really not only 
excellent testimony but sharing your expertise with us so 
thoughtfully and so broadly. Again, just to thank you, too, for 
what you have already contributed to our nation's security.
    We really appreciate it. I look forward to continuing this 
conversation with my colleagues and my constituents. I know 
that you gave us a lot of ideas. You gave us some new problems 
to try to solve.
    I look forward to continuing the work with all of you and 
with my colleagues. The hearing record will remain open for 15 
days until 5.00 p.m. on October 4th for submissions of 
statements and questions for the record. The hearing is now 
adjourned.
    [Whereupon, at 3:59 p.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                               [all]